Adopt the NIST Cybersecurity Framework - Understand the CSF in 10 Minutes or Less

This Guide will cover everything you need to know to start and improve your NIST Framework-based program.

The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure is motivating action from U.S. federal agencies and U.S. businesses. Recent cyberattacks and breaches have resulted in heightened private sector awareness, which is driving businesses to reevaluate how they can reduce enterprise risk. 

Frameworks create a common language for cyber that unifies the conversation around enterprise risk and security.

Some organizations are even requiring their vendors to adopt frameworks as they scale. Likewise, financial and healthcare companies are realizing the importance of securing their data following this set of best practices. Europe, too, clearly sees the value of the framework as it looks to it while finalizing the NIS Directive.

As business leaders, we have a substantial responsibility to execute, keep our companies protected, and effectively relay our progress back to our peers. This pressure can be crushing—we see what can go wrong, including revenue lost and reputations damaged, sometimes beyond repair. A proactive information security professional will stay informed and advocate for increased resilience via a standards-based approach.

As noted above, the NIST Cybersecurity Framework is by far the most comprehensive framework, but it is also the most complex to navigate.

The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, formally titled The Framework for Improving Critical Infrastructure Cybersecurity, can overwhelm even experienced security professionals with its complexity. Yet, increasingly, it is recognized as a national gold standard. Its popularity and support are apparent: 61 percent of U.S. businesses are actively working to adopt the framework as of 2017, and that number continues to grow.

The release of Version 1.1 of the Framework makes it even more robust and flexible. It can be voluntarily adopted by organizations of any size, and its rapid adoption across industries proves its strength as a foundation for any cybersecurity program.

The Under Secretary of Commerce for NIST, Walter Copan, noted

"From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry, and academia. The impact of their work is evident in the widespread adoption of the framework by organizations across the United States, as well as internationally."

According to NIST,

"This second draft update aims to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use. This latest draft reflects comments received to date, including those from a public review process launched in January 2017 and a workshop in May 2017."

"The voluntary NIST Cybersecurity Framework should be every company's first line of defense. Adopting version 1.1 is a must do for all CEOs."

- U.S. Secretary of Commerce Wilbur Ross

Small and mid-sized businesses need to be aware that not only are large enterprises targets, but the framework may also be the most robust method for implementing best practices.

The U.S. National Cybersecurity Alliance says cleaning up after an attack for a small to mid-sized business can range from $690,000 to over $1 million. The NIST Interagency Report (NISTIR) 7621, entitled “Small Business Information Security: The Fundamentals,” states, “Because small businesses typically don’t have the resources to invest in information security the way larger businesses can, many cybersecurity criminals view them as soft targets.” The report also notes that some hackers are attacking not simply for profit but out of revenge or the thrill of causing havoc. To a small business, a strong cybersecurity program is often seen as a task too difficult because of the resource requirements.

Nonetheless, the benefits greatly exceed the cost, as adopting a strong program and creating a business process will help gain and retain customers, especially in light of publicized cybersecurity attacks, as customers expect sensitive information to be protected from compromise. The NIST Framework applies to any cybersecurity program, regardless of size, as a jumping-off point to establish their cybersecurity posture. It turns in traditional, more audit-based policies for a risk-based approach to cybersecurity management. It’s a guideline for businesses to update their risk management approach, as many U.S. organizations across sizes and industries already leverage some security framework. Businesses of all sizes and industries see the importance of building a robust cyber risk management plan and seek more proactive strategies. Its five core functions- Identify, Protect, Detect, Respond, and Recover- are a blueprint for mitigating cybersecurity risk. Appropriately implemented, an organization will have the most powerful set of tools and procedures in place. 

Since this article was published, the NIST CSF has been updated. NIST CSF 2.0 includes updates to the core function with the 'Govern' Function, widespread applicability beyond critical infrastructure, and a renewed emphasis on supply chain risk management. 

A Profile enables an organization to establish a roadmap for reducing cybersecurity risk that is well-aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities.

Given the complexity of many organizations, they may choose to have multiple profiles aligned with particular components and recognize their individual needs. Framework Profiles can be used to describe the current state or the desired target state of specific cybersecurity activities.

Your Current and Target Profile

The Current Profile indicates the cybersecurity outcomes that are currently being achieved. The Target Profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals.

It's important to loop in goals from all business segments, including business and security. That way, you'll have a more well-rounded goal set that aligns with your business's vision for the future.

The Value of Profiles

Profiles support business/mission requirements within your organization to all constituents and aid in the communication of risk between organizations. If you have difficulty translating your current and target-risk and cybersecurity strengths to your partners, vendors, and the like, creating these profiles will boost communication between all parties involved. The better the communication within and around your organization, the more progress you'll make in building a robust program or creating a faster response plan.

If you're interested in analyzing your organization against NIST Cybersecurity Framework best practices in hours, check out CyberStrong. You'll see areas for improvement and gaps across all five NIST functions, and you'll have a plan of action to close those gaps within your organization.

NIST Identify Function

NIST defines the Identify function as calling on " developing the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.". In this function, as a CISO, you can work on laying a foundation in your organization for effective use of the Framework moving forward. Identify focuses on the business and how it relates to cybersecurity risk, especially considering the resources at hand.

