The NIST cybersecurity framework is a powerful tool to organize and improve your cybersecurity program. It is a set of guidelines and best practices to help organizations build and improve their cybersecurity posture. The framework puts forth a set of recommendations and standards that enable organizations to be better prepared in identifying and detecting cyber-attacks, and also provides guidelines on how to respond, prevent, and recover from cyber incidents.
Drafted by the National Institute of Standards and Technology (NIST), this framework addresses the lack of standards when it comes to cybersecurity and provides a uniform set of rules, guidelines, and standards for organizations to use across industries. The NIST Cybersecurity Framework (NIST CSF) is widely considered to be the gold-standard for building a cybersecurity program. Whether you’re just getting started in establishing a cybersecurity program or you’re already running a fairly mature program, the framework can provide value — by acting as a top-level security management tool that helps assess cybersecurity risk across the organization.
The framework categorizes all cybersecurity capabilities, projects, processes, and daily activities into five core functions: Identify, Protect, Detect, Respond, and Recover.
Here are some tips on getting started with the NIST CSF in your organization without getting bogged down and lost in the minutiae of the specification documents.
5 Core Functions of NIST Cybersecurity Framework
The Identify function is focused on laying the groundwork for an effective cybersecurity program. This function assists in developing an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. To enable an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs, this function stresses the importance of understanding the business context, the resources that support critical functions, and the related cybersecurity risks. Essential activities in this group include:
- Identifying physical and software assets to establish the basis of an asset management program
- Identifying the organization’s business environment including its role in the supply chain
- Identifying established cybersecurity policies to define the governance program as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization
- Identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities to assess risk
- Establishing a risk management strategy including identifying risk tolerance
- Identifying a supply chain risk management strategy including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks
The Protect function outlines appropriate safeguards to ensure delivery of critical infrastructure services and supports the ability to limit or contain the impact of a potential cybersecurity event. Critical activities in this group include:
- Implementing protections for Identity Management and Access Control within the organization including physical and remote access
- Empowering staff through security awareness training, including role-based and privileged user training
- Establishing data security protection consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information
- Implementing processes and procedures to maintain and manage the protections of information systems and assets
- Protecting organizational resources through maintenance, including remote maintenance activities
- Managing technology to ensure the security and resilience of systems, consistent with organizational policies, procedures, and agreements
Detecting potential cybersecurity incidents is critical, and the Detect function defines the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. Activities in this function include:
- Ensuring anomalies and events are detected, and their potential impact is understood
- Implementing continuous monitoring capabilities to monitor cybersecurity events and verify the effectiveness of protective measures including network and physical activities
The Respond function focuses on appropriate activities to take action in case of a detected cybersecurity incident and supports the ability to contain the impact of a potential cybersecurity incident. The essential activities for this function include:
- Ensuring response planning processes are executed during and after an incident
- Managing communications with internal and external stakeholders during and after an event
- Analyzing the incident to ensure effective response and supporting recovery activities including forensic analysis and determining the impact of incidents
- Performing mitigation activities to prevent expansion of an event and to resolve the incident
- Implementing improvements by incorporating lessons learned from current and previous detection / response activities
The Recover function identifies appropriate activities to renew and maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. Timely recovery to normal operations is emphasized, to reduce the impact from a cybersecurity incident. Essential activities for this function overlap somewhat with those of Respond and include:
- Ensuring the organization implements recovery planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents
- Implementing improvements based on lessons learned and reviews of existing strategies
- Coordinating internal and external communications during and following the recovery from a cybersecurity incident
Why should I use the NIST Cybersecurity Framework?
First, let’s take a step back and list the cybersecurity issues that are probably top of mind.
- You worry about unseen risks and vulnerabilities.
- You do not have an accurate inventory of assets that need to be protected.
- Your team spends much effort chasing items that will not have impact, while you would like them to focus on real risk.
- You want to know how to address risk items given your current tools and what’s available in the marketplace.
- Your colleagues outside the security team do not understand cyber risk and therefore fail to “own” critical mitigation tasks.
- Your board is beginning to ask you about quantifying the risk reduction outcomes from the strategic cybersecurity plan that your team has been executing: “Are we compliant with NIST?”
The framework can help you with these challenges. You will be able to leverage the learnings of people who have successfully addressed similar problems.
The objective of the framework is to help you prioritize cybersecurity investments and decisions. The framework also helps you reason about the maturity of your program and provides a framework for conversations with stakeholders including your senior management and your board of directors.
How to get started with NIST Cybersecurity Framework
Aligning with the framework means enumerating all your activities and labelling each element with one or more of the five function labels. For example, the Identify label is for tools that help you inventory your assets. Tools like firewalls and CrowdStrike go into Protect; however, depending on their capabilities, you would also put them in Detect along with your IDS and SIEM. Your incident response tools and playbooks go into Respond. Your backup and recovery tools are part of Recover.
Once you have gone through this exercise, some of your buckets may feel more empty than others and you may feel uncomfortable about the corresponding function description in the picture above. That’s good — now you can articulate what your cybersecurity program is missing.
Understanding Maturity Levels in NIST Language
The framework guides you to think about “maturity levels” for each of these functional areas. In NIST language, these levels are called “implementation tiers” to avoid confusion with CMMI’s Levels.
The idea is that as you add capabilities, you move to higher implementation tiers. The tier names Partial, Informed, Repeatable and Adaptive mean exactly what their plain English meaning says. The holy grail is the “Adaptive” tier — which means your cybersecurity program is as good as it gets. You might even choose to draw a line (“Peer Benchmark”) for where you want to get to, based on your knowledge of other companies that are similarly situated to yours.
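The labelling exercise above and the tier self-assessment are easy to do once by hand, but the empty buckets only stay visible if the mapping is kept as data and re-checked as tools change. The script below is an added example (not from the article or from NIST): it holds a constructed inventory of controls tagged with the functions they serve, rejects labels outside the five functions, reports which functions have no coverage, and turns a constructed per-function tier self-assessment into a gap-to-target view using the tier names as the article gives them. The inventory, the assessed tiers and the target tier are all assumptions chosen for illustration.

```python
"""Map a control inventory onto the five NIST CSF functions and report gaps.

Added example. The inventory and tier assessments below are constructed for
illustration; they are not from the article and not a NIST artifact.
"""

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Implementation tier labels, lowest (1) to highest (4), as the article names them.
TIERS = ("Partial", "Informed", "Repeatable", "Adaptive")

# Constructed inventory: (control or tool, set of functions it supports).
# A tool may legitimately sit in more than one bucket (firewall: Protect + Detect).
INVENTORY = [
    ("Asset inventory (CMDB)",          {"Identify"}),
    ("Vulnerability scanner",           {"Identify"}),
    ("Perimeter firewall",              {"Protect", "Detect"}),
    ("Endpoint detection and response", {"Protect", "Detect"}),
    ("SIEM with alerting",              {"Detect"}),
    ("Incident response playbooks",     {"Respond"}),
    ("Security awareness training",     {"Protect"}),
]

# Constructed self-assessed tier (1..4) per function; a function with no
# entry is treated as tier 1 because nothing supports it yet.
ASSESSED_TIERS = {"Identify": 2, "Protect": 3, "Detect": 2, "Respond": 1}


def validate(inventory):
    """Reject labels outside the five functions so a typo cannot hide a gap."""
    for name, funcs in inventory:
        unknown = set(funcs) - set(FUNCTIONS)
        if unknown:
            raise ValueError(f"{name!r}: unknown function label(s) {sorted(unknown)}")


def coverage(inventory):
    """Return {function: [control names]} for all five functions, empty lists kept."""
    validate(inventory)
    buckets = {f: [] for f in FUNCTIONS}
    for name, funcs in inventory:
        for f in funcs:
            buckets[f].append(name)
    return buckets


def gaps(inventory):
    """Functions that no control in the inventory is labelled with."""
    return [f for f, items in coverage(inventory).items() if not items]


def tier_report(assessed, target=3):
    """Return (function, tier label, tiers short of target) for each function."""
    rows = []
    for f in FUNCTIONS:
        tier = assessed.get(f, 1)
        if not 1 <= tier <= len(TIERS):
            raise ValueError(f"{f}: tier must be between 1 and {len(TIERS)}")
        rows.append((f, TIERS[tier - 1], max(0, target - tier)))
    return rows


if __name__ == "__main__":
    for func, items in coverage(INVENTORY).items():
        print(f"{func:9s} {len(items)} control(s): {', '.join(items) or '(none)'}")
    print("Uncovered functions:", ", ".join(gaps(INVENTORY)) or "none")
    for func, label, short in tier_report(ASSESSED_TIERS):
        print(f"{func:9s} tier={label:10s} short of target by {short}")
```

Keeping the mapping in a file under version control also gives you a record of how each bucket filled up over time, which is the same story the quarterly board slide tells.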
Implementing and improving your cybersecurity program
While all the functions of the NIST CSF are important for different reasons, the Identify function is foundational. Identify is all about developing an accurate IT asset inventory and understanding the criticality of assets. Identify is also concerned with discovering vulnerabilities that attackers can exploit. To take a human analogy, Identify capabilities are like your senses, and help by providing direction to your cybersecurity program.
We recommend that you begin the framework alignment of your cybersecurity program by focusing on Identify. The picture below shows the relationship between Identify and the other cybersecurity functions.
Recommended Reading: How to implement and improve your Identify capabilities in a straightforward way.
Once you are well on your way with Identify, you can learn how to implement the Protect and Detect functions.
No matter how good your program, some of your enterprise’s components will be breached at some point in time. Therefore it is also important to decide what you will do when you discover a (hopefully minor) data breach, and how you would restore your systems to their state before the breach. Respond and Recover are the essential re-energizing engines of the NIST CSF. Additional details about implementing the Respond and Recover functions will be covered in an upcoming article.
The NIST cybersecurity framework as a system for board-level reporting
The NIST framework works very well for board-level reporting. If you are a new CISO, here is a set of slides that allows you to introduce your InfoSec strategy and plan by aligning with the framework. Here is what your ongoing quarterly presentation looks like.