What is the NIST Cybersecurity Framework?

In the digital age, secure cyber infrastructure isn’t simply a business need – it’s a national and economic security concern.

To protect our country against cyber warfare, in 2013 then-President Obama issued an executive order directing The National Institute of Standards and Technology (NIST) to partner with critical players to develop a voluntary framework that would reduce cybersecurity risks for our country’s critical infrastructure. This framework, which includes specific cybersecurity standards, practices and guidelines, was created through a partnership between the private sector and the U.S. government, with the objective of supporting owners or operators of vital infrastructure to mitigate cybersecurity risks. Not only is the framework set up to support organizations in mitigating their cybersecurity risks, but it also serves as a platform for communication on the topic across key stakeholders.

Using the NIST Cybersecurity Framework

NIST’s cybersecurity framework is optional, which means organizations aren’t mandated to the practices; however, many organizations comply, including big players like Intel, Apple, and Bank of America. By 2020, Gartner Research estimates 50% of U.S. organizations will use the NIST Cybersecurity Framework.

The self-described “Rosetta Stone” of cybersecurity can equip organizations to navigate their cybersecurity plan and strategy by establishing a common language, as well as a process for understanding what can otherwise seem like a foreign language. And, instead of being established as a linear checklist, the NIST Cybersecurity Framework was designed to provide a flexible map, recognizing that each organization will have unique needs and vulnerable areas. The framework examines five key functions:

1. Identify where assets, data, systems, and capabilities may pose risks
2. Protect critical infrastructure with appropriate measures
3. Detect signals and activities of a security event
4. Respond effectively to security events
5. Recover and restore anything that was damaged in the security event

Within the framework, functions are further broken down into categories (like asset management, data, etc.) and then divided again into subcategories.

Tiers are applied to assess where current operations stand:

1. Tier 1 – These organizations haven’t established a formal process, and tend to approach security from a reactive standpoint. Understanding cybersecurity risk management can be limited.
2. Tier 2 – Risk-Informed. These organizations also may not have a standard policy for security risk management, but through management, they address risks as they occur.
3. Tier 3 – Repeatable. These organizations have formal risk management programs and defined security policies.
4. Tier 4 – Adaptable. These organizations take a proactive approach to cybersecurity risk management, leaning on analytics to guide data-driven best practices and adapts organizational policies to better understanding of events.

In practice, outcomes can include:

• Common vocabulary among leadership teams to discuss and understand cybersecurity
• Established risk management levels
• Clear understanding of the organization’s current cybersecurity practices – and benchmarks for where they should be.
• A clear path for budgets and prioritization related to established plans

Organizations leverage the framework from many different places in the cybersecurity process. Because the framework is intended to complement existing cybersecurity programs, it works as a supplement, helping organizations establish profiles and guiding them end-to-end in bringing the practices to the organization in full. And, because the NIST Cybersecurity Framework isn’t specific to any one organization, businesses can use a common language to communicate with other parties, like customers or suppliers, who may also need to discuss cybersecurity issues.

When Intel implemented the framework, they elected to modify it for their organization by adding four key tiers important in the pilot program: people, processes, technology and environment. Then, they established four phases to apply the framework. First, they created a heat map of functional areas by defining target stores and assessing current status. This heat map drove prioritization and budget activities, as Intel had a clear picture of focus areas.

NIST Cybersecurity Framework Updates

In 2016 and 2017, NIST examined feedback from public calls, questions and workshops to inform April’s 2018 release of version 1.1. The updates center on four key areas:

1. Authentication and identity
2. Self-assessing cybersecurity risk
3. Managing cybersecurity within the supply chain
4. Vulnerability disclosure

The intent for flexibility hasn’t changed, according to Matt Barrett, program manager for the Cybersecurity Framework. Instead, updates have honed and simplified the original version, while broadening the application to include technologies like the Internet of Things (IoT) and industrial control systems.

NIST is advising companies to adopt 1.1 immediately, and given the rate at which technology – and cybersecurity challenges – can evolve, it’s likely that organizations should plan to remain flexible and adaptive in the future, even in the application of the NIST Cybersecurity Framework.