What is the NIST Cybersecurity Framework?

The National Institute of Standards and Technology (NIST) is a non-regulatory agency that promotes innovation by advancing measurement science, standards and technology.

The NIST CSF is flexible enough to integrate with the existing security processes within any organization, in any industry. It provides an excellent starting point for implementing information security and cybersecurity risk management in virtually any private sector organization in the United States.

On 12 February 2013, Executive Order (EO) 13636 "Improving Critical Infrastructure Cybersecurity" was issued. This began NIST’s work with the US private sector to "identify existing voluntary consensus standards and industry best practices to build them into a Cybersecurity Framework." The result of this collaboration was the NIST Cybersecurity Framework Version 1.0.

The Cybersecurity Enhancement Act (CEA) of 2014 broadened NIST's efforts in developing the Cybersecurity Framework. Today, the NIST CSF is still one of the most widely adopted security frameworks across all US industries.

NIST Cybersecurity Framework includes functions, categories, subcategories and informative references.

Functions give a general overview of security protocols of best practices. Functions are not intended to be procedural steps but are performed “concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk.” Categories and subcategories provide more concrete action plans for specific departments or processes within an organization.

Examples of NIST functions and categories include:

• Identify: To protect against cyberattacks, the cybersecurity team needs a thorough understanding of the organization's most important assets and resources. The identify function includes categories such as asset management, business environment, governance, risk assessment, risk management strategy and supply chain risk management.
  
  
• Protect: The protect function covers much of the technical and physical security controls for developing and implementing appropriate safeguards and protecting critical infrastructure. These categories are identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance and protective technology.
  
  
• Detect: The detect function implements measures that alert an organization to cyberattacks. Detect categories include anomalies and events, security, continuous monitoring and detection processes.
  
  
• Respond: The respond function categories ensure the appropriate response to cyberattacks and other cybersecurity events. Specific categories include response planning, communications, analysis, mitigation and improvements.
  
  
• Recover: Recovery activities implement plans for cyber resilience and ensure business continuity in the event of a cyberattack, security breach or other cybersecurity event. The recovery functions are recovery planning improvements and communications.

The NIST CSF's informative references draw a direct correlation between the functions, categories, subcategories and the specific security controls of other frameworks. These frameworks include:

1. The Center for Internet Security (CIS) Controls®
2. COBIT 5
3. International Society of Automation (ISA) 62443-2-1:2009
4. ISA 62443-3-3:2013
5. International Organization for Standardization and the International Electrotechnical Commission 27001:2013
6. NIST SP 800-53 Rev. 4
   

The NIST CSF does not tell how to inventory the physical devices and systems or how to inventory the software platforms and applications; it merely provides a checklist of tasks to complete. An organization can choose its own method on how to perform the inventory.

If an organization needs further guidance, it can refer to the informative references to related controls in other complementary standards. There is plenty of freedom in the CSF to select the tools that best suit the cybersecurity risk management needs of an organization.

To help private sector organizations measure their progress toward implementing the NIST Cybersecurity Framework, the framework identifies four implementation tiers:

• Tier 1 – Partial: The organization is familiar with the NIST CSF and might have implemented some aspects of control in some areas of the infrastructure. Implementation of cybersecurity activities and protocols has been reactive versus planned. The organization has limited awareness of cybersecurity risks and lacks the processes and resources to enable information security.
  
  
• Tier 2 – Risk informed: The organization is more aware of cybersecurity risks and shares information on an informal basis. It lacks a planned, repeatable and proactive organization-wide cybersecurity risk management process.
  
  
• Tier 3 – Repeatable: The organization and its senior executives are aware of cybersecurity risks. They have implemented a repeatable, organization-wide cybersecurity risk management plan. The cybersecurity team has created an action plan to monitor and respond effectively to cyberattacks.
  
  
• Tier 4 – Adaptive: The organization is now cyber resilient and uses lessons learned and predictive indicators to prevent cyberattacks. The cybersecurity team continuously improves and advances the organization’s cybersecurity technologies and practices and adapts to changes in threats quickly and efficiently. There is an organization-wide approach to information security risk management with risk informed decision-making, policies, procedures and processes. Adaptive organizations incorporate cybersecurity risk management into budget decisions and organizational culture.

The NIST Cybersecurity Framework provides a step-by-step guide on how to establish or improve their information security risk management program:

1. Prioritize and scope: Create a clear idea of the scope of the project and identify the priorities. Establish the high-level business or mission objectives, business needs and determine the risk tolerance of the organization.
   
   
2. Orient: Assess the organization’s assets and systems and identify applicable regulations, risk approach and threats to the organization.
   
   
3. Create a current profile: A current profile is a snapshot of how the organization is managing risk as defined by the categories and subcategories of the CSF.
   
   
4. Conduct a risk assessment: Evaluate the operational environment, emerging risks and cybersecurity threat information to determine the probability and severity of a cybersecurity event.
   
   
5. Create a target profile: A target profile represents the risk management goal of the information security team.
   
   
6. Determine, analyze and prioritize gaps: By identifying the gaps between the current and target profile, the information security team can create an action plan, including measurable milestones and resources (people, budget, time) required to fill these gaps.
   
   
7. Implement action plan: Implement the action plan defined in Step 6.