The NIST Cybersecurity Framework


The NIST (National Institute of Standards and Technology) Cybersecurity Framework, often shortened to the "NIST CSF," is, as its full name suggests, intended to help protect critical infrastructure such as power plants and dams from cyber attack. The NIST CSF is widely recognized as a resource for improving security operations and governance in both public and private organizations, and it is a terrific guideline for moving an organization's security posture and risk management from a reactive to a proactive approach.



Figure: NIST CSF.jpg (the five Functions of the Framework Core)

The NIST CSF is organized into five core Functions, collectively known as the Framework Core. The Functions are meant to be performed concurrently and continuously, together representing a security lifecycle rather than a one-time sequence. Each Function is essential to a well-operating security posture and to successful management of cybersecurity risk. The Functions are defined as follows:

  • Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

  • Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

  • Detect: Develop and implement the appropriate activities to identify the occurrence of a security event.

  • Respond: Develop and implement the appropriate activities when facing a detected security event.

  • Recover: Develop and implement the appropriate activities for resilience and to restore any capabilities or services that were impaired due to a security event.


Across the Functions shown in the Figure above, there are twenty-one categories and over a hundred subcategories. Each subcategory states a specific outcome within its category and maps to informative references in other frameworks and standards such as COBIT, ISO, ISA, and others.




Figure: NIST CSF Example.jpg (example of categories and subcategories under a Function)

Tiers
The NIST CSF Tiers represent the organization's maturity in addressing cybersecurity risk and the processes in place to mitigate risks. This helps provide organizations a benchmark on how their current operations compare to their desired state of cybersecurity risk management maturity.

  • Tier 1 – Partial: The organization's cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. There is also limited awareness of cybersecurity risk across the organization.

  • Tier 2 – Risk-Informed: An organization-wide policy for security risk management has not yet been formalized. Management's awareness of risk has increased, and the organization handles cybersecurity risk management based on risks as they arise.

  • Tier 3 – Repeatable: A formal, organization-wide risk management process is followed and is backed by a defined security policy.

  • Tier 4 – Adaptive: An organization at this stage adapts its cybersecurity policies based on lessons learned and uses analytics to derive insights and best practices. The organization continually learns from the security events that occur within it and shares that information with a larger network.