How to Get Started with the NIST Cybersecurity Framework
Cybersecurity is a growing concern for businesses everywhere as cyber criminals become increasingly agile. Businesses are not only at risk for cyber-attacks, but also for data overexposure and leak risks from employees, vendors, and partners. In fact, half of organizations admit their people are their biggest weakness when it comes to cybersecurity. These security weaknesses can cause major problems for businesses in any industry, from difficulties qualifying for cyber security insurance to suffering breaches that hurt the bottom line. The best way to protect against cybersecurity issues is to build and enforce a robust cybersecurity plan tailored to the specifics of the business. And the National Institute of Standards and Technology (NIST) out of the U.S. Department of Commerce has an extremely accessible cybersecurity framework, often referred to as the NIST CSF, that any business can use at any stage of their cybersecurity journey to create this kind of specialized security plan.
Find Out How to Build a More Secure Business with the NIST CSF:
What Is NIST CSF?
NIST CSF consists of security standards and best practices. The framework was introduced in 2013 and was intended for critical infrastructure in the US, which includes utilities supplying energy and water as well as sectors covering transportation, financial services, communications, healthcare and public health, food and agriculture, chemical and other facilities, dams, key manufacturers, emergency services and several others. While use of the framework is mandatory for U.S. federal government agencies, it’s optional for everyone else. The intention behind the framework was to bolster national security, but its use extends far beyond critical infrastructure. Many businesses have benefited from utilizing the framework, and we often recommend NIST CSF for businesses that are actively developing a cybersecurity program, or don’t currently have a solid framework in place. Because it’s voluntary and highly customizable, NIST CSF is scalable, and ultimately workable within the budgetary and labor restraints of all industries.
How the NIST CSF Is Structured:
The framework has three main components: Core, Implementation Tiers, and Framework Profile. These components work together to help an organization develop a specialized cybersecurity policy that’s in line with industry best practices. The core is essentially a list of cybersecurity goals in common language that an organization can apply across departments. There are five sections, or “functions,” within the core that guide these goals:
- Asset Management
- Business Environment
- Risk Assessment
- Risk Management Strategy
- Supply Chain Risk Management
- Identify Management and Access Control
- Awareness and Training
- Data Security
- Information Protection Process & Procedures
- Protective Technology
- Anomalies and Events
- Security Continuous Monitoring
- Detection Processes
- Response Planning
- Recovery Planning
These functions describe actions an organization can take in each “step” of the security process. For example, the “identify” function for a business could include the following objective: “Identify a Supply Chain Risk Management strategy including priorities, constraints, risk tolerances, and assumptions used to support risk decisions.” Meanwhile, the “respond” function could include something like, “Conduct analysis to ensure effective response and support recovery activities.”
The implementation tiers are meant to guide conversations about developing a cybersecurity program within an organization. The tiers help organizations think about the necessary rigor they will need in their programs, what can be realistically achieved with a given budget and timeframe, and further considerations about how to set and implement useful cybersecurity goals.
Framework profiles are where everything comes together. NIST describes the profiles as an “organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core.” A profile helps organizations prioritize their goals and stay aligned to the plans set in the core and implementation tiers. NIST provides many example profiles, such as “Company B does not have any documented, or consistently verbalized, privacy values.” The complementary target profile would then be something like, “Policies, processes, and procedures have been created, vetted, and implemented to promulgate privacy values throughout the entirety of Company B.”
