
Your NIST Cybersecurity Framework Assessment Tool - What to Look For


The National Institute of Standards and Technology (NIST) developed the Framework for Improving Critical Infrastructure Cybersecurity, later dubbed the NIST Cybersecurity Framework (CSF), under a 2013 presidential executive order to help operators of critical infrastructure monitor and remediate cybersecurity risk. Use of the Framework has since expanded well beyond that remit and has been adopted by businesses of all sizes across the spectrum of industries. As voluntary guidance, the CSF is meant to be customized to fit the organization and, as a result, does not have controls baked into it the way other standards do. Instead, the CSF helps security practitioners open a dialogue with stakeholders across the organization about the need for cybersecurity and for investment in securing the business. Using the five Functions of the Framework Core (Identify, Protect, Detect, Respond, and Recover), technical and non-technical stakeholders can understand where the strengths and weaknesses of their organization's cybersecurity lie and where to invest time and effort. Implementation of the Cybersecurity Framework begins with a benchmarking assessment, which for most organizations merits an assessment tool.

Now that you’ve decided to work with the CSF, selecting the right tool to implement it is critical.


Critical Capabilities of a NIST Cybersecurity Framework Assessment Tool

Any CSF assessment tool must be built on the Framework itself, using its three main elements as guidance:

  • Framework Profiles: how the solution enables your team to build and compare Framework Profiles.
  • Implementation Tiers: how it helps you articulate your Implementation Tier.
  • Framework Core: how clearly the solution illustrates your strengths and weaknesses in the context of the Five Functions.

Profile Building

A Cybersecurity Framework Assessment tool should employ the NIST CSF Categories and Subcategories, allowing you and your organization to prioritize which are most important based on risk assessment and business drivers. From the Categories and Subcategories assessed, you will need to be able to build out a Current State and Target State profile.

In the case of CyberStrong, the platform automatically generates a Current State and Target State profile as your team completes an assessment. These visualizations are valuable not only for your team to understand where it needs to invest its time, but also as something to bring to executive leadership to contextualize where financial investment needs to be made.


Implementation Tiers

NIST stresses in the Framework documentation that the Implementation Tiers are not a maturity model. Rather, the Tiers describe how an organization approaches cyber risk management, and they help bridge the gap between technical and business-side stakeholders. In assessment tools, the Implementation Tiers can take multiple forms.


CyberStrong uses the Implementation Tiers in control scoring and rolls that data up to the reporting level for directors, the CEO, and the Board. This transparency lets contributors and stakeholders see the Tiers at every level of granularity: the individual control, the assessment, the asset, and the organization as a whole.

The Five Functions

The Five Functions are the best-known element of the NIST CSF. Another lens through which to assess cybersecurity and risk, the Five Functions (Identify, Protect, Detect, Respond, and Recover) let stakeholders place their organization's strengths and weaknesses into five high-level buckets.

The CyberStrong platform automatically generates gap-analysis graphs organized by the Five Functions, and these appear in every assessment regardless of framework, including assessments that do not use the NIST CSF. Keeping the Five Functions within arm's reach in every assessment makes them a common thread that ties all assessments and assets together.
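To make the mechanics of the Profile Building and Five Functions sections concrete, here is an added example (not CyberStrong's code or any NIST artifact) that takes a subcategory-level assessment scored on the 1..4 Implementation Tier scale, builds Current State and Target State profiles, rolls the results up by Function into a weighted gap analysis, and produces a prioritized investment list. The subcategory identifiers are genuine CSF 1.1 IDs, but the scores and weights are constructed sample data, and the `weight` column, the tier-based scoring and the roll-up formula are assumptions for illustration rather than anything the Framework prescribes.

```python
"""Current/Target profile building and Five-Function gap roll-up for a NIST
CSF subcategory assessment. Added illustration, not CyberStrong's code."""
from collections import defaultdict
import re

# The Five Functions of the Framework Core, keyed by the prefix that CSF
# subcategory identifiers carry (e.g. "ID.AM-1" belongs to Identify).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Framework Implementation Tiers. NIST stresses these are not a maturity model;
# here they are simply the 1..4 scale each subcategory is scored on (an
# assumption of this example, not something the CSF mandates).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

SUBCATEGORY_ID = re.compile(r"^(ID|PR|DE|RS|RC)\.[A-Z]{2}-\d+$")

# Constructed sample assessment (hypothetical scores, not real data). The IDs
# are genuine CSF 1.1 subcategories; "weight" is the risk-based priority the
# organization assigns, so a high-weight gap outranks an equal low-weight one.
SAMPLE_ASSESSMENT = [
    # (subcategory, current tier, target tier, weight)
    ("ID.AM-1", 3, 3, 1.0),  # physical devices and systems inventoried
    ("ID.RA-1", 2, 3, 1.0),  # asset vulnerabilities identified and documented
    ("PR.AC-1", 2, 4, 2.0),  # identities and credentials managed
    ("PR.DS-1", 1, 3, 1.5),  # data-at-rest protected
    ("DE.CM-1", 1, 3, 2.0),  # network monitored to detect potential events
    ("DE.AE-2", 2, 3, 1.0),  # detected events analyzed
    ("RS.RP-1", 2, 2, 1.0),  # response plan executed during or after incident
    ("RC.RP-1", 1, 3, 1.0),  # recovery plan executed during or after incident
]


def function_of(subcategory):
    """Map a subcategory ID to its Function name; reject malformed IDs."""
    if not SUBCATEGORY_ID.match(subcategory):
        raise ValueError(f"not a CSF subcategory identifier: {subcategory!r}")
    return FUNCTIONS[subcategory.split(".")[0]]


def build_profiles(assessment):
    """Return (current, target) profiles: subcategory -> Implementation Tier."""
    current, target = {}, {}
    for subcategory, cur, tgt, weight in assessment:
        function_of(subcategory)  # validates the identifier
        if cur not in TIERS or tgt not in TIERS:
            raise ValueError(f"{subcategory}: tiers must be 1..4, got {cur}/{tgt}")
        if weight <= 0:
            raise ValueError(f"{subcategory}: weight must be positive")
        if subcategory in current:
            raise ValueError(f"{subcategory}: scored twice")
        current[subcategory], target[subcategory] = cur, tgt
    return current, target


def function_gap(assessment):
    """Weighted roll-up per Function: mean current tier, mean target tier, gap.
    A Function with no scored subcategories reports None rather than a
    misleading 0.0, so a gap chart shows 'not assessed' instead of 'no gap'."""
    build_profiles(assessment)  # fail fast on bad input
    sums = defaultdict(lambda: {"w": 0.0, "cur": 0.0, "tgt": 0.0})
    for subcategory, cur, tgt, weight in assessment:
        s = sums[function_of(subcategory)]
        s["w"] += weight
        s["cur"] += weight * cur
        s["tgt"] += weight * tgt
    report = {}
    for name in FUNCTIONS.values():
        if name not in sums:
            report[name] = {"current": None, "target": None, "gap": None}
            continue
        s = sums[name]
        report[name] = {
            "current": round(s["cur"] / s["w"], 2),
            "target": round(s["tgt"] / s["w"], 2),
            "gap": round((s["tgt"] - s["cur"]) / s["w"], 2),
        }
    return report


def prioritize(assessment):
    """Subcategories ordered by weighted gap (weight * (target - current)),
    largest first; closed gaps are dropped. Ties break on the ID so the list
    is stable between runs. This is the investment list to take to leadership."""
    ranked = [(w * (t - c), sub) for sub, c, t, w in assessment if t > c]
    ranked.sort(key=lambda item: (-item[0], item[1]))
    return [sub for _, sub in ranked]


if __name__ == "__main__":
    for name, row in function_gap(SAMPLE_ASSESSMENT).items():
        print(f"{name:9} current={row['current']} target={row['target']} gap={row['gap']}")
    print("invest first:", ", ".join(prioritize(SAMPLE_ASSESSMENT)))
```

Two design points matter for anyone building or evaluating such a tool. First, the roll-up is weighted, so a Function dominated by low-priority subcategories does not mask one high-priority gap; a plain average of tiers would. Second, a Function nobody has scored is reported as None rather than as a zero gap, because an unassessed area and a closed gap look identical on a chart otherwise, and the Board will read the latter.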


What to consider in a NIST Cybersecurity Framework Assessment Tool

As business-side stakeholders, especially Boards and CEOs, rely increasingly on information technology and security leaders to interpret cybersecurity and risk, clear communication between the two groups is vital. Widely regarded as the gold standard and the source material for many other standards and regulations, the NIST CSF is a robust foundation on which to build a forward-thinking cyber program. Make sure the tool you select is capable of supporting an organization-wide conversation about cybersecurity and risk.

To see the CyberStrong NIST CSF Assessment in action, schedule a demo now.
