What is NIST CSF?
The National Institute of Standards and Technology (NIST), a US federal agency, was tasked in 2013 with building a technology-neutral cybersecurity framework (CSF) in collaboration with the private sector. The aim was to protect critical infrastructure from security attacks by developing a cybersecurity framework from existing standards such as ISO/IEC 27001, Federal Information Processing Standards (FIPS), Common Criteria (CC) for Information Technology Security Evaluation, and other industry best practices.
NIST cybersecurity framework is a collection of voluntary security standards that apply to managing and reducing cybersecurity risks. Organizations can use it to assess their current cybersecurity capabilities, formulate a target security posture, and evaluate the progress towards it. This framework also enhances the ability of an enterprise to communicate potential cybersecurity risks to their internal and external stakeholders.
Who must comply with NIST CSF?
Consequences of NIST CSF non-compliance
Non-compliance to the NIST CSF places organizations that work with federal agencies at risk of being charged under the Federal Acquisition Regulation (FAR) or losing federal contracts. It can also be detrimental to marketing and future contract negotiations, bringing unwarranted lawsuits and negative public sentiment. Furthermore, depending on the governing body, the significance of data handled, and potential breach implications, the agency might face direct and indirect consequences such as dismissal for negligence, imprisonment, termination of the contract, or dissolution of the concerned department.
NIST CSF requirements for compliance
The NIST CSF is made of three categories to help organizations evolve a cybersecurity strategy:
- Framework core assists organizations with planning cybersecurity activities.
- Implementation tiers describe the cyber risk level of the organization and the degree to which the characters mentioned in the framework are exhibited.
- Profiles present the cybersecurity readiness status of an organization at any specified time, thus supporting the organization in planning an implementation roadmap.
NIST CSF functions and categories
The core of the NIST CSF is divided into five functions: identify, protect, detect, respond, and recover. Each of these functions is further divided into categories and subcategories. The NIST CSF core is made up of 23 categories and 108 subcategories, which reinforce the comprehensive approach recommended by the framework.
The identify function of the NIST CSF establishes the foundational attributes that influence the direction of cybersecurity-related actions. This function focuses on thorough documentation of assets on the network and along the operational pipeline. These assets include systems, people, assets, data, and capabilities.
The Identify function consists of six categories:
- Asset Management
- Business Environment
- Risk Assessment
- Risk Management Strategy
- Supply Chain Risk Management
The protect function of the NIST CSF serves the goal of defending the most critical assets from increasingly sophisticated cybersecurity threats. By limiting or containing the impact radius of a potential cybersecurity threat, the protect function ensures the continued availability of critical services.
The protect function consists of six categories:
- Awareness and Training
- Data Security
- Protective Technology
- Information Protection Processes and Procedures
- Identity Management and Access Control (IAM)
The detect function of the NIST CSF necessitates the deployment of monitoring systems and practices to effectively spot cybersecurity events. It involves the use of intrusion detection systems that notify or block unusual network activities.
The detect function consists of three categories:
- Anomalies and Events
- Security Continuous Monitoring
- Detection Processes
The respond function of the NIST CSF counters a cybersecurity event by restricting and mitigating the effects of the attack. This is carried out by implementing attack action plans and setting up response teams based on the identified threats.
The respond function consists of five categories:
- Response Planning
The recover function of the NIST CSF gears the organization toward timely recovery and resumption of business operations. This helps in planning alternate strategies for continued business operations and reducing the impact of a cyberattack.
The recover function consists of three categories:
- Recovery Planning
The NIST CSF classifies the framework-core implementation into four tiers. This four-tiered model helps the executives evaluate (or rate) the organization’s data security initiatives and determine areas requiring improved measures to line up with the controls defined in the framework core. Additionally, the implementation tiers function as a measure that accommodates every organization’s distinct operating environment, acceptable risk level, financial limitations, and other subjective regulatory requirements.
The four implementation tiers outlined in the NIST cybersecurity framework are as follows.
- Partial – Tier 1 Organizations that fall under the partial tier have a limited grasp of the potential cyberthreats. These organizations lack documented processes and proactive measures to handle cyber risks. They tend to deal with cybersecurity events in an offhand manner, pushing their employees, customers, and external collaborators into a reactive mode.
- Risk informed – Tier 2 Organizations that fall under the risk informed tier have a fragmented security strategy. The decision-makers in these organizations understand specific threats in their environment and implement measures to protect against these threats. They lack a unified approach and robust governance policy toward risk management.
- Repeatable – Tier 3 Organizations that fall under the repeatable tier have strong internal policies and documented procedures to combat cyberthreats. Their defense strategy enables them to quickly respond to incidents while remaining repeatable over time. Moreover, they engage in the process of reviewing and updating their protection measures as new cyberthreats emerge.
