Introduction to the NIST Cybersecurity Framework
Cybersecurity Frameworks Series, part 2
This is the second in my series on cybersecurity frameworks. Today, I’ll be giving an overview of the National Institute of Standards Cybersecurity Framework (NIST CSF) – the history and background behind the CSF, the main functions of the CSF, the benefits, the downsides, and some flavor of what it takes to implement.
Now, if you asked me to name all the cybersecurity frameworks in existence, the National Institute of Standards Cybersecurity Framework (NIST CSF) may be first that comes to mind, but it was not the first cybersecurity framework created – not even close. ISO27001 (which will be featured in a future deep dive) has been around much longer, and the United States Government developed standards for Department of Defense and NASA in the 1980s. It does seem however, that the NIST CSF has done quite a bit to raise awareness and adoption of cybersecurity frameworks.
What is the NIST Cybersecurity Framework (CSF)?
The NIST CSF was developed in 2013 as a result of Executive Order 13636, the purpose of which was to reduce the risks to the nation’s critical infrastructure. NIST defines critical infrastructure as follows: “System and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”1 The NIST CSF is voluntary as NIST does not create regulations and does not enforce the CSF requirements.
However, the CSF has gained wide adoption outside of critical infrastructure, and today it is the most common framework I see implemented by clients. Further, unless there is a specific reason (usually regulatory requirements) to select another framework, the NIST CSF is the one I recommend for its relative simplicity and common language.
Overview of the Functions
With the recent release of NIST CSF 2.0 there are now six main functions of the CSF:
GOVERN
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER
There had previously been five functions. The new function is GOVERN, but it is largely made up of sub-functions that already existed in other functions.
Implementation Tiers
The CSF you may or may not know uses implementation tiers to score the level at which the organization’s security operates (for functions and sub-functions of the NIST CSF). There are four implementation tiers:
Tier 1: Partial
Tier 2: Risk Informed
Tier 3: Repeatable
Tier 4: Adaptive
Benefits of the NIST CSF
Some benefits to implementing the CSF include:
Common language for communicating cybersecurity issues and remediation.
Flexible approach that can be tailored to your organization’s needs (though if you are implementing, it may not always feel flexible).
Simple transition to other frameworks. A less often stated benefit is that it’s not a difficult transition to other frameworks, or even add a framework should you ever need to (at the request of a customer, perhaps). For example, if you need to go from the CSF to ISO27001 or CMMC, it might be a little bit more than a tweak, but it’s not like starting over.
Better positioning for litigation that may come from a breach if you have one. It will be clear that you acted in a reasonable—rather than negligent—manner.
A balance of flexibility and thoroughness that provides adequate guidance both to implement the operating day-to-day and technology configurations and to represent cybersecurity status to leadership clearly.
Drawbacks to the NIST CSF
There are two main drawbacks I want to highlight. The first is a common knock on the CSF, namely that there is no certification process to formally attest to an organization’s compliance to the CSF. After doing all the work and going through the steps of implementing the CSF, it would be nice to have an independent certification that you can give customers and prospects for marketing purposes.
The second drawback I see is more of an opinion. Although the CSF is a solid framework that works well for most organizations, the threat environment for critical infrastructure has escalated to another level. Critical infrastructure is being targeted continually by well-organized and often state-funded bad actors. Is the CSF “next level”? I don’t think so, and I know some cybersecurity thought leaders who agree.
Implementing the NIST CSF
One of the most common questions I’ve gotten about the CSF is “how long does it take to implement?”. As much as I hate giving an “it depends” answer, it does. It depends on:
How mature your organization is today. E.g. are you currently following any frameworks? Do you conduct regular reviews or tests?
How large and complex your organization and your IT environment are. E.g. How big is your IP block? What tools do you use, and how many?
How committed senior management is. E.g. how well will you be supported? Do you have enough resources in house? Can add external resources if needed?
If pressed for an answer, I’ll say that it usually takes 12 – 18 months. However, it will never get done if you don’t start; it will never get done if you don’t have organizational support at high levels.
Some recommendations for implementing the CSF:
Use outside resources in an advisory capacity at a minimum unless you have internal resources that have done this before.
Treat this as an enterprise project following project management disciplines including resource planning, establishing milestones, and tracking progress. You will need at least a few resources from across the organization, including HR and Legal, but ideally the COO or equivalent who understands the organization and can provide support for the initiative.
Leverage your team. Somebody who is good at writing technical documentation and procedures is a huge plus.
Provide for transitions from project state to steady state. Most of what you’ll be putting in place will not be once and done. It will be rinse and repeat. Assign resources and responsibility for steady state functions and tasks.
In the next post, we’ll be looking at what’s new in the NIST CSF 2.0, released in February of this year.
Footnotes
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
Previous Blog:
Cybersecurity Frameworks Series part 1, So Many Frameworks
Next Blog:
Cybersecurity Frameworks Series part 3, NIST Cybersecurity Framework 2.0: What’s New?