What is the NIST Cybersecurity Framework

Cyber-attacks, especially on critical infrastructures, can lead to financial losses and data manipulation. They could even be a risk to public safety. Thus, there is a pressing need to defend such organizations against cybersecurity events.   This realization prompted the U.S. to develop a voluntary cybersecurity framework for critical infrastructures and other organizations. This framework has proven to be a practical guide for organizations to create and improve their cybersecurity program.

This post will walk you through the NIST cybersecurity framework, discussing its history, components, and how to use this technology to establish or improve your cybersecurity program.

What is the NIST Cybersecurity Framework?

The NIST cybersecurity framework was designed by the National Institute of Standards and Technology as a voluntary framework resource to help businesses, especially critical infrastructures, to understand, reduce, and manage their cybersecurity risks and protect their data and resources.

Although organizations are bound to encounter unique cybersecurity risks, the framework is useful for reducing and managing threats. Hence, you must not consider the NIST framework as a replacement for your risk management and cybersecurity program.

It is only meant to complement your program by helping you identify areas of improvement and fix loopholes. Organizations that have yet to create a cybersecurity program can also leverage the NIST framework as a reference to establish their own.

History of the NIST Cybersecurity Framework

The creation of the NIST framework started with the Executive Order 13636, released on February 12, 2013. The order entailed sharing cybersecurity threat information and building current, successful approaches to reduce cyber risks. The NIST, being an unbiased source of scientific data and practices, was chosen to design the framework. The framework was developed through inputs from government, industry, and academia stakeholders through a Request for Information (RFI), a Request for Comment (RFC), an extensive outreach, and five workshops around the country.

The first framework, Framework 1.0, was published on February 12, 2014, and a second version, version 1.1, was released on April 16, 2018. The second version clarifies, refines, and improves the framework, making it more valuable for cybersecurity. The NIST hasn’t stopped working towards improving the cybersecurity framework, and as such, the framework continues to evolve. Currently, the institute has released a draft for version 2.0 and plans to publish the new framework in the early part of the year.

Components of the NIST Framework

The NIST framework has three parts. Each component plays a crucial role in the framework’s effectiveness for businesses.

  • The framework core.
  • The framework implementation tiers.
  • The framework profiles.

NIST Cybersecurity Framework Core Structure

The framework core is a set of activities created to achieve desired cybersecurity outcomes. It comprises industry standards, guidelines, and practices that support effective communication of cybersecurity activities and outcomes throughout the organization.  The framework core comprises four elements: Functions, categories, subcategories, and informative references.

Functions  

Functions help to organize cybersecurity activities and information. This process helps to manage risk by enabling you to make risk management decisions, address possible threats, and learn from previous cybersecurity activities. There are five functions, which include:

  • Identify – The organization must understand the assets, resources, and risks to manage cybersecurity risks. The activities under the identify function enable you to focus and prioritize efforts toward cybersecurity risk management.
  • Protect – The second function requires an organization to develop and implement safety measures to facilitate the delivery of critical services. Thus, you can protect the organization by limiting or containing the impact of a possible cybersecurity activity.
  • Detect – It entails developing and implementing activities necessary to identify a cybersecurity event, enabling timely discovery of such incidents.
  • Respond-  Here, organizations develop and implement activities to take action when they detect a cybersecurity event. Outcome categories within this function enable you to contain the impact of the cybersecurity incident.
  • Recover – The recovery function is designed to enable prompt recovery after a cybersecurity incident. It requires creating and implementing activities to support plans for resilience and restoration of any services affected by the cybersecurity event.

Categories 

Categories are the subdivision of the functions into more minor cybersecurity outcomes tied to specific activities. Here are some examples of categories under each function:

  • Identify Governance, risk management strategy, asset management, business environment, and risk assessment.
  • Protect Awareness and training, data security, information protection processes and procedures, identity management and access control, and protective technology.
  • Detect – Detection processes, anomalies and events, security, and continuous monitoring.
  • Respond – Response planning, analysis, mitigation, and improvements.
  • Recover Recovery planning, improvements, and communications.

Subcategories 

The above categories can be further broken down into subcategories. The subcategory helps to divide categories into more specific outcomes of technical and management activities. Each subdivision supports the attainment of the outcome of its category.

Examples of subcategories include “Data-at-rest is protected” and “Notifications from detection systems are investigated.”

Informative References 

Informative references comprise specific standards, guidelines, and practices commonly used in the critical service sector, providing a method to achieve the outcomes for each subcategory. The informative references in the core framework are illustrative but not exhaustive.

Framework Implementation Tiers 

The framework implementation tiers explore the organization’s view on cybersecurity and its plans for managing the risks. The tier system describes the degree of sophistication of an organization’s cybersecurity system.

