<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

NIST Cybersecurity Framework, implement

How to Implement the NIST Cybersecurity Framework

down-arrow

The National Institutes of Standard and Technology’s Framework for Improving Critical Infrastructure Cybersecurity - later dubbed the NIST Cybersecurity Framework (CSF) - is regarded as the gold-standard framework profile on which to build your cybersecurity program. Designed to facilitate conversations around cybersecurity risk management between cybersecurity professionals and stakeholders across both public and private-sector organizations, the NIST CSF, when coupled with the NIST Risk Management Framework (RMF), is a powerful tool. The RMF is a process-based framework practically applied using multiple more directly practical special publications from NIST and SP 800-30 is one of them. While the NIST CSF is the gold standard for cybersecurity management, being the most comprehensive and flexible, it is also one of the most challenging to implement. In his most recent webinar, CyberSaint Chief Product Officer Padraic O’Reilly discusses the connections between the CSF, RMF, and new Privacy Framework - on our official website. Here we’ll dive into how to use the RMF, SP 800-30, and steps to implement this cyber security framework.

What is NIST SP 800-30

According to NIST: The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations…

SP 800-30 gives risk management teams the ability to examine risk through the lenses necessary to relay that risk back to business leaders: threat type, business impact, and financial impact. Relaying these identified risks in this format helps bridge the gap between cybersecurity events and business leaders - as information security becomes an increasing concern at the CEO and Board level, using the same terminology is paramount. SP 800-30 helps technical leaders put cyber risks into a business context.

Using a NIST Risk Assessment to Implement the NIST Cybersecurity Framework

The NIST RMF is predicated on actively conducting assessments for risk-informed control implementation, making SP 800-30 critical to both NIST’s framework for risk management and cybersecurity management. The CSF is driven by outcomes and maps onto specific security controls - overall, though for strategic planning, the NIST CSF needs a risk assessment to inform where to begin. While O'Reilly sees any framework for risk quantification as a step in the right direction (from a three-by-three matrix through to 800-30 and the FAIR model) he believes that it comes down to how much value the outcomes are to the other members of your organization.

The NIST CSF relies on three main tenets of the Framework for implementation: Profiles, Implementation Tiers, and implementing the Framework Core functions (Identify, Protect, Detect, Respond, Recover). Starting with a risk assessment allows your organization to baseline and integrate that into a baseline CSF Profile. From there, determining your implementation tier level (current and desired) helps contextualize your organization’s current posture further. Finally, the Framework Core will guide where you need to invest resources based on gaps in your security program and perform continuous monitoring. 

A NIST SP 800-30 risk assessment specifically is of value since it rolls up well into the CSF, given that they were developed by the same organization. While the CSF is flexible enough to use any risk assessment framework, O'Reilly recommends SP 800-30 for established infosec programs and uses a combination of 800-30 and the FAIR model in the CyberStrong platform.

Tools for Conducting An SP 800-30 Risk Assessment

Implementing both the NIST RMF and CSF relies on a baseline security risk assessment - both frameworks are designed to be as valuable as fast as possible. Baselining with a risk assessment informs where organizations should start when implementing the NIST CSF and the RMF. Although, this integrated approach can be stifled by the tools organizations use to support their teams, using spreadsheets with these two gold standards is insufficient. Integrated risk management tools like the CyberStrong platform help organizations integrate the risk and security assessments into one platform - helping security leaders understand how these two pieces fit together.

For more information on how to implement the NIST CSF, contact us

You may also like

Leveraging Cyber Risk Dashboard ...
on March 20, 2023

Cybersecurity risks have a far-reaching impact. As we’ve come to know, the effect of cyber has grown far beyond information systems and can render a company obsolete. The data and ...

Private Equity Firms are Embracing ...
on March 15, 2023

Private Equity firms pride themselves on implementing best practices in every functional area within their portfolio companies. Cyber Risk Management is emerging as a core ...

How to Use Cyber Risk Analysis to ...
on February 28, 2023

Cyber risk management has become more challenging to manage and monitor as the cybersecurity landscape has developed and digitized. Numerous endpoints, regulatory changes, cloud ...

The Top 10 Cybersecurity Dashboard ...
on February 23, 2023

As cybersecurity continues to become a more significant focus for organizations, other C-suite leaders must get up to speed on cyber risks and their impact on the organization's ...

Leveraging CISO Dashboard Metrics ...
on February 21, 2023

As a Chief Information Security Officer (CISO), it is essential to clearly understand your organization’s cybersecurity posture and how to improve it continuously. One way to do ...

The Importance of Monitoring Cyber ...
on February 14, 2023

Cybersecurity has become a critical concern for businesses and organizations in today’s digital age. With the increasing number of cyber threats and attacks, monitoring ...