This Guide will cover everything that you need to know to start and improve your NIST Framework-based program.
The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure is motivating action from not only U.S. federal agencies, but also from U.S. businesses. Recent cyberattacks and breaches have resulted in heightened private sector awareness, which is driving businesses to reevaluate how they can reduce enterprise risk.
Frameworks create a common language for cyber that unifies the conversation around enterprise risk and security.
Some organizations are even requiring their vendors to adopt frameworks as they scale. Likewise, financial and healthcare companies are also realizing the importance of securing their data following this set of best practices. Europe, too, clearly sees the value of the framework as they look to it while finalizing the NIS Directive.
When CyberSaint's Founder George Wrenn left his position as a global CSO to start CyberSaint, he set out to accomplish one goal: Realizing that the frameworks' nature—by far the most comprehensive approach—implicitly makes it the most complex. As a result, there needed to be a clear path to implement this framework at scale - enter CyberSaint.
Our first conclusion: cybersecurity must be managed proactively and not reactively.
Our second conclusion: Companies have to be strategic when building their programs.
As business leaders, there is a substantial responsibility to execute, keep our companies protected. and effectively relay our progress back to our peers. This pressure can be crushing - we see what can go wrong in revenue lost and reputations damaged, sometimes beyond repair. A proactive information security professional will certainly stay informed and advocate for increased resilience via a standards-based approach.
As noted above, the NIST Cybersecurity Framework is by far the most comprehensive framework, but it is also the most complex to navigate.
The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, formally titled The Framework for Improving Critical Infrastructure Cybersecurity, can overwhelm even experienced security professionals with its complexity. Yet, increasingly, it is recognized as a national gold standard. Its popularity and support are apparent: 61 percent of U.S. businesses are actively working to adopt the framework as of 2017, and that number continues to grow.
With the release of Version 1.1 of the Framework, it is even more robust, and still flexible. With the ability to be adopted by organizations of any size voluntarily, its rapid adoption across industries proves its strength as a foundation for any cybersecurity program.
The Under Secretary of Commerce for NIST, Walter Copan, noted
"From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry, and academia. The impact of their work is evident in the widespread adoption of the framework by organizations across the United States, as well as internationally."
According to NIST,
"This second draft update aims to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use. This latest draft reflects comments received to date, including those from a public review process launched in January 2017 and a workshop in May 2017."
"The voluntary NIST Cybersecurity Framework should be every company's first line of defense. Adopting version 1.1 is a must do for all CEOs."
- U.S. Secretary of Commerce Wilbur Ross
Small and mid-sized businesses need to be aware that not only large enterprises are targets, and the Framework may be the most robust method to implement best practices.
The U.S. National Cybersecurity Alliance says that the cost of cleaning up after an attack for a small to mid-sized business can range from $690,000 to over $1 million. The NIST Interagency Report (NISTIR) 7621 entitled “Small Business Information Security: The Fundamentals” states “Because small businesses typically don’t have the resources to invest in information security the way larger businesses can, many cybersecurity criminals view them as soft targets.” The report also notes that some hackers are attacking not simply for profit, but out of revenge or the thrill of causing havoc. To a small business, a strong cybersecurity program is often seen as a task too difficult because of the resource requirements.
Nonetheless, the benefits greatly exceed the cost, as adopting a strong program and creating a business process will help gain and retain customers especially in light of publicized cybersecurity attacks, as customers expect sensitive information to be protected from compromise. The NIST Framework is truly applicable to any organization regardless of size as a jumping-off point to establish their cybersecurity posture. It turns in traditional, more audit-based policies for a risk-based approach to cybersecurity management. It’s a guideline for businesses to update their risk management approach, as many U.S. organizations across sizes and industries already leverage some type of security framework. Businesses of all sizes and industries are seeing the importance of building a robust cybersecurity program and are seeking more proactive strategies. Its five core functions: identify, protect, detect, respond, and recover, are a blueprint to mitigate cybersecurity risk. Implemented properly, an organization will have the most powerful set of tools and procedures in place.
In a sense, the Framework is a dynamic Deming cycle—continuous, logical, and always learning.
A Profile enables an organization to establish a roadmap for reducing cybersecurity risk that is well-aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities.
Given the complexity of many organizations, they may choose to have multiple profiles, aligned with particular components and recognizing their individual needs. Framework Profiles can be used to describe the current state or the desired target state of specific cybersecurity activities.
Your Current and Target Profile
The Current Profile indicates the cybersecurity outcomes that are currently being achieved. The Target Profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals.
It's important here to loop in goals from all business segments both business and security. That way, you'll have a more well-rounded goal set that aligns with your business's vision for the future.
The Value of Profiles
Profiles support business/mission requirements within your organization to all constituents, and also aid in the communication of risk between organizations. If you have a difficult time translating your current and target-risk and cybersecurity strength to your partners, vendors, and the like, creating these profiles will be monumental in boosting communication between all parties involved. The better the communication is within and around your organization, the more progress you'll make in building a robust program or even creating a faster response plan.