The four framework implementation tiers are:  

  • Tier 1 – Partial risk management process.
  • Tier 2 – Risk-Informed Risk Management Process.
  • Tier 3 – Repeatable risk management process.
  • Tier 4 – Adaptive risk management process.

There’s a progression in complexity from the lowest to the highest tier. However, tiers don’t represent maturity levels. Instead, they are designed to support an organization’s cybersecurity decisions. Hence, the selected level should be in sync with the organizational goals. It must also be feasible to implement and able to lessen cybersecurity threats to the bearable minimum acceptable to the organization.

When selecting a suitable tier, an organization must consider its current risk management practices, organizational constraints, objectives, threat environment, and legal and regulatory requirements. Other things to consider when selecting the appropriate tier level are external guidance from Federal government departments and agencies, Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), existing maturity models, and other sources.

Framework Profile

The last component of the NIST framework is the profile. The framework profile constitutes the organization’s selection from the framework categories and subcategories. To develop a suitable framework, you can review all the categories and subcategories and determine which are most relevant based on the business drivers and risk assessment. Then, add the chosen categories and subcategories needed to tackle its cybersecurity risks.

You can use profiles to conduct self-assessments and communicate within the organization and with other organizations.  It also helps identify possible ways to enhance your cybersecurity system by comparing the current and target profiles. The current profile can then serve to measure the organization’s progress towards the target profile.

Establishing or Improving a Cybersecurity Program

The NIST also provided steps to help organizations apply the framework when creating their cybersecurity system or improving on an existing program. You must note that you must repeat these steps when necessary to continuously enhance your program.

Step 1: Prioritize and Scope 

Step one involves identifying your business/mission objectives and high-level organizational priorities. Once these have been defined, you can make strategic decisions about implementing your cybersecurity program. Also, identify the related systems and assets relevant to your organization, as well as

Step 2: Orient 

After determining the scope of your cybersecurity program suitable for your organization and having taken all the actions described in step 1, the next step is to consult sources to identify threats related to the systems and assets.

Step 3: Create a Current Profile 

In step 3, the organization creates a current profile by finding out which category and subcategory in the framework’s core are being achieved at the time the framework is being designed.

Step 4: Conduct a Risk Assessment   

Your overall risk management process, previous risk assessment activities, or both should guide the risk assessment process.  Analyze your operational environment to assess the chances of a cybersecurity event and its possible impact on the organization.

Also, use cyber threat information from internal and external sources to increase your knowledge of possible events and their impact.

Step 5: Create a Target Profile 

Create a target profile. This profile should include categories and subcategories that define your organization’s desired cybersecurity outcomes. You can also create your categories and subcategories to account for unique cybersecurity risks.

Step 6: Determine, Analyze, and Prioritize Gaps 

Compare your current profile with the target profile to identify gaps. Next, create a prioritized action plan to address this gap. Ensure you consider the mission drivers, costs, risks, and benefits. Also, determine the resources needed to cover the disparity.

Step 7: Implement Action Plan 

Now, use the action plan developed in step 7 to adjust your current practices to achieve the target profile. Remember to repeat the steps frequently to improve your cybersecurity practices.

The Role of Storware

Storware Backup and Recovery can contribute to a company’s compliance with the NIST Cybersecurity Framework in several ways, although it’s important to acknowledge it’s just one piece of the puzzle. Here are some key aspects:

  • Identify – Storware helps catalog and track data assets across various environments, supporting asset identification within the Identify Function. By classifying data based on sensitivity, Storware aids in prioritizing critical assets for protection.
  • Protect – Granular access control mechanisms within Storware restrict unauthorized access to backups, aligning with Protect Function principles. Encryption of backups at rest strengthens data confidentiality as recommended by the framework. Features like immutability can hinder ransomware attacks, contributing to data integrity.
  • Detect – Detailed audit logs within Storware track backup activities, supporting anomaly detection and incident response.
  • Respond – Storware facilitates quick restoration of data after incidents, minimizing downtime and business impact. The platform enables regular testing of backup and recovery procedures, ensuring readiness for incident response.
  • Recover – By enabling swift data recovery, Storware helps organizations restore normal operations quickly after disruptions. The ability to recover from cyberattacks and other incidents contributes to overall organizational resilience.

To Sum it Up

The NIST cybersecurity framework is a voluntary framework designed to help critical infrastructures and other businesses understand, reduce, and manage cybersecurity threats. This detailed framework is essentially made of three components and five core elements. Note that the framework is not meant to replace an organization’s existing cybersecurity program but rather to help understand and fix the gap in their system or act as a basis for creating a new security program. To create your unique cybersecurity, follow the seven steps provided by the NIST and ensure you repeat them as necessary to improve your business cybersecurity program.

text written by:

Angelika Jeżewska, CMO at Storware