Understanding NIST’s Cybersecurity Framework

The World Economic Forum recently published The Global Risks Report 2019 and, consistent with 2018, two of the top five risks were identified as Data Fraud or Theft and Cyber-Attacks.

These findings demonstrate the significance of cyber-related risks and the need for strong cybersecurity defenses across organizations of all shapes and sizes. Cyberattacks are becoming increasingly widespread and complex, and fighting these attacks is becoming more difficult. These challenges are compounded by the lack of a unified strategy among organizations.

Steps Leading to the NIST Cybersecurity Framework

In 2014, then-President Obama signed an executive order, titled Critical Infrastructure Cybersecurity, to address the absence of frameworks that directly addressed cybersecurity risks. In April 2018, the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework as a set of guidelines to help private sector companies be better prepared to identify, detect, and respond to cyber-attacks. It also includes guidelines on how to prevent and recover from an attack.

The NIST Cybersecurity Framework is a set of best practices, standards, and recommendations that help an organization improve its cybersecurity measures. The NIST Cybersecurity Framework is now being implemented at all government offices under an executive order signed by President Trump.

The Framework Core

The Framework Core defines the activities organizations should undertake to achieve specific cybersecurity outcomes. It is divided into several elements:

Functions: The five functions outlined in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover. These are your most basic cybersecurity tasks.

Categories: For each of the five functions, there are categories that are specific challenges or tasks one must carry out. For instance, in order to protect (function) your systems, you must implement software updates, install antivirus and antimalware programs, and have access control policies in place.

Subcategories: These are the tasks or challenges associated with each category. For instance, in implementing software updates (category), an organization must ensure that all its Windows computers have auto-updates turned on (subcategory).

Information Sources: These are the documents or manuals that tell users how to perform specific tasks. An example would be a document detailing how auto-updates are enabled on Windows computers.

Implementation Tiers: The NIST Cybersecurity Framework specifies four implementation tiers. This helps an organization assess its level of compliance. The higher the tier, the more compliant the operation is.

Profiles: Profiles under the NIST Cybersecurity Framework describe both the current status of your organization’s cybersecurity measures and the roadmap you have towards becoming NIST Cybersecurity Framework compliant. NIST suggests that having these profiles allows organizations to see their weak spots at every step of the way. Once organizations can plug these weaknesses, it becomes easier to move up to higher implementation tiers.

NIST Cybersecurity Framework: Is It a Fit for Us?

Not all companies are required to implement the NIST Cybersecurity Framework. However, the cost of a security breach can be significant. And if the financial complications aren’t harrowing enough, it’s impossible to place a value on the loss of customer trust and an organization’s reputation. It is recommended that companies at the very least understand the current state of their cybersecurity program, its risks, and the initiatives or strategies in place to address those risks.

MorganFranklin helps public and private companies benchmark their cybersecurity processes, controls and technologies against the NIST Cybersecurity Framework and make smart investment decisions to enhance their cybersecurity programs.

May 7th, 2019 | Insights, Insights - Companies