NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) created the Framework for Improving Critical Infrastructure Cybersecurity (CSF) in response to Executive Order 13636 and the Cybersecurity Enhancement Act of 2014 (CEA), which called for a “prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks”1. Although written for critical infrastructure, the CSF is applicable to any organization of any size and provides guidance on protecting the confidentiality, integrity, and availability of information. The structure of the CSF includes the Core, Profiles, and Implementation Tiers. (This page describes CSF version 1.1; version 2.0, published in February 2024, adds a sixth function, Govern, to the five listed below.) The CSF CORE has four elements:
Functions. The five functions outline how to organize cybersecurity activities, at the highest level, by:
- Identifying the assets, systems, and data to be protected and the cybersecurity risks to them
- Protecting against those risks by developing and implementing safeguards
- Detecting anomalous activity in time to determine whether an incident has occurred
- Responding to detected incidents to contain their impact
- Recovering from incidents by restoring any capabilities or services that were impaired
Categories. Each function is divided into categories (groups of related outcomes). One example category per function:
- Identify -> Risk assessment
- Protect -> Identity management and access control
- Detect -> Security continuous monitoring
- Respond -> Analysis
- Recover -> Recovery planning
Subcategories. Each category is further divided into subcategories, the specific outcomes that an assessment actually checks. One example per path, with its CSF 1.1 identifier:
- Identify -> Risk assessment -> Threats, both internal and external, are identified and documented (ID.RA-3)
- Protect -> Identity management and access control -> Remote access is managed (PR.AC-3)
- Detect -> Security continuous monitoring -> Vulnerability scans are performed (DE.CM-8)
- Respond -> Analysis -> Forensics are performed (RS.AN-3)
- Recover -> Recovery planning -> Recovery plan is executed during or after a cybersecurity incident (RC.RP-1)
Informative references. Informative references map each subcategory to specific sections of existing standards, guidelines, and practices, so an organization can see which controls it already has that satisfy an outcome. Examples of sources are ISO/IEC 27001:2013 (ISO 27001), COBIT® 5 (COBIT), NIST Special Publication 800-53 Revision 4 (NIST SP 800-53), ISA 62443-2-1:2009 and ISA 62443-3-3:2013 (ISA 62443), and the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense (CSC)2. The references are illustrative, not exhaustive, and the mapped editions age: an organization assessed against a newer revision of SP 800-53 or the CIS Controls should re-check the mapping rather than assume it still holds.
The CSF does not prescribe a fixed set of controls; it instructs organizations to take only those cybersecurity measures that are appropriate to the risk, which makes it a risk-based framework. The general risk management process is:
- Identifying risks
- Determining the level of each risk in terms of impact and likelihood/frequency
- Comparing those risks to the organization’s risk appetite/tolerance
- Determining an appropriate response to the level and type of risk
Risk assessment and management methodologies may be asset-based (examining the relationships between assets, their vulnerabilities, and the threats to them) or scenario-based (examining the consequences of general events such as a ransomware outbreak or the loss of a data centre). The four risk responses, in the ISO/IEC 27005 terminology, are: avoid, modify, share, or retain (often also called avoid, mitigate, transfer, and accept).
The Framework PROFILES describe how cybersecurity outcomes are handled within the organization now (the current profile) or as an aspiration (the target profile); a profile is, in practice, the list of Core subcategories with the organization’s status against each. The organization’s business objectives, legal and regulatory obligations, and technical requirements must be clearly understood before a target profile can be set, because they determine which outcomes matter and how far each needs to be taken.
The Framework IMPLEMENTATION TIERS describe how rigorous and how well integrated an organization’s cybersecurity risk management practices are, from ad hoc to fully risk-informed:
- Tier 1: Partial
- Tier 2: Risk-informed
- Tier 3: Repeatable
- Tier 4: Adaptive
NIST is explicit that the Tiers are not maturity levels: a higher Tier is only worthwhile where it is cost-effective and reduces risk, so not every organization should aim for Tier 4.
By implementing the CSF, an existing cybersecurity program can be improved or a new one established. The framework describes a seven-step process for doing so:
- Determine business objectives, priorities, and the scope of the assessment
- Identify the assets and systems in scope, the threats to them, and applicable requirements
- Create a current profile
- Conduct a risk assessment
- Create a target profile
- Perform a gap analysis between the current and target profiles and prioritize the gaps by risk and cost
- Implement the action plan, then repeat the cycle as risks and the business change
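The gap analysis step and the risk-rating step above are usually done in a spreadsheet, but the logic is simple enough to show in code. The following is an added example written for this page, not NIST's own code or tooling: it records each subcategory's tier in the current and target profiles, rates its risk as impact times likelihood, compares that rating against a stated tolerance, and produces a prioritized action list. The subcategory IDs are real CSF 1.1 identifiers; the tier assignments, the impact and likelihood scores, the tolerance value, and the "raise target" action are constructed sample data and assumptions for illustration.

```python
"""Added example: Current vs Target Profile gap analysis with risk-based
prioritization. Illustrative code, not part of the NIST CSF or any NIST tool.
Subcategory IDs are real CSF 1.1 identifiers; all scores, tier assignments and
the tolerance threshold are constructed sample data."""
from dataclasses import dataclass

# Implementation Tiers used as an ordinal 1..4 scale for the two profiles.
TIERS = {"Partial": 1, "Risk-informed": 2, "Repeatable": 3, "Adaptive": 4}


@dataclass(frozen=True)
class Outcome:
    subcategory: str   # CSF subcategory ID, e.g. "PR.AC-3"
    description: str
    current: str       # tier recorded in the Current Profile
    target: str        # tier required by the Target Profile
    impact: int        # 1 (negligible) .. 5 (severe) if this outcome fails
    likelihood: int    # 1 (rare) .. 5 (frequent)


def risk_score(o: Outcome) -> int:
    """Semi-quantitative rating: impact x likelihood on a 1..25 scale."""
    return o.impact * o.likelihood


def profile_gap(o: Outcome) -> int:
    """Tier steps between Current and Target Profile (negative: already beyond target)."""
    return TIERS[o.target] - TIERS[o.current]


def gap_analysis(outcomes, tolerance):
    """Return the action items for the action plan, one per outcome that either
    has a profile gap or whose risk rating exceeds the stated tolerance.

    Items are ordered by risk score and then by gap size, so the biggest risks
    are worked first regardless of how many tier steps they need. An outcome
    that already meets its target but still exceeds tolerance is flagged
    'raise target' (an assumption of this example): the Target Profile itself
    was set too low for that risk. Outcomes within tolerance with no gap are
    retained as-is and omitted."""
    items = []
    for o in outcomes:
        gap = profile_gap(o)
        score = risk_score(o)
        above_tolerance = score > tolerance
        if gap <= 0 and not above_tolerance:
            continue  # retain: target met and risk accepted
        action = "modify" if gap > 0 else "raise target"
        items.append({
            "subcategory": o.subcategory,
            "gap": gap,
            "score": score,
            "above_tolerance": above_tolerance,
            "action": action,
        })
    items.sort(key=lambda i: (-i["score"], -i["gap"]))
    return items


# Constructed sample: the five subcategories used as examples on this page.
SAMPLE = [
    Outcome("ID.RA-3", "Threats, both internal and external, are identified and documented",
            "Partial", "Repeatable", impact=3, likelihood=3),
    Outcome("PR.AC-3", "Remote access is managed",
            "Risk-informed", "Adaptive", impact=5, likelihood=4),
    Outcome("DE.CM-8", "Vulnerability scans are performed",
            "Repeatable", "Repeatable", impact=4, likelihood=4),
    Outcome("RS.AN-3", "Forensics are performed",
            "Partial", "Risk-informed", impact=3, likelihood=2),
    Outcome("RC.RP-1", "Recovery plan is executed during or after a cybersecurity incident",
            "Repeatable", "Repeatable", impact=4, likelihood=2),
]
TOLERANCE = 12  # constructed: highest score the organization will retain without action

if __name__ == "__main__":
    for item in gap_analysis(SAMPLE, TOLERANCE):
        print(f"{item['subcategory']:8} score={item['score']:2} gap={item['gap']} "
              f"-> {item['action']}")
```

With the sample data, PR.AC-3 comes first (score 20, two tier steps short of target), DE.CM-8 second (no gap, but a score of 16 exceeds the tolerance of 12, so the target itself must be revisited), then ID.RA-3 and RS.AN-3; RC.RP-1 meets its target within tolerance and is retained. Only the retain and modify responses are decided automatically here; avoid and share depend on business options the data does not capture and are left to the review of the resulting list.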
1 NIST, 2021, “Cybersecurity Framework”
2 Calder, 2018, “NIST Cybersecurity Framework: A Pocket Guide”