This is the second in my series on cybersecurity frameworks. Today, I’ll be giving an overview of the National Institute of Standards Cybersecurity Framework (NIST CSF) – the history and background behind the CSF, the main functions of the CSF, the benefits, the downsides, and some flavor of what it takes to implement.
Now, if you asked me to name all the cybersecurity frameworks in existence, the National Institute of Standards Cybersecurity Framework (NIST CSF) may be first that comes to mind, but it was not the first cybersecurity framework created – not even close. ISO27001 (which will be featured in a future deep dive) has been around much longer, and the United States Government developed standards for Department of Defense and NASA in the 1980s. It does seem however, that the NIST CSF has done quite a bit to raise awareness and adoption of cybersecurity frameworks.
The NIST CSF was developed in 2013 as a result of Executive Order 13636, the purpose of which was to reduce the risks to the nation’s critical infrastructure. NIST defines critical infrastructure as follows: “System and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”1 The NIST CSF is voluntary as NIST does not create regulations and does not enforce the CSF requirements.
However, the CSF has gained wide adoption outside of critical infrastructure, and today it is the most common framework I see implemented by clients. Further, unless there is a specific reason (usually regulatory requirements) to select another framework, the NIST CSF is the one I recommend for its relative simplicity and common language.
With the recent release of NIST CSF 2.0 there are now six main functions of the CSF:
There had previously been five functions. The new function is GOVERN, but it is largely made up of sub-functions that already existed in other functions.
The CSF you may or may not know uses implementation tiers to score the level at which the organization’s security operates (for functions and sub-functions of the NIST CSF). There are four implementation tiers:
Tier 1: Partial
Tier 2: Risk Informed
Tier 3: Repeatable
Tier 4: Adaptive
Some benefits to implementing the CSF include:
There are two main drawbacks I want to highlight. The first is a common knock on the CSF, namely that there is no certification process to formally attest to an organization’s compliance to the CSF. After doing all the work and going through the steps of implementing the CSF, it would be nice to have an independent certification that you can give customers and prospects for marketing purposes.
The second drawback I see is more of an opinion. Although the CSF is a solid framework that works well for most organizations, the threat environment for critical infrastructure has escalated to another level. Critical infrastructure is being targeted continually by well-organized and often state-funded bad actors. Is the CSF “next level”? I don’t think so, and I know some cybersecurity thought leaders who agree.
One of the most common questions I’ve gotten about the CSF is “how long does it take to implement?”. As much as I hate giving an “it depends” answer, it does. It depends on:
If pressed for an answer, I’ll say that it usually takes 12 – 18 months. However, it will never get done if you don’t start; it will never get done if you don’t have organizational support at high levels.
In the next post, we’ll be looking at what’s new in the NIST CSF 2.0, released in February of this year.