Here are some of the outcome Categories associated with this function:

• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy

The importance of the Identify function is clear: it lays the groundwork for cybersecurity-related actions that your organization will take moving forward. Identifying what exists, what risks are associated with those environments, and how that relates to your business goals are crucial to success with the Framework. 

Successful implementation of the Identify function could result in multiple outcomes, for example:

• Defining all assets and environments
• Defining the current and target states of controls
• Making a plan to remediate those gaps
• Prioritizing how to approach mitigation in a business context
• Prioritizing the needs of all stakeholders and business leaders involved
• Defining how to communicate cybersecurity issues with all related stakeholders

Organizations must evolve their cybersecurity practices and implement vital safeguards to contain and limit the impacts of potential cybersecurity incidents. All digital and physical assets must be accounted for, and roles must be defined with clear communication workflows around incidents and risks. The policies and procedures you implement will provide the stability your cybersecurity program needs as it matures through all five functions.

NIST Protect Function

NIST says that the framework functions "aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities." 

The Protect function is important because it aims to "develop and implement appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology," according to NIST. 

Protect covers these categories:

• Access Control: validating identities and access to different systems, facilities, etc.
• Awareness and Training: Giving employees and others the ability to be part of your cybersecurity plan with education and training.
• Data Security: Manage your data according to company standards to mitigate cybersecurity risks and proactively protect its Availability, Integrity, and Confidentiality.
• Information Protection Processes & Procedures: Establish the policies, processes, and procedures you need to protect your assets.
• Maintenance: Continuously repair your Information System components and mitigate them
• Protective Technology: Deploy the security solutions needed to protect them in line with company policies

Some examples of ways to attain these requirements are:

• Prevent data breaches by using 2FA and MFA and controlling access to your environments and data.
• Ensure your people are properly trained in handling your company's critical data and their various levels of access. Prevent accidents as much as possible.
• Make sure your data is encrypted, in motion, and protected in all ways possible

Organizations must evolve as breaches become increasingly common. By focusing on the Protect function, you can establish policies and procedures to lay a strong foundation for your cybersecurity program as it matures in all five functions.

NIST Detect Function

The NIST CSF Detect function requires that you develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

"The Detect function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include Anomalies and Events, Security Continuous Monitoring, and Detection Processes."

• Anomalies & Events: Your program will detect unusual activity as soon as possible, and the impact of events will be understood by everyone on your team and beyond.
• Security & Continuous Monitoring: You monitor your information systems and environments at specified intervals to identify cybersecurity events in your organization.
• Detection Processes: Procedures and processes for detection are put in place and tested to ensure timely and broad awareness of cybersecurity events.

The Detect function is a critical step to a robust cybersecurity program - the faster you can detect a cybersecurity event, the faster you can mitigate the effects of it. Examples of how to accomplish steps towards a thorough detect function are as follows:

• Anomalies & Events: Prepare your team to have the knowledge to collect and analyze data from multiple points to detect an event.
• Security & Continuous Monitoring: Have your team monitor your assets 24/7, or consider involving an MSS to supplement.
• Detection Processes: Attempt to know about a breach as soon as possible and follow disclosure requirements as needed. Your program should be able to detect inappropriate access to your data as soon as possible.

Clearly, the detect function is one of the most important, as detecting a breach or event can be life or death for your business. Following these best practices and implementing these solutions will undoubtedly help you scale your program and mitigate cybersecurity risk. In our next blog post, we will explore the Respond function.

NIST Respond Function

NIST defines Respond as "Develop and implement appropriate activities to take action regarding a detected cybersecurity incident."

"The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. Examples of outcome Categories within this Function include Response Planning, Communications, Analysis, Mitigation, and Improvements".

Here are the parts of the Respond function and their importance:

• Response Planning: Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events.
• Analysis: Analysis is conducted to ensure adequate response and support recovery activities.
• Mitigation: Activities are performed to prevent the expansion of an event, mitigate its effects, and eradicate the incident.
• Communications: Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
• Improvements: Organizational response activities are improved by incorporating lessons from current and previous detection/response activities.

When company breaches occur, an incident response plan is critical to managing the immediate aftermath. Surprisingly, many organizations don't have an incident response plan or just haven't tested the plan they have in place.

• Your Response Plan: Ensure you're reporting breaches if they occur.
• Mitigate: Make sure you plan to mitigate any event that could occur in-house and with third parties.
• Analyze: Go over your plan with experts inside and outside your team.

NIST Recover Function

According to NIST, the Recover function is defined as the need to "develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity security event.

"The Recover Function supports timely recovery to normal operations to reduce the impact of a cybersecurity event. Examples of outcomes for this function include Recovery Planning, Improvements, and Communications."

Recover includes these areas:

• Recovery Planning: Recovery procedures are tested, executed, and maintained so that your program can mitigate the effects of an event sooner rather than later
• Improvement: Recovery planning and processes are improved when events happen, areas for improvement are identified, and solutions are put together
• Communication: Coordinate internally and externally for greater organization, thorough planning, and execution

The Recover function is important not only in the eyes of your business or organization in recovering from an attack but also in the eyes of your customers or market. Swift recovery handled with grace and tactfulness will allow you to end up in a much stronger position internally and externally than you would otherwise.

Prioritizing these focus areas within recover will ensure that your organization has a recovery plan that is up to date and matches your organization's goals and objectives.