The NIST Cybersecurity Framework is a framework, based on existing standards, guidelines, and practices, that helps private sector organizations in the United States better manage and reduce cybersecurity risk. It was created by NIST (the National Institute of Standards and Technology) as an initiative to help organizations build stronger IT (information technology) infrastructures.
In addition to helping organizations prevent, detect, and respond to cyber threats and cyber attacks, it was designed to improve cybersecurity and risk management communications among internal and external stakeholders.
The framework is increasingly adopted as best practice, with 30% of U.S. organizations using it as of 2015, and it is expected to rise to 50% by 2020. Currently, 16 critical infrastructure sectors and 20 states use the framework inside the United States.
Outside of the United States, the framework has been translated into many languages and is used by the governments of Japan and Israel, among others.
A security framework adoption study found that 70% of surveyed organizations regard the NIST Cybersecurity Framework as the best practice for information security, data security, and network security, but many note that it requires a significant investment.
With the average cost of a data breach reaching $4.35 million, investing in tools to prevent data breaches and data leaks is a must for organizations around the world.
Many organizations are investing in tools to automate vendor risk management by continuously monitoring and rating the vendor’s security, as well as continuous monitoring for data exposures and leaked credentials.
What is the Background of the NIST Cybersecurity Framework?
In February 2013, President Barack Obama and the US government issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, to improve the national and economic security of the United States by improving the reliability of its critical infrastructure.
EO 13636 directed NIST to work with stakeholders to develop a voluntary framework, the NIST Framework for Improving Critical Infrastructure Cybersecurity, based on existing standards, guidelines, and practices to reduce cybersecurity risk to critical infrastructure. This was reinforced by the Cybersecurity Enhancement Act of 2014.
NIST published Version 1.0 to promote the protection of critical infrastructure through a prioritized, flexible, repeatable, and cost-effective approach that helps owners and operators manage cybersecurity risk.
The framework was widely adopted by organizations and helped shift organizations to be proactive about risk management.
In 2017, a draft version of 1.1 was circulated for public comment. Version 1.1 was made publicly available on April 16, 2018, and is backward-compatible with version 1.0.
The main changes included guidance on how to perform self-assessments, additional details on vendor risk management, guidance on how to interact with supply chain stakeholders and third-party vendors, and encouragement of a vulnerability disclosure process (e.g. publishing discovered vulnerabilities as CVE entries).
What is the Purpose of the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework seeks to address the lack of standards when it comes to cybersecurity by providing "a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes."
Cybersecurity is a young industry, and there are major differences in the way companies use technology, processes, access control, and other security controls to reduce the risk of cyber attacks like man-in-the-middle attacks, phishing, email spoofing, domain hijacking, spear phishing, computer worms, data breaches, typosquatting, ransomware and other types of malware.
The framework aims to help organizations learn from best practices. Additionally, the NIST CSF can be used in conjunction with other frameworks or compliance standards such as HIPAA, HECVAT, FISMA, GLBA, SOX, or SOC 2, among many others.
What is the Summary of the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework consists of three main components:
- The Framework Core: A set of desired cybersecurity activities and outcomes using a common language that is easy to understand. It guides organizations in managing and reducing cybersecurity risk while complementing their existing cybersecurity and risk management methodologies.
- The Framework Profile: An organization's unique alignment of its organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities to improve security standards and mitigate organizational risk.
- The Framework Implementation Tiers: Provide context on how an organization views cybersecurity risk management, guide it to consider what level of rigor is appropriate for it, and are often used as a communication tool to discuss risk appetite, mission priority, and budget.
What are the Benefits of the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework provides a common language and systematic methodology for managing cybersecurity risk.
The Framework Core outlines activities and information sources that can be incorporated into any cybersecurity program and is designed to complement, rather than replace, your current cybersecurity program.
By creating a Framework Profile, organizations can identify areas where existing processes need strengthening, or where new processes can be implemented.
These profiles and the common language provided in the Framework Core can improve communication throughout the organization and improve your risk management strategy.
Pairing a Framework Profile with an implementation plan allows your organization to decide on which cost-effective protective measures will be taken based on information systems, the business environment, and the probability of cybersecurity events.
Additionally, profiles and the risk management processes they create can be leveraged as strong artifacts to demonstrate due care.
Finally, the Framework Implementation Tiers provide your organization with context about how robust your cybersecurity strategy is and whether you have applied the appropriate level of rigor for the size and complexity of your organization. Tiers can be used as communication tools to discuss mission priority, risk appetite, and budget.
What is in the NIST Cybersecurity Framework Core?
The NIST Cybersecurity Framework Core is designed to help organizations define what activities they need to do to attain different cybersecurity standards.
It enables the communication between multi-disciplinary teams by using simple and non-technical language.
The Framework Core consists of three parts:
- Functions: The five high-level Functions are Identify, Protect, Detect, Respond and Recover. These five Functions apply not only to cyber risk management but to risk management at large.
- Categories: There are 23 categories split across the five functions. Categories cover the breadth of cybersecurity objectives (cyber, physical, personnel, and business outcomes) while not being overly detailed.
- Subcategories: There are 108 subcategories split across the 23 categories. These outcome-driven statements provide considerations for creating or improving a cybersecurity program. Because the Framework is outcome-driven, it does not mandate how an organization achieves those outcomes; each organization chooses risk-based implementations suited to its needs.
What are the Five Functions of the NIST Cybersecurity Framework?
The five Functions included in the Framework Core are:
- Identify
- Protect
- Detect
- Respond
- Recover
Recall that there are 23 categories and 108 subcategories.
For each subcategory, informative references are provided that point to specific sections of other information security standards, including ISO 27001, COBIT, NIST SP 800-53, ANSI/ISA-62443 and the Council on CyberSecurity Critical Security Controls (CCS CSC).
While the NIST CSF is a terrific guide, most of these informative references require a paid membership or purchase to access, which has led to the creation of new NIST Framework guides that are more accessible to small businesses.
The Identify Function helps develop an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities.
There are six categories under the Identify Function:
- Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to operate are identified and managed consistent with their relative importance to the organization and its risk strategy.
- Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood, prioritized and used to inform cybersecurity roles, responsibilities, and risk management decisions.
- Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental and operational requirements are understood and inform the management of cybersecurity risk.
- Risk Assessment (ID.RA): The organization understands the cybersecurity risk to each function (including mission, image, and reputation), organizational assets, and individuals.
- Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.
- Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions related to third-party risk and fourth-party risk. The organization has a process to identify, assess and manage supply chain risks, e.g. a third-party risk management framework, vendor security questionnaire template, and a security rating tool.
The Protect Function outlines appropriate safeguards to ensure delivery of critical infrastructure services and limits or contains the impact of potential cybersecurity events, often by employing a defense in depth strategy.
There are six categories under the Protect Function:
- Access Control (PR.AC): Access to assets and facilities is limited to authorized users, processes or devices, and to authorized activities and transactions.
- Awareness and Training (PR.AT): Personnel and partners are provided with cybersecurity awareness training and can perform their information security-related duties and responsibilities consistent with policies, procedures and agreements.
- Data Security (PR.DS): Sensitive data is managed consistently and in accordance with the organization's risk strategy to protect its confidentiality, integrity and availability (the CIA Triad).
- Information Protection Processes and Procedures (PR.IP): Information security policies (that address the purpose, scope, roles, responsibilities, management commitment and coordination among entities), processes and procedures are maintained and used to protect information systems and assets.
- Maintenance (PR.MA): Maintenance and repairs of controls and information systems are consistent with policies and procedures.
- Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets consistent with policies, procedures and agreements.
The Detect Function defines appropriate activities to identify the occurrence of a cybersecurity event in a timely manner.
There are three categories under the Detect Function:
- Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner, and the potential impact is understood.
- Security Continuous Monitoring (DE.CM): Information systems and assets are continuously monitored to identify security events and verify the effectiveness of protective measures, e.g. vendor security rating software and data leak detection.
- Detection Processes (DE.DP): Detection processes and procedures are maintained and tested.
The Respond Function outlines appropriate activities to take after a security incident to improve response and reduce the impact of an event.
There are five categories under the Respond Function:
- Response Planning (RS.RP): Response processes and procedures are practiced, executed, and maintained.
- Communications (RS.CO): Response activities are coordinated with internal and external stakeholders.
- Analysis (RS.AN): Analysis is conducted to ensure adequate response and to support recovery activities.
- Mitigation (RS.MI): Activities are performed to prevent the spread of a cyber attack, mitigating its effects and eradicating attack vectors.
- Improvements (RS.IM): Response activities are improved by incorporating best practices, lessons learned, and other inputs.
The Recover Function identifies appropriate activities to plan for resilience and to restore capabilities or services that were impaired during a cyber attack, supporting timely recovery and improving incident response planning.
There are three categories under the Recover Function:
- Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure the restoration of systems or assets.
- Improvements (RC.IM): Recovery planning and processes are improved by incorporating best practices, lessons learned, and other inputs.
- Communications (RC.CO): Restoration activities are coordinated with an internal team and third-party vendors.
What are NIST Cybersecurity Framework Profiles?
Profiles are an organization's unique alignment to its business requirements and objectives, risk appetite, and resources against the desired outcomes in the Framework Core.
Profiles are about optimizing the Cybersecurity Framework to best serve your organization. There is no right or wrong way to use it, as it is a voluntary framework and largely based on your organization's management of cybersecurity risk, risk tolerance, and organizational understanding of appropriate safeguards.
A popular approach is to map cybersecurity requirements, mission objectives, operating methodologies, and current practices against the subcategories in the Framework Core to create a current profile. The requirements and objectives (the target state) can then be compared against the current state to understand where the cybersecurity gaps are.
Once this cybersecurity risk assessment process has been completed, organizations create a prioritized implementation plan based on priority, the size of each gap, and the estimated cost of the appropriate activities or protective technologies.
Another way of doing it is to adopt a baseline target profile that is tailored to your sector (e.g. financial services or health care). This can be a great idea for organizations that have regulatory requirements to protect sensitive data like personally identifiable information (PII), protected health information (PHI), or biometric data.
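As an added illustration (not code from the original article or from UpGuard), the following Python script carries out the profile gap analysis described above: it compares a Current Profile against a Target Profile subcategory by subcategory and orders the open gaps into an implementation plan. The subcategory data is constructed, and the ranking rule (gap times priority divided by estimated cost) is an assumption, since the framework prescribes no scoring formula.

```python
from dataclasses import dataclass

# Implementation Tiers from the framework, ranked so a gap can be computed.
TIERS = {"Partial": 1, "Risk Informed": 2, "Repeatable": 3, "Adaptive": 4}


@dataclass(frozen=True)
class Outcome:
    subcategory: str  # Framework Core subcategory ID, e.g. "ID.AM-1"
    current: str      # tier the organization operates at today (Current Profile)
    target: str       # tier its objectives/regulations require (Target Profile)
    priority: int     # 1 (low) .. 5 (high), set from mission and compliance needs
    est_cost: float   # estimated cost to close the gap, in arbitrary budget units


def gap(o: Outcome) -> int:
    """Gap size in tiers; outcomes already at or above target have no gap."""
    return max(0, TIERS[o.target] - TIERS[o.current])


def score(o: Outcome) -> float:
    """Assumed ranking rule: big gaps on high-priority, cheap-to-close outcomes first."""
    return gap(o) * o.priority / o.est_cost


def implementation_plan(outcomes: list[Outcome]) -> list[Outcome]:
    """Outcomes with an open gap, in the order they should be funded."""
    return sorted((o for o in outcomes if gap(o) > 0), key=score, reverse=True)


def plan_cost(outcomes: list[Outcome]) -> float:
    """Total estimated cost of closing every open gap."""
    return sum(o.est_cost for o in implementation_plan(outcomes))


# Constructed sample profile covering six of the 108 subcategories; not real data.
SAMPLE_PROFILE = [
    Outcome("ID.AM-1", "Risk Informed", "Repeatable", 4, 2.0),  # asset inventory
    Outcome("ID.SC-1", "Partial", "Repeatable", 5, 4.0),        # supply chain risk process
    Outcome("PR.AC-1", "Repeatable", "Repeatable", 5, 3.0),     # identities and credentials
    Outcome("DE.CM-1", "Partial", "Adaptive", 3, 6.0),          # network monitoring
    Outcome("RS.RP-1", "Adaptive", "Repeatable", 2, 1.0),       # already above target
    Outcome("RC.RP-1", "Risk Informed", "Repeatable", 2, 0.5),  # recovery plan executed
]

if __name__ == "__main__":
    for o in implementation_plan(SAMPLE_PROFILE):
        print(f"{o.subcategory}: {o.current} -> {o.target} "
              f"(gap {gap(o)}, priority {o.priority}, cost {o.est_cost}, score {score(o):.2f})")
    print(f"Total estimated cost: {plan_cost(SAMPLE_PROFILE)}")
```

Outcomes already at or above their target tier (PR.AC-1, RS.RP-1) drop out of the plan, so a target set below the current state never generates a regression task.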
What are NIST Cybersecurity Framework Implementation Tiers?
There are four Implementation Tiers described in the NIST Cybersecurity Framework; the higher the tier, the closer the organization's cybersecurity risk management program is to the characteristics defined in the framework.
The four tiers are:
- Tier 1 (Partial)
- Tier 2 (Risk Informed)
- Tier 3 (Repeatable)
- Tier 4 (Adaptive)
Note that the tiers don't necessarily represent maturity levels. Organizations need to determine their desired tier: one that meets organizational goals, reduces cybersecurity risk to an acceptable level, and is feasible to implement at a financial and operational level.