- Adaptive – Tier 4 Organizations that fall under the adaptive tier have a comprehensive solution, as recommended by the framework, to protect against cyberthreats. They undertake an integrated approach to cybersecurity protection by implementing policies and procedures that yield an adaptive response to the evolving threat landscape.
NIST CSF roadmap
The NIST CSF governance model empowers organizations to handle risk based on its potential impact using a variety of techniques. Organizations can choose to avoid the risk entirely, manage the risk internally, or transfer the risk using managed solutions. This flexibility gives organizations of all sizes the ability to pursue compliance and optimize their approach to cybersecurity.
Understanding and communicating cybersecurity threats and requirements form a key component in implementing the NIST cybersecurity framework. Given the complex, contextualized, and interconnected business relationships, notifying the stakeholders in the supply chain of the risks and measures enhances the overall security.
NIST CSF best practices: A checklist
The identify phase involves taking stock of all the devices and systems in the network and establishing the responsibilities of all the employees and stakeholders.
- Asset management: Audit and list the risk profile of systems, assets and personnel.
- Risk assessment: Identify and validate the potential threats to the organization to inform the strategy.
- Governance: Regulate the risk and operating environment of the organization by formulating cyber policies and programs.
- Risk management strategy: Determine the organization's risk tolerance and operational priorities to shape the target roadmap.
- Business environment: Prescribe the cybersecurity roles by establishing the mission, objectives and long-term goals of the organization and stakeholders.
- Supply chain risk management: Build a target blueprint for the supply chain by assessing risks and developing a risk management strategy.
The protect phase requires technical and administrative actions to eliminate the risks identified by the organization.
- Identity management and access control: Administer user access through a strong and efficient access control system, like privileged account management and multi-factor authentication.
- Awareness and training: Engage employees and all stakeholders in a training program to clarify the standards, guidelines, and policies of the organization.
- Data security: Implement encryption technologies to protect data at rest and data in motion. Ensure all the devices and permissions are logged.
- Information protection processes and procedures: Once the responsibilities of different stakeholders are established, formulate a mechanism to enforce the same.
- Maintenance: Formulate a program that mandates regular maintenance of all data hosting and processing infrastructure.
- Protective technology: Implement baseline protection measures to resist common cyberthreats. Some of the solutions that perform such tasks are antivirus, anti-spyware, and network security solutions.
The detect phase shapes the ability of an organization to guard against emerging new and complex threats.
- Anomalies and events: Develop and implement tools that detect anomalous user or application behavior.
- Security continuous monitoring: Use detection and response solutions to monitor all the assets of the organization around the clock.
- Detection processes: Establish policies and guidelines that supplement threat detection and ensure active participation of employees and key stakeholders.
The respond phase plays a key role in averting and neutralizing cyberattacks in progress and reducing their impact.
- Response planning: Manage who authorizes an incident response, along with when and how the plans are maintained and deployed.
- Communications: Delineate the key responsibilities of the internal event response teams, contracted personnel, third parties, and law enforcement.
- Analysis: Constitute a program to analyze the incident, support the response team, and contribute in shaping future security policies.
- Mitigation: Take appropriate actions to reduce the impact of the attack on the organization.
- Improvements: Formulate a plan to audit the response, and improve based on the learnings.
The recover phase shifts the focus from preventing and managing a threat to addressing the effects of the attack after the event. In addition, it plays an important role in restoring the services damaged by the attack.
NIST CSF: Key subcategories to consider
|NIST CSF subcategory||Code definition||Compliance recommendations|
|ID.AM (Identify: Asset Management)||The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.||
|ID.RA (Identify: Risk Assessment)||The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.||
|PR.AC (Protect: Identity Management, Authentication, and Access Control)||Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.||
|PR.DS (Protect: Data Security)||Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.||
|DE.AE (Detect: Anomalies and Events)||Anomalous activity is detected and the potential impact of events is understood.||
|DE.CM (Detect: Security Continuous Monitoring)||The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.||
|RS.AN (Respond: Analysis)||Analysis is conducted to ensure effective response and support recovery activities.||
The goal of the NIST cybersecurity framework is for organizations to attain an optimal security posture rather than only fulfilling specific controls to meet management goals. This allows organizations to establish a strong security foundation while supplementing compliance with newer regulations as they come into existence. In addition, small and medium businesses find the NIST framework to be an affordable opening into the cybersecurity space. NIST CSF is advantageous for organizations of all sizes, as it:
- Carries industry recognition and applies to different sectors.
- Is easy to adopt, while shrinking the effects of successful attacks.
- Supports regulatory and compliance requirements while strengthening the data protection of the organization.