The NIST Cybersecurity Framework provides a framework, based on existing standards, guidelines and practices for private sector organizations in the United States to better manage and reduce cybersecurity risk.
In addition to helping organizations prevent, detect and respond to cyber threats and cyber attacks, it was designed to improve cybersecurity and risk management communications among internal and external stakeholders.
The framework is increasingly adopted as best practice, with 30% of U.S. organizations using it as of 2015, expected to rise to 50% by 2020. Inside the United States, 16 critical infrastructure sectors and 20 states use the framework.
Outside of the United States, the framework has been translated to many languages and is used by the governments of Japan and Israel, among others.
A security framework adoption study reported that 70% of surveyed organizations see the NIST Cybersecurity Framework as best practice for information security, data security and network security, but many note that it requires a significant investment.
Many organizations are investing in tools to automate vendor risk management by continuously monitoring and rating the security of vendors, as well as continuous monitoring for data exposures and leaked credentials.
What is the purpose of the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework seeks to address the lack of standards when it comes to cybersecurity by providing "a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes."
Cybersecurity is a young industry and there are major differences in the way companies use technology, processes, access control and other security controls to reduce the risk of cyber attacks like man-in-the-middle attacks, phishing, email spoofing, domain hijacking, spear phishing, computer worms, data breaches, typosquatting, ransomware and other types of malware.
The framework aims to help organizations learn from best practices.
What is the summary of the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework consists of three main components:
- The Framework Core: A set of desired cybersecurity activities and outcomes expressed in common language that is easy to understand. It guides organizations in managing and reducing cybersecurity risk while complementing their existing cybersecurity and risk management methodologies.
- The Framework Profile: An organization's unique alignment of their organizational requirements and objectives, risk appetite and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities to improve security standards and mitigate risk at an organization.
- The Framework Implementation Tiers: Provides context on how an organization views cybersecurity risk management, guides them to consider what the appropriate level of rigor is for them and is often used as a communication tool to discuss risk appetite, mission priority and budget.
What are the benefits of the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework provides a common language and systematic methodology for managing cybersecurity risk.
The Framework Core outlines activities and information sources that can be incorporated into any cybersecurity program and is designed to complement, rather than replace your current cybersecurity program.
By creating a Framework Profile, organizations can identify areas where existing processes need strengthening, or where new processes can be implemented.
These profiles and the common language provided in the Framework Core can improve communication through the organization and improve your risk management strategy.
Pairing a Framework Profile with an implementation plan allows your organization to decide on which cost-effective protective measures will be taken based on information systems, business environment and probability of cybersecurity event.
Additionally, Profiles and the risk management processes they create can be leveraged as strong artifacts to demonstrate due care.
Finally, the Framework Implementation Tiers provide your organization with context about how robust your cybersecurity strategy is and whether you have applied the appropriate level of rigor for the size and complexity of your organization. Tiers can be used as communication tools to discuss mission priority, risk appetite and budget too.
What is in the NIST Cybersecurity Framework Core?
The NIST Cybersecurity Framework Core is designed to help organizations define what activities they need to do to attain different cybersecurity standards.
It enables communication between multi-disciplinary teams by using simple and non-technical language.
The Framework Core consists of three parts:
- Functions: The five high-level Functions are Identify, Protect, Detect, Respond and Recover. These five Functions apply not only to cyber risk management but to risk management at large.
- Categories: There are 23 categories split across the five functions. Categories cover the breadth of cybersecurity objectives (cyber, physical, personnel and business outcomes) while not being overly detailed.
- Subcategories: There are 108 subcategories split across the 23 categories. These are outcome-driven statements that provide considerations for creating or improving a cybersecurity program. As the Framework is outcomes driven, it does not mandate how an organization achieves outcomes, as it must make risk-based implementations based on its needs.
What are the five Functions of the NIST Cybersecurity Framework?
The five Functions included in the Framework Core are Identify, Protect, Detect, Respond and Recover. Recall that there are 23 categories and 108 subcategories spread across them.
For each subcategory, Informative References are provided that point to specific sections of other information security standards, including ISO 27001, COBIT, NIST SP 800-53, ANSI/ISA-62443 and the Council on CyberSecurity Critical Security Controls (CCS CSC, now the CIS Controls).
While the NIST CSF is a terrific guide, several of these informative references (ISO 27001, COBIT and ISA-62443 among them) require a paid membership or purchase to access, which has led to the creation of new NIST Framework guides that are more accessible to small businesses.
The Identify Function helps develop organizational understanding of cybersecurity risk to systems, people, assets, data and capabilities.
There are six categories under the Identify Function:
- Asset Management (ID.AM): The data, personnel, devices, systems and facilities that enable the organization to operate are identified and managed consistent with their relative importance to the organization and its risk strategy.
- Business Environment (ID.BE): The organization's mission, objectives, stakeholders and activities are understood, prioritized and used to inform cybersecurity roles, responsibilities and risk management decisions.
- Governance (ID.GV): The policies, procedures and processes to manage and monitor the organization's regulatory, legal, risk, environmental and operational requirements are understood and inform the management of cybersecurity risk.
- Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image and reputation), organizational assets and individuals.
- Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerance and assumptions are established and used to support risk decisions.
- Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerance and assumptions are established and used to support risk decisions related to third-party risk and fourth-party risk. The organization has in place a process to identify, assess and manage supply chain risks, e.g. a third-party risk management framework, vendor security questionnaire template and a security ratings tool.
The Protect Function outlines appropriate safeguards to ensure delivery of critical infrastructure services and limits or contains the impact of potential cybersecurity events, often by employing a defense in depth strategy.
There are six categories under the Protect Function:
- Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes or devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
- Awareness and Training (PR.AT): Personnel and partners are provided with cybersecurity awareness training and can perform their information security-related duties and responsibilities consistent with policies, procedures and agreements.
- Data Security (PR.DS): Information and records (data) are managed consistently in accordance with the organization's risk strategy to protect their confidentiality, integrity and availability (the CIA triad).
- Information Protection Processes and Procedures (PR.IP): Information security policies (that address the purpose, scope, roles, responsibilities, management commitment and coordination among entities), processes and procedures are maintained and used to protect information systems and assets.
- Maintenance (PR.MA): Maintenance and repairs of controls and information systems are consistent with policies and procedures.
- Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets consistent with policies, procedures and agreements.
The Detect Function defines appropriate activities to identify the occurrence of a cybersecurity event in a timely manner.
There are three categories under the Detect Function:
- Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact is understood.
- Security Continuous Monitoring (DE.CM): Information systems and assets are continuously monitored to identify security events and verify the effectiveness of protective measures, e.g. vendor security ratings software and data leak detection.
- Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
The Respond Function outlines appropriate activities to take regarding a detected cybersecurity incident, in order to contain its impact and improve future response.
There are five categories under the Respond Function:
- Response Planning (RS.RP): Response processes and procedures are executed and maintained to ensure response to detected cybersecurity incidents.
- Communications (RS.CO): Response activities are coordinated with internal and external stakeholders.
- Analysis (RS.AN): Analysis is conducted to ensure adequate response and to support recovery activities.
- Mitigation (RS.MI): Activities are performed to prevent the expansion of an event, mitigate its effects and resolve the incident, including eradicating the attack vectors used.
- Improvements (RS.IM): Response activities are improved by incorporating best practices, lessons learned and other inputs.
The Recover Function identifies appropriate activities to plan for resilience and to restore capabilities or services that were impaired during a cyber attack, supporting timely recovery and improving incident response planning.
There are three categories under the Recover Function:
- Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets.
- Improvements (RC.IM): Recovery planning and processes are improved by incorporating best practices, lessons learned and other inputs.
- Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, ISPs, other CSIRTs, victims and vendors.
What are NIST Cybersecurity Framework Profiles?
Profiles are an organization's unique alignment to their business requirements and objectives, risk appetite and resources against the desired outcomes in the Framework Core.
Profiles are about optimizing the Cybersecurity Framework to best serve your organization. There is no right or wrong way to use it, as it is a voluntary framework and largely based on your organization's management of cybersecurity risk, risk tolerance and organizational understanding of appropriate safeguards.
A popular approach is to map cybersecurity requirements, mission objectives and operating methodologies, along with current practices against subcategories in the Framework Core to create a current profile. These requirements and objectives can be compared against the current state to gain an understanding of where gaps are.
Once this cybersecurity risk assessment process has been completed, organizations create a prioritized implementation plan based on priority, size of gap and estimate costs of appropriate activities or protective technologies.
Another way of doing it is to adopt a baseline target profile that is tailored for your sector (e.g. financial services or health care). This can be a great idea for organizations who have regulatory requirements to protect sensitive data like personally identifiable information (PII), protected health information (PHI) or biometric data.
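The current-versus-target comparison described above is a gap analysis keyed on Framework Core identifiers. The script below is an added example, not code from the original page or from NIST: it scores Categories from this page on a 0-4 maturity scale (an assumption; the CSF prescribes no scale), orders the gaps by mission priority, gap size and estimated cost, and turns them into a budget-constrained implementation plan. The Outcome list, priorities, per-level costs and both Profiles are constructed sample data; in practice the same logic is run at Subcategory level (ID.AM-1 and so on).

```python
"""Profile gap analysis over NIST CSF Core identifiers.

Added example: the CSF itself defines no scoring scale or planning algorithm;
the 0-4 maturity scale, the per-level cost figures and the Profile values
below are constructed for illustration only.
"""
from dataclasses import dataclass

MATURITY_SCALE = range(0, 5)  # assumption: 0 = not implemented, 4 = optimized


@dataclass(frozen=True)
class Outcome:
    """One Framework Core outcome (here at Category level, e.g. ID.AM)."""
    ident: str
    name: str
    priority: int      # 1 = highest mission priority, set by the organization
    level_cost: float  # estimated cost to raise maturity by one level (constructed)


@dataclass(frozen=True)
class Gap:
    ident: str
    current: int
    target: int
    priority: int
    level_cost: float

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def cost(self) -> float:
        return self.size * self.level_cost


def function_of(ident: str) -> str:
    """'PR.AC' -> 'PR' (the Function prefix of a Core identifier)."""
    return ident.split(".", 1)[0]


def validate_profile(profile, outcomes):
    """Reject unknown identifiers and scores outside the agreed scale."""
    known = {o.ident for o in outcomes}
    for ident, score in profile.items():
        if ident not in known:
            raise ValueError(f"unknown Core identifier {ident!r}")
        if score not in MATURITY_SCALE:
            raise ValueError(f"{ident}: score {score} outside {list(MATURITY_SCALE)}")


def gap_analysis(outcomes, current, target):
    """Compare Current and Target Profiles; return gaps ordered for action.

    Order: mission priority first, then larger gaps, then cheaper closure.
    """
    validate_profile(current, outcomes)
    validate_profile(target, outcomes)
    gaps = []
    for o in outcomes:
        cur = current.get(o.ident, 0)     # absent from Current = not implemented
        tgt = target.get(o.ident, cur)    # absent from Target = no change sought
        if tgt > cur:
            gaps.append(Gap(o.ident, cur, tgt, o.priority, o.level_cost))
    return sorted(gaps, key=lambda g: (g.priority, -g.size, g.cost))


def implementation_plan(gaps, budget):
    """Fund whole maturity levels in gap order until the budget runs out."""
    funded, deferred, remaining = [], [], float(budget)
    for g in gaps:
        levels = min(g.size, int(remaining // g.level_cost))
        if levels > 0:
            funded.append((g.ident, levels, levels * g.level_cost))
            remaining -= levels * g.level_cost
        if levels < g.size:   # gap not fully closed this cycle
            deferred.append(g.ident)
    return {"funded": funded, "deferred": deferred, "remaining_budget": remaining}


def function_summary(outcomes, profile):
    """Average score per Function (ID/PR/DE/RS/RC): the view used with leadership."""
    totals = {}
    for o in outcomes:
        totals.setdefault(function_of(o.ident), []).append(profile.get(o.ident, 0))
    return {fn: sum(v) / len(v) for fn, v in totals.items()}


# Constructed sample: six Categories from this page, scored by a hypothetical organization.
CORE = [
    Outcome("ID.AM", "Asset Management", 1, 10.0),
    Outcome("ID.SC", "Supply Chain Risk Management", 2, 15.0),
    Outcome("PR.AC", "Identity Management, Authentication and Access Control", 1, 20.0),
    Outcome("DE.CM", "Security Continuous Monitoring", 2, 25.0),
    Outcome("RS.RP", "Response Planning", 3, 5.0),
    Outcome("RC.RP", "Recovery Planning", 3, 8.0),
]
CURRENT_PROFILE = {"ID.AM": 2, "ID.SC": 0, "PR.AC": 1, "DE.CM": 1, "RS.RP": 3, "RC.RP": 1}
TARGET_PROFILE = {"ID.AM": 3, "ID.SC": 2, "PR.AC": 3, "DE.CM": 3, "RS.RP": 3, "RC.RP": 2}

if __name__ == "__main__":
    gaps = gap_analysis(CORE, CURRENT_PROFILE, TARGET_PROFILE)
    for g in gaps:
        print(f"{g.ident}: {g.current} -> {g.target} (priority {g.priority}, est. cost {g.cost:.0f})")
    print(implementation_plan(gaps, budget=60))
    print(function_summary(CORE, CURRENT_PROFILE))
```

With the sample budget of 60, the plan fully funds PR.AC and ID.AM (priority 1), skips ID.SC and DE.CM because not even one level fits the remaining budget, and then funds the cheap RC.RP level; the deferred list is what goes into the next planning cycle. The per-Function averages are the Tier-style summary that a security lead can put in front of management without exposing 108 rows.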
What are the NIST Cybersecurity Framework Implementation Tiers?
There are four Implementation Tiers described in the NIST Cybersecurity Framework, the higher the tier, the closer the organization's cybersecurity risk management program is to the characteristics defined in the framework.
The four tiers are:
- Tier 1 (Partial)
- Tier 2 (Risk Informed)
- Tier 3 (Repeatable)
- Tier 4 (Adaptive)
Note that the Tiers don't necessarily represent maturity levels. Organizations need to determine their desired Tier, one that meets organizational goals, reduces cybersecurity risk to an acceptable level and is feasible to implement at a financial and operational level.
What is the background of the NIST Cybersecurity Framework?
In February 2013, President Barack Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, to improve the national and economic security of the United States by improving the reliability of its critical infrastructure.
EO 13636 directed NIST to work with stakeholders to develop a voluntary framework, the NIST Framework for Improving Critical Infrastructure Cybersecurity, based on existing standards, guidelines and practices to reduce cybersecurity risk to critical infrastructure. This was reinforced by the Cybersecurity Enhancement Act of 2014.
Version 1.0 was published by the National Institute of Standards and Technology in February 2014, originally created to promote the protection of critical infrastructure by providing a prioritized, flexible, repeatable and cost-effective approach to help owners and operators manage cybersecurity risk.
The framework was widely adopted by organizations and helped shift organizations to be proactive about risk management.
In 2017, a draft version of 1.1 was circulated for public comment. Version 1.1 was made publicly available on April 16 2018 and is backwards compatible with version 1.0.
The main changes were the inclusion of guidance on how to perform self-assessments, additional detail on vendor risk management, guidance on how to interact with supply chain stakeholders and third-party vendors, and a new expectation that organizations have a process for receiving and responding to vulnerability disclosures (for example, vulnerabilities reported by external researchers or published as CVEs).
How UpGuard can improve your organization's cybersecurity by preventing data breaches and data leaks
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor DMARC, combat typosquatting and prevent data breaches and data leaks, avoiding regulatory fines and protecting your customers' trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.