The National Institute of Standards and Technology (NIST) is a non-regulatory agency that promotes innovation by advancing measurement science, standards, and technology. The NIST Cybersecurity Framework (NIST CSF) consists of standards, guidelines, and best practices that help organizations improve their management of cybersecurity risk.
The NIST CSF is designed to be flexible enough to integrate with the existing security processes within any organization, in any industry. It provides an excellent starting point for implementing information security and cybersecurity risk management in virtually any private sector organization in the United States.
On February 12, 2013, Executive Order (EO) 13636—"Improving Critical Infrastructure Cybersecurity"—was issued. This began NIST’s work with the U.S. private sector to "identify existing voluntary consensus standards and industry best practices to build them into a Cybersecurity Framework." The result of this collaboration was the NIST Cybersecurity Framework Version 1.0.
The Cybersecurity Enhancement Act (CEA) of 2014 broadened NIST's efforts in developing the Cybersecurity Framework. Today, the NIST CSF is still is one of the most widely adopted security frameworks across all U.S. industries.
NIST Cybersecurity Framework includes functions, categories, subcategories, and informative references.
Functions give a general overview of security protocols of best practices. Functions are not intended to be procedural steps but are to be performed “concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk.” Categories and subcategories provide more concrete action plans for specific departments or processes within an organization.
Examples of NIST functions and categories include the following:
The NIST CSF's informative references draw direct correlation between the functions, categories, subcategories, and the specific security controls of other frameworks. These frameworks include the Center for Internet Security (CIS) Controls®, COBIT 5, International Society of Automation (ISA) 62443-2-1:2009, ISA 62443-3-3:2013, International Organization for Standardization and the International Electrotechnical Commission 27001:2013, and NIST SP 800-53 Rev. 4.
The NIST CSF does not tell how to inventory the physical devices and systems or how to inventory the software platforms and applications; it merely provides a checklist of tasks to be completed. An organization can choose its own method on how to perform the inventory. If an organization needs further guidance, it can refer to the informative references to related controls in other complementary standards. There is a lot of freedom in the CSF to pick and choose the tools that best suit the cybersecurity risk management needs of an organization.
To help private sector organizations measure their progress towards implementing the NIST Cybersecurity Framework, the framework identifies four implementation tiers:
The NIST Cybersecurity Framework provides a step-by-step guide on how to establish or improve their information security risk management program:
IBM has many resources available about how to adopt the NIST Cybersecurity Framework. IBM also provides a variety of security framework and risk assessment services to help assess an organization's security posture.
Businesses can use IBM’s security framework and risk assessment services to help identify vulnerabilities to mitigate risks. These services provide network monitoring and management and enhance privacy, security options, and identification of security risks.
IBM also can help align security standards and practices to the NIST CSF in a cloud environment.
Sign up for an IBM ID and create an IBM Cloud account.