How to Implement the NIST Cybersecurity Framework

One effective way to reduce your organization’s cybersecurity risk is to adopt the NIST Cybersecurity Framework. NIST, the National Institute of Standards and Technology, is a unit of the U.S. Commerce Department that promotes and maintains measurement standards. The NIST Framework gives you and your colleagues a shared vocabulary and structure as you work to minimize cybersecurity risk throughout your organization.

An In-Depth Guide to the National Institute of Standards and Technology (NIST) Framework

What Is the NIST Framework?

The NIST Framework was established in 2013 to support organizations that operate critical IT infrastructure. Companies in the private sector were quick to adopt it as a way to improve their own cybersecurity posture. The Framework has three main components: the Core, Implementation Tiers, and Profiles. The Core describes desired cybersecurity activities and outcomes that can complement your company's existing cybersecurity work. It is organized into functions, categories, and subcategories that cover the breadth of cybersecurity objectives for any organization. The five high-level functions are Identify, Protect, Detect, Respond, and Recover.

[DIAGRAM] NIST Core Functions

The strength of these functions, categories, and subcategories is that they are outcome-driven and can be tailored to meet specific company needs. After the Core come the Implementation Tiers. These describe the degree to which your organization’s risk management practices exhibit the characteristics defined in the NIST Framework. There are four tiers: Partial, Risk Informed, Repeatable, and Adaptive. They describe how cybersecurity risk decisions are integrated with overall risk decisions in your organization, and they help you characterize how your organization shares cybersecurity information with, and receives it from, third parties.

[DIAGRAM] NIST Cybersecurity Tiers

Finally, the NIST Framework contains Profiles. Any organization can use these to identify opportunities to improve its cybersecurity posture. A “Current” Profile is a snapshot of the organization’s present requirements and objectives, risk appetite, and resources, expressed in terms of the Core outcomes. By comparing it against a “Target” Profile, the organization gets a clear picture of the gaps it needs to close to reduce its cybersecurity risk.

[DIAGRAM] NIST Responsibilities by Role

Ultimately, the NIST Framework is important for several reasons. It provides a uniform set of guidelines and principles that all companies can use to improve their cybersecurity efforts. Instead of piecing together a patchwork of solutions, the Framework makes it much easier for you to design a customized and comprehensive cybersecurity strategy. It is stringent enough that you will address a significant share of your cybersecurity risk, yet flexible enough that you can manage that risk in the most efficient way for your organization.

How to Implement the NIST Framework

The NIST Framework can also help address a variety of cybersecurity issues within your organization, and it can go a long way toward convincing your organization to implement the risk management procedures that minimize cybersecurity risk. You and your colleagues will need to determine how the NIST Framework can best suit your organization’s cybersecurity needs. Here are several considerations:

  1. Ensure all key stakeholders are on board. Educate key stakeholders on the benefits of the NIST Framework, how it can reduce your organization’s cybersecurity risk, and the plan to actually achieve these benefits.

  2. Next, agree on how you will measure the effectiveness of the implementation. According to NIST, overall effectiveness depends on your organization’s goals and on how it chooses to use the Framework. You may want to develop quantitative metrics to measure effectiveness, but NIST does not prescribe any specific ones.

  3. Finally, stay committed. It can be tempting to move on from the NIST Framework if you aren’t quickly seeing the expected results. By staying the course and continuing to measure your progress, you will see positive results.
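The Profile comparison described earlier and the measurement question in step 2 can both be made concrete with a small gap-analysis script. The following is an added example, not code from the original article or from NIST: it records a Current Profile and a Target Profile as ratings of a handful of real CSF 1.1 subcategories on the four-step Tier scale, lists the gaps largest-first, and reports a simple coverage metric. Rating each subcategory on the Tier scale is a common practice rather than something the Framework mandates (the Framework applies Tiers to the organization as a whole), and the ratings below are constructed sample data.

```python
"""NIST CSF Profile gap analysis (added example; not the article's or NIST's code)."""
from dataclasses import dataclass

# The four Implementation Tiers, lowest to highest, mapped to numeric levels 1..4.
TIERS = ["Partial", "Risk Informed", "Repeatable", "Adaptive"]
TIER_LEVEL = {name: level for level, name in enumerate(TIERS, start=1)}

# The five Core Functions, keyed by the prefix used in subcategory ids.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Real CSF 1.1 subcategory ids with abbreviated outcome statements.
SUBCATEGORY_TEXT = {
    "ID.AM-1": "Physical devices and systems are inventoried",
    "ID.AM-2": "Software platforms and applications are inventoried",
    "PR.AC-1": "Identities and credentials are managed for authorized users",
    "PR.DS-1": "Data-at-rest is protected",
    "DE.CM-1": "The network is monitored to detect potential cybersecurity events",
    "RS.RP-1": "Response plan is executed during or after an incident",
    "RC.RP-1": "Recovery plan is executed during or after an incident",
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: str
    target: str
    steps: int  # tier steps between current and target rating


def function_of(subcategory: str) -> str:
    """Map a subcategory id such as 'PR.AC-1' to its Core Function name."""
    return FUNCTIONS[subcategory.split(".")[0]]


def profile_gaps(current: dict, target: dict) -> list:
    """Compare a Current Profile against a Target Profile.

    Returns the subcategories that fall short of target, largest gap first.
    A subcategory missing from the Current Profile is treated as 'Partial',
    the lowest tier, so an unrated outcome is never silently counted as met.
    """
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, "Partial")
        steps = TIER_LEVEL[tgt] - TIER_LEVEL[cur]
        if steps > 0:
            gaps.append(Gap(sub, function_of(sub), cur, tgt, steps))
    return sorted(gaps, key=lambda g: (-g.steps, g.subcategory))


def target_coverage(current: dict, target: dict) -> float:
    """Fraction of Target Profile subcategories already at or above target tier.

    A single number that can be tracked over time as the metric step 2 asks for.
    """
    met = sum(1 for sub, tgt in target.items()
              if TIER_LEVEL[current.get(sub, "Partial")] >= TIER_LEVEL[tgt])
    return met / len(target)


# Constructed sample profiles (illustrative ratings, not a real assessment).
CURRENT_PROFILE = {
    "ID.AM-1": "Repeatable", "ID.AM-2": "Risk Informed",
    "PR.AC-1": "Risk Informed", "PR.DS-1": "Partial",
    "DE.CM-1": "Partial", "RS.RP-1": "Risk Informed",
    "RC.RP-1": "Repeatable",
}
TARGET_PROFILE = {
    "ID.AM-1": "Repeatable", "ID.AM-2": "Repeatable",
    "PR.AC-1": "Adaptive", "PR.DS-1": "Repeatable",
    "DE.CM-1": "Repeatable", "RS.RP-1": "Repeatable",
    "RC.RP-1": "Repeatable",
}

if __name__ == "__main__":
    print(f"Target coverage: {target_coverage(CURRENT_PROFILE, TARGET_PROFILE):.0%}")
    for g in profile_gaps(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{g.subcategory} [{g.function}] {g.current} -> {g.target} "
              f"(+{g.steps}): {SUBCATEGORY_TEXT[g.subcategory]}")
```

Run as a script, the block prints the coverage figure followed by the prioritized gap list; re-running it after each assessment cycle with updated Current Profile ratings gives the trend line that step 2 asks you to agree on before implementation begins.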

For more information about NIST and other security frameworks, reach out to iCorps for a free IT consultation