Why Your Business Should Use the NIST CSF:
Cybersecurity is no joke— according to IBM’s Cost of a Data Breach Report, “Data breach average cost increased 2.6% from USD 4.24 million in 2021 to USD 4.35 million in 2022.” And this isn’t a new phenomenon—instances of cyber-attacks have been on the rise for years. If you don’t have a cybersecurity plan in place, you’re a lot more likely to be a part of that statistic next year than businesses who follow a security program. Even if you do have a plan, the technological ecosystem is ever-changing, and cybersecurity should be an ongoing focus. The remarkable thing about the NIST CSF is that it can supplement any existing security plan for any industry, as well as provide a foundation for a new plan, as it was designed for broad adoption. Here are just a few potential business benefits of the NIST CSF:
- Improved communication across departments
- Better articulation of privacy practices in both privacy policies and training programs
- Proactive, coordinated responses to security events resulting in minimal downtime and losses
- Documentation of all cybersecurity policies and procedures will be available in case an auditor from a regulatory agency or assessor from insurance company comes knocking; by routinely applying and adapting the framework based on lessons learned, you can be sure you’re up to date on industry best-practices
A helpful case study came out of NIST CSF application by multinational technology company Intel. Intel decided to utilize the NIST Cybersecurity Framework and achieved the following results with a cost of under 175 full-time employee hours:
- Improved visibility of risk landscape based on organizational trends and groupings
- Improved alignment to common risk management methodology and language across internal stakeholder communities
- Developed tools for reuse such as a risk scoring worksheet, a heat map, customized tier definitions, and training materials for assessors and facilitators
- Found value in dialogue around implementation which provided improved cross-team alignment and more insight into what areas needed more detailed assessment
Intel isn’t the only organization that’s found success with the NIST CSF. The University of Kansas Medical Center developed a crosswalk to the NIST Cybersecurity Framework from the Baldridge Cybersecurity Initiative (BCEB), using CSF standards as a complementary resource for cybersecurity. A “crosswalk” is a term used to describe the overlap of multiple cybersecurity frameworks, which brings up a previously mentioned, excellent feature of the NIST CSF: compatibility with other compliance frameworks. Because it’s scalable, and because it utilizes industry-specific best practices, NIST CSF works well as a supplemental framework in industries whose data privacy is already regulated (such as healthcare). Other success stories include nonprofit cybersecurity organization, ISACA, benefitted from the coherent security policies they were able to develop and enact across their international organization.
How to Get Started with the NIST CSF:
The versatility of the NIST framework is made possible by industry-specific frameworks, such as Manufacturing, Supply Chain, Power Grid, and more! These frameworks take into account the workforce type, work conditions, locations, risks, and other security-related factors of these specific industries. For example, in manufacturing, it’s important to account for physical risks alongside data risks, whereas in the financial sector, most of the risk lies in data management.
For a manufacturing company, a target profile might sound something like, “Limit external connections to the manufacturing system. Monitor and use managed interfaces to conduct external system connections. Deny by default connections to the managed interface. Disable split tunneling and covert channel options in conjunction with remote devices. Ensure the manufacturing system fails securely in the event of the operational failure of a boundary protection device.” For a financial institution, you’re more likely to see a target profile that says, “Most ransomware attacks are conducted through network connections, and ransomware attacks often start with credential compromise (e.g., unauthorized sharing or capture of login identity and password). Proper credential management is essential, although not the only mitigation needed.”
All said, the way a business should use the NIST CSF is highly dependent on the specific context of that organization. Luckily, NIST offers several self-assessment and auditing tools to get organizations started. They also developed a kind of “quick start” implementation model called, Ready, Set, Go. You’d use the Identify-P and Govern-P Functions to get “ready.” You’d then “set” an action plan based on the differences between Current and Target Profile(s). Finally, “go” forward with implementing the action plan.
"Ready, Set, Go" may sound simple, but each phase requires input from all departments in the organization from all levels, as well as expertise surrounding IT systems, software, and data management. For some businesses, an in-house IT department will be able to build out a cybersecurity program in a few months, depending on project workflow. For many others, building out a robust policy will be a larger undertaking. When considering the steps you’ll need to take to get a cybersecurity program up and running, you may find that outsourcing the project to an IT service provider is the most cost-effective way to achieve your goals in a timely manner. IT partners like iCorps will provide experience with the framework, expertise across several industries thanks to constant exposure in the field, and the manpower needed to create and enact a cybersecurity plan that works for your business. Reach out for a free consultation today!