Taking Action on The Framework for Improving Critical Infrastructure Cybersecurity
The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure is starting to result in actions by not only U.S. federal agencies but also by U.S. businesses. Recent attacks and hacks have resulted in a more aware private sector, and businesses are asking what they can do to reduce their risks.
Some are overwhelmed by the Framework because of its complexity, but the National Institute of Standards and Technology’s Framework, formally titled The Framework for Improving Critical Infrastructure Cybersecurity, is what many call the closest thing to a national gold-standard for cybersecurity. Its popularity and support already covers about 30% of U.S. businesses who have adopted it and that number is growing rapidly according to Gartner. The NIST CSF builds upon existing frameworks like NIST 800-53, ISO 27001 and others and was built by over 3,000 public and private security professionals. The new version that is set to be released also has an immense amount of input and feedback from those who started to implement version 1.0. Therefore, it’s only right that both the public and private entities that support our economy and ultimately support the comings and goings of our daily lives would take it seriously.
The Framework is a risk-based approach to managing cybersecurity, and NIST further stated that its purpose is to create a common language that spans risk, cyber, and management communications, internally and externally in both public and private organizations. It might seem like a far-fetched goal, but now couldn’t be a better time to execute on efforts to strengthen your cyber posture considering the increase in attacks on businesses of all sizes. It's time to be proactive about cybersecurity management and strategic about how companies build their programs. Some organizations are even requiring their vendors to adopt the Framework as they scale their businesses, and for good reason considering the number of attacks even in the last few months. Likewise, some financial and healthcare entities are starting to map regulations to the framework and are realizing the importance of securing their data more than ever before.
[ Interested in learning how to strategically deploy the NIST Cybersecurity Framework? Sign up for our upcoming Webinar: How to Simplify The NIST CSF to learn from industry experts]
The executive order specified that federal entities should run an assessment to build their target profile in relation to the NIST Cybersecurity Framework. Then, these organizations would identify gaps and put remediation plans in place to be submitted to the Office of Management and Budget.
For both public and private organizations, running an assessment and identifying gaps are critical to creating a sound budget to strengthen your cybersecurity program. Mitigation and remediation steps should be identified with various paths to choose from, for example using one technology versus another to fulfill a certain area in the Framework. Having a proactive plan in place for all areas, especially if you are able to prioritize them and thus won’t get to all of them immediately, will give you more flexibility when you actually start to execute your budget.
Running a risk-based program is the proactive way to manage your cyber posture as every move and measure should be in response to the related risk - not in response to a breach after the fact. The NIST Cybersecurity Framework promotes this strategy and is helping to give businesses and organizations that are critical to our economy guidance in making cybersecurity management a priority.
Learn the steps you should take to prepare for adoption and how to assemble your resources in CyberSaint’s NIST CSF whitepaper.