If you're interested in baselining your organization against NIST Cybersecurity Framework best practices in hours, check out CyberStrong. You'll be able to see areas for improvement and gaps across all five NIST functions, and you'll have a plan of action on how to close those gaps within your organization.
NIST defines the identify function as calling on the need to "develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.". In this function, as a cybersecurity stakeholder, you can work on laying a foundation in your organization for effective use of the Framework moving forward. The focus of identify is on the business and how it relates to cybersecurity risk, especially taking into account the resources at hand. Here are some of the outcome Categories associated with this function:
The importance of the identify function is clear: it lays the groundwork for cybersecurity-related actions that your organization will take moving forward. Identifying what exists, what risks are associated with those environments, and how that relates in context with your business goals are crucial to having success with the Framework.
Successful implementation of the identify function could result in multiple outcomes, for example:
Organizations have to evolve in their cybersecurity practices and implement the vital safeguards to contain and limit the impacts of potential cybersecurity incidents. All digital and physical assets must be accounted for, and roles must be defined with clear communication workflows around incidents and risk. The policies and procedures that you implement will provide the stability needed for your cybersecurity program as it works through all five functions and matures.
NIST says that the framework functions "aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities".
The protect function is important because its purpose is to "develop and implement appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology" according to NIST.
Protect covers these categories:
Some examples of ways to attain these requirements are:
Organizations must evolve as breaches are becoming all the more common. By focusing on the protect function, you can put in place the policies and procedures to lay a strong foundation for your cybersecurity program as it matures in all five functions.
The detect function requires that you develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
"The detect function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes."
The detect function is a critical step to a robust cybersecurity program - the faster you can detect a cybersecurity event, the faster you can mitigate the effects of it. Examples of how to accomplish steps towards a thorough detect function are as follows:
Clearly, the detect function is one of the most important, as detecting a breach or event can be life or death for your business. There is no doubt that following these best practices and implementing these solutions will help you scale your program and mitigate cybersecurity risk. In our next blog post, we will explore the respond function.
NIST defines respond as "Develop and implement appropriate activities to take action regarding a detected cybersecurity incident".
"The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements".
Here are the parts to the respond function and their importance:
When breaches occur in companies, an incident response plan is critical to managing the immediate aftermath. Surprisingly, lots of organizations don't have an incident response plan or just haven't tested the plan that they have in place.
According to NIST, the recover function is defined as the need to "develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity security event.
"The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcomes for this function include: Recovery Planning, Improvements, and Communications."
Recover includes these areas:
The recover function is important not only in the eyes of your business or organization in recovering from an attack, but also in the eyes of your customers or market. Swift recovery handled with grace and tactfulness will allow you to end up in a much stronger position internally and externally than you would otherwise.
Prioritizing these focus areas within recover will ensure that your organization has a recovery plan that is up to date and matches your organization's goals and objectives.
There’s little doubt that the NIST CSF is effective, but it’s also a complex framework that needs to be tailored to meet an organization’s risk reduction goals. When Dimensional Research surveyed 300 IT and security professionals in the US, it found that 64% of respondents using the NIST CSF reported that they were not using all the recommended controls, just some of them.
Also, 83% of organizations with plans to implement in the coming year reported an intention to adopt some, rather than all, the CSF controls. Selective adoption can yield results if done properly. This can be a great starting point for organizations with limited resources. What’s required is a way to reduce the complexity and make the NIST CSF just a little more digestible for your organization.
Below are some key concepts that can both simplify and accelerate your NIST CSF program.
Step #1 – Align NIST Program with Business Objectives
Map your objectives to the NIST control families. For example, if your organization requires “availability” of systems as the top priority, then starting with “Contingency Planning” (CP) controls is going to better align your program with your business objectives.
Step #2 – Focus on Foundational “Primary Controls” First
Start with a subset of the control families selected and limit your initial custom framework control list to the vital “Primary Controls.” This will save “Control Enhancements” for later when your NIST CSF program is more mature. Control enhancements include details beyond the base control, such as frequency of testing, automation, and extensive documentation of the process surrounding the control. While important, these control enhancements only matter if the base control is already in place.
Step #3 – Get the Low-Hanging Fruit by Implementing NIST SP 800-171
Select your base framework controls using an existing framework profile or selection such as the NIST SP 800-171, which covers more than 80% of the full NIST CSF but requires approximately 20% of the effort, significantly reducing the number of controls that need to be adopted. Similar to the 80/20 principle, this approach can greatly improve security with a fraction of the effort required to implement the full NIST CSF.
Step #4 – Balance the Five Framework Functions Evenly
Distribute your effort equally across all five phases of the NIST CSF. Creating a balanced program.
If we follow the natural phases embodied with the NIST CSF, we can break the various stages down into smaller pieces that are easier to digest and implement.
Suggestion #5 – Leverage the Entire Organization
Make NIST CSF adoption a team sport. Engage business units and other resources across your organization. Many of the framework’s controls can be assigned to business functions such as HR, finance, or IT. The security team doesn’t have to own every control.