In 2014, the National Institute of Standards and Technology published version 1.0 of its “Framework for Improving Critical Infrastructure Cybersecurity.” Commonly known as the NIST Cybersecurity Framework, its development was in response to Presidential Executive Order 13636 in February 2013: Improving Critical Infrastructure Cybersecurity. Subsequent versions of the NIST CSF appeared in 2017 and 2018, with the most recent version published in April 2018.
The NIST CSF provides guidance that helps organizations better manage their cybersecurity risk. This guidance is based on existing standards and practices, and it gives organizations a way to improve cybersecurity and business efficiency that is easier to understand and easier to use than earlier regulatory cybersecurity publications such as NIST 800-53.
NIST CSF: A guide to risk-based cybersecurity
It is important to emphasize that the NIST CSF is a risk-based framework and approach to cybersecurity management. In a risk-based approach, an organization first develops a clear picture of what it needs to protect: critical assets, vital business processes, and the people, processes, technology, information and facilities that must be secured for the business to operate successfully. As part of this step, the organization should also consider its mission, vision, values and critical success factors.
Second, the organization develops an understanding of its risk environment, including how it will be affected if a threat becomes active and the risk is realized.
Lastly, in a risk-based cybersecurity approach, the organization prioritizes the identified risks and develops protection processes, mitigation strategies and controls to counter these specific risks.
Another common cybersecurity approach is to use a control-based framework or standard. In this approach, a list of cybersecurity controls is implemented in a checklist manner simply because the control is included on the list. A checklist approach does not factor in what is important to the continuity of a specific business or the specific elements of a given organization’s risk environment.
Such an approach may lead to organizations implementing controls that are not needed, while taking resources away from more relevant and important controls. Implementing cybersecurity controls can be expensive, disruptive to the organization and time-consuming. Therefore, it makes sense to implement those controls that will have the greatest benefit to the organization and will block the most damaging cybersecurity risk scenarios.
NIST CSF benefits
The NIST CSF is intended to help organizations identify, implement and improve cybersecurity practices and creates a common risk-based language for communication of cybersecurity issues. This risk-based common language is vital to integrate with enterprise risk management, as well as communicate cybersecurity concerns throughout the organization.
The NIST CSF uses business drivers to guide cybersecurity activities. At a high level, the NIST CSF describes five core cybersecurity functions. Those functions are:
- Identify critical assets and business functions;
- Protect assets and functions by developing safeguards for service delivery;
- Detect cybersecurity events and incidents;
- Respond to detected events and incidents; and
- Recover and then restore services and capabilities that were affected by a cybersecurity event or incident.
These functions are intended to align with the cybersecurity incident management functions that organizations have long used, and they help identify where cybersecurity resources have been deployed effectively. Each of the five functions is broken down into considerable detail (categories and subcategories), but even at the top level the NIST CSF provides an assessment instrument that helps an organization determine its current cybersecurity state, set goals and develop a plan of action for a cybersecurity risk management program.
At least two cybersecurity “profiles” must be developed. One organizational profile is the current-state profile, which documents the starting point for cybersecurity risk management. The other is the target profile, which describes the desired end state for cybersecurity risk. According to the framework, using these organizational profiles helps an organization “align and prioritize its cybersecurity activities with its business/mission requirements, risk tolerances and resources.” A NIST CSF profile is therefore a flexible but highly specific description of an organization’s current cybersecurity state and its desired end state. Profile templates are also available for many types of critical infrastructure.
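The risk-based prioritization described earlier (identify what matters, understand the risk, then prioritize protection) and the current-versus-target profile comparison described here can be combined into a simple gap analysis. The following is an added example, not code from NIST or from the article: it assumes a per-subcategory implementation level on a 0–4 scale and a likelihood × impact risk score, which the CSF does not prescribe (the CSF defines subcategory outcomes and organization-level Implementation Tiers; the numeric scoring is a common practitioner convention used here as an assumption). The subcategory identifiers are real CSF 1.1 identifiers; their descriptions are paraphrased and the scores are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One row of a combined current/target profile for a single CSF subcategory.
# Scale assumptions (not part of the CSF): current/target are 0-4 implementation
# levels; likelihood and impact are 1-5 ratings from the organization's risk assessment.
@dataclass(frozen=True)
class Outcome:
    subcategory: str   # CSF 1.1 subcategory identifier, e.g. "PR.AC-1"
    function: str      # Identify / Protect / Detect / Respond / Recover
    description: str   # paraphrase of the subcategory outcome
    current: int       # where the organization is today (current-state profile)
    target: int        # where it wants to be (target profile)
    likelihood: int    # constructed risk-assessment rating
    impact: int        # constructed risk-assessment rating

    def gap(self) -> int:
        """Distance between target and current; never negative (already met)."""
        return max(self.target - self.current, 0)

    def risk(self) -> int:
        """Simple likelihood x impact score for the risk this outcome mitigates."""
        return self.likelihood * self.impact

    def priority(self) -> int:
        """Gap weighted by risk: big gaps on high-risk outcomes rank first."""
        return self.gap() * self.risk()


# Constructed sample profile: a small organization's current and target levels.
SAMPLE_PROFILE: List[Outcome] = [
    Outcome("ID.AM-1", "Identify", "Physical devices and systems are inventoried", 2, 3, 3, 4),
    Outcome("PR.AC-1", "Protect", "Identities and credentials are managed and audited", 1, 4, 4, 5),
    Outcome("PR.DS-1", "Protect", "Data at rest is protected", 3, 3, 3, 5),
    Outcome("DE.CM-1", "Detect", "The network is monitored for potential events", 1, 3, 4, 4),
    Outcome("RS.RP-1", "Respond", "Response plan is executed during or after an incident", 2, 3, 2, 5),
    Outcome("RC.RP-1", "Recover", "Recovery plan is executed during or after an incident", 0, 2, 2, 4),
]


def prioritize(profile: List[Outcome]) -> List[Tuple[str, int]]:
    """Return (subcategory, priority) for every unmet outcome, highest priority first.

    Outcomes whose target is already met are dropped: this is what distinguishes a
    risk-based plan from a checklist that revisits every control regardless of need.
    """
    unmet = [o for o in profile if o.gap() > 0]
    ranked = sorted(unmet, key=lambda o: (-o.priority(), o.subcategory))
    return [(o.subcategory, o.priority()) for o in ranked]


def function_gaps(profile: List[Outcome]) -> Dict[str, int]:
    """Sum the remaining gap per core function, for the top-level view the CSF offers."""
    totals: Dict[str, int] = {}
    for o in profile:
        totals[o.function] = totals.get(o.function, 0) + o.gap()
    return totals


def plan_of_action(profile: List[Outcome], capacity: int) -> List[str]:
    """Greedy plan: take outcomes in priority order until `capacity` gap points are used.

    `capacity` models the limited resources the article mentions (controls are
    expensive and disruptive), so only the most valuable gaps are scheduled.
    """
    chosen: List[str] = []
    by_id = {o.subcategory: o for o in profile}
    for sub, _ in prioritize(profile):
        cost = by_id[sub].gap()
        if cost <= capacity:
            chosen.append(sub)
            capacity -= cost
    return chosen


if __name__ == "__main__":
    for sub, score in prioritize(SAMPLE_PROFILE):
        print(f"{sub:8} priority={score}")
    print("gap per function:", function_gaps(SAMPLE_PROFILE))
    print("plan with 6 gap points:", plan_of_action(SAMPLE_PROFILE, 6))
```

With the constructed data, PR.AC-1 (a three-level gap on a high-risk outcome) ranks first and PR.DS-1 is not scheduled at all because its target is already met, even though a checklist approach would still spend effort on it. The weighting is deliberately simple; a real organization would substitute the scores from its own risk assessment and risk tolerance.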
Using the NIST CSF as a risk-based cybersecurity approach is a way to protect against threats effectively and proactively. It gives organizations a way to develop cybersecurity risk profiles that represent where they are today and then map a path forward to the desired end state for their cybersecurity programs. It is also worth remembering that using a language familiar to both the enterprise risk community and incident responders removes additional barriers to widespread adoption.