What is the NIST Cybersecurity Framework?

Faced with growing cyber risks and cyber attacks, companies need directives to increase or improve their cybersecurity. One of the more interesting references is the NIST Cybersecurity Framework.

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework helps companies better evaluate cyber risks.

The first version was published by the US National Institute of Standards and Technology (NIST) in 2014. At the time, the document was intended for those managing critical infrastructure. However, in 2017 a new version was created and then made publicly available in 2018.

Unlike the first version, the second includes guidance on performing self-assessments and more information about managing risk along the supply chain. It also contains guidance on how to interact with other parties and encourages the process of vulnerability disclosure.

The NIST Cybersecurity Framework has 3 goals:

  • Improving the security and resilience of critical infrastructure;
  • Enhancing national security;
  • Protecting individuals’ privacy, civil liberties, and economic activity.

The Framework consists of 3 parts:

  • The “Core” contains the set of activities and outcomes that are necessary for information security risk management.
  • The “Profile” is a specific description of how an organization applies the Core within its environment, reflecting its business requirements, risk tolerances, and resources.
  • The “Tiers” represent different levels of cybersecurity maturity and indicate an organization’s ability to manage cybersecurity risks.

The NIST Cybersecurity Framework is organized around 5 core functions.
Each function is associated with key cybersecurity outcomes that are essential for information security programs and is further broken down into subcategories, which NIST refers to as “Informative References”.

NIST Cybersecurity Framework functions and subcategories

1) Identify: Understand the information security risks.

  • Asset Management (ID.AM): Understand the organization’s assets and the associated cybersecurity risks.
  • Business Environment (ID.BE): Understand the business context for decisions about cybersecurity risk management.
  • Governance (ID.GV): Develop and implement policies, procedures, and processes to manage cybersecurity risk.
  • Risk Assessment (ID.RA): Regularly assess cybersecurity risk to organizational missions, functions, and business processes.
  • Risk Management Strategy (ID.RM): Communicate, integrate, and prioritize risk management decisions across the workforce.
  • Supply Chain Risk Management (ID.SC): Understand, manage, and communicate information about risks associated with the supply chain.

2) Protect: Limit or contain the damage from a cyber attack.

  • Access Control (PR.AC): Identify, classify, and protect information and systems from unauthorized access.
  • Awareness and Training (PR.AT): Ensure that the workforce has awareness and training to perform their cybersecurity-related duties.
  • Data Security (PR.DS): Protect information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
  • Information Protection Processes and Procedures (PR.IP): Identify, document, and implement information security processes and procedures.
  • Maintenance (PR.MA): Maintain and enhance cybersecurity capabilities to manage evolving risks.
  • Protective Technology (PR.PT): Identify, select, and implement technologies to mitigate risks.

3) Detect: Find cybersecurity incidents.

  • Anomalies and Events (DE.AE): Identify, detect, and respond to cybersecurity events.
  • Security Continuous Monitoring (DE.CM): Monitor information systems and the environment for indicators of an incident.
  • Detection Processes (DE.DP): Maintain and test detection processes and procedures to ensure timely and adequate awareness of anomalous events.

4) Respond: Take action in response to a detected incident.

  • Response Planning (RS.RP): Develop, maintain, and regularly test incident response plans.
  • Communications (RS.CO): Develop, implement, and maintain capabilities to share information internally and externally in a timely manner.
  • Analysis (RS.AN): Collect, analyze, and share information to support incident response.
  • Mitigation (RS.MI): Identify, assess, prioritize, authorize or take action to reduce risks.
  • Improvements (RS.IM): Improve the security processes, tools, and controls based on lessons learned from incidents.

5) Recover: Restore normal operations after an incident.

  • Recovery Planning (RC.RP): Develop, maintain, and regularly test recovery plans.
  • Improvements (RC.IM): Improve processes, tools, and controls based on lessons learned from incidents.
  • Communications (RC.CO): Develop, implement, and maintain capabilities to share information internally and externally about incident response and recovery activities.

Why use the Framework?

The NIST Cybersecurity Framework helps companies manage cyber risks in a structured and systematic way, learning from past incidents. At the same time, companies can tailor it to their specific needs. Additionally, it allows companies to communicate better about cyber risks with employees, shareholders, and partners.

Some of the benefits of using the Framework include:

  • Improved security posture
  • Better identification of cybersecurity risks
  • Improved cybersecurity risk management
  • Increased transparency
  • Enhanced communication about cybersecurity risks
  • Improved incident response
  • Increased resilience to cyber attacks
  • Reduced costs associated with cybersecurity incidents.

Even though the NIST Cybersecurity Framework is voluntary, it is now one of the main cybersecurity references worldwide. Indeed, although it is a set of guidelines that will continue to evolve as the cybersecurity landscape changes, the Framework provides a flexible and cost-effective approach that suits every company, regardless of size or sector.
