The NIST cybersecurity framework is a powerful tool to organize and improve your cybersecurity program. The framework categorizes all cybersecurity capabilities, projects, processes, daily activities into these 5 core functions:
Here are some tips on getting started on using the NIST cybersecurity framework in your organization without getting bogged down and lost in the minutia of the specification documents.
Why should I use the NIST Cybersecurity Framework?
First, let’s take a step back and list the cybersecurity issues that are probably top of mind.
- You worry about unseen risks and vulnerabilities.
- You do not have an accurate inventory of assets that need to be protected.
- Your team spends much effort chasing items that will not have impact, while you would like them to focus on real risk
- You want to know how to address risk items given your current tools and what’s available in the marketplace
- Your colleagues outside the security team do not understand cyber risk and therefore fail to “own” critical mitigation tasks
- Your board is beginning to ask you about quantifying the risk reduction outcomes from the strategic cybersecurity plan that your team has been executing. “Are we compliant with NIST”?
The NIST framework can help you with these challenges. You will be able to leverage the learnings of people who have successfully addressed similar problems.
The objective of the framework is to help you prioritize cybersecurity investments and decisions. The framework also helps you reason about the maturity of your program and provides a framework for conversations with stakeholders including your senior management and your board of directors.
How to get started with NIST Cybersecurity Framework
Aligning with the framework means enumerating all your activities and labelling these elements with one of these 5 function labels. For example, the Identify label will be for tools that help you inventory your assets. Tools like Firewalls and Crowdstrike will go into Protect. However, depending on their capabilities you would also put them in Detect along with your IDS and SIEM. Your incident response tools and playbooks go into Respond. Your backup and recovery tools are part of Recover.
Once you have gone through this exercise, some of your buckets may feel more empty than others and you may feel uncomfortable about the corresponding function description in the picture above. That’s good — now you can articulate what your cybersecurity program is missing.
Understanding Maturity Levels in NIST Language
The NIST framework guides you to think about “maturity levels” for each of these functional areas. In NIST language, these levels are called “implementation tiers” to avoid confusion with CMMI’s Levels.
The idea is that as you add capabilities, you go to higher implementation tiers. The tier names Partial, Informed, Repeatable and Adaptive imply exactly what their English language meaning says. The holy grail is the “Adaptive” tier — which means your cybersecurity program is as good as it gets. You might even choose to draw a line (“Peer Benchmark”) for where you want to get to based on your knowledge of other companies that are similarly situated as yours do.
Implementing and improving your cybersecurity program
While all the functions of the NIST cybersecurity framework are important for different reasons, the Identify function is foundational. Identify is all about developing an accurate IT asset inventory, and understanding the criticality of assets. Identify is also concerned about discovering vulnerabilities that attackers can exploit. To take a human analogy, Identify capabilities are like your senses, and help by providing direction to your cybersecurity program.
We recommend that you begin the NIST framework alignment of your cybersecurity program by focusing on Identify. The picture below shows the relationship between Identify and the other cybersecurity functions.
Recommended Reading: How to implement and improve your Identify capabilities in a straightforward way.
Once you are well on your way with Identify, You can learn about How to implement the Protect and Detect functions.
No matter how good your program, some of your enterprise’s components will be breached at some point of time. Therefore it is also important to make sure what you will do when you discover a (hopefully minor) data breach, and how you would restore your systems back to their state before the breach. Respond and Recover are the essential reenergizing engines of the NIST cybersecurity framework. Additional details about implementing the Respond and Recover functions will be covered in an upcoming article.
The NIST cybersecurity framework as a system for board-level reporting
The NIST framework works very well for board level reporting. If you are a new CISO, here is a set of slides that allow you to introduce your InfoSec strategy and plan by aligning with the NIST framework. Here is what your ongoing quarterly presentation looks like.
Frequently Asked Questions About NIST Cybersecurity Framework
- What are the five elements of the NIST cybersecurity framework?
The framework categorizes all cybersecurity capabilities, projects, processes, daily activities into these 5 core functions:
- What does NIST stand for in NIST cybersecurity framework?
NIST stands for the National Institute of Standards and Technology, which operates under the US Department of Commerce.NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.