National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

What Is the NIST Cybersecurity Framework?

NIST is the National Institute of Standards and Technology, a unit of the U.S. Department of Commerce. Formerly known as the National Bureau of Standards, NIST develops and maintains measurement standards and runs active programs that help industry and science adopt them. The NIST Cybersecurity Framework (CSF) is a voluntary framework that provides guidance for managing cybersecurity risk, built on existing standards, guidelines, and practices. Although it was originally written for U.S. critical infrastructure organizations, the Framework is flexible enough to be used by any organization, in any sector, anywhere in the world.

The Cybersecurity Framework (CSF) is a set of cybersecurity best practices and recommendations from the National Institute of Standards and Technology (NIST). The CSF makes it easier to understand cyber risks and improve your defenses. Organizations around the world use it to make better risk-based investment decisions. 

What is NIST?

Founded in 1901, NIST is an agency of the U.S. Department of Commerce. It advances measurement science, standards, and technology to improve our quality of life. NIST has provided important computer security guidance for many decades.

Why is the CSF important?

There are many catalogs of cybersecurity best practice available, but most are long, detailed, and hard for non-specialists to navigate. The CSF organizes cyber-risk management into a small number of outcomes so that you can decide what to do next without first mastering a control catalog. It also gives the organization a common vocabulary for cybersecurity that executives, engineers, auditors, and external partners can all use.

What makes the CSF easy to use?

The CSF uses a simple structure built around a handful of functions. As described on this page (CSF version 1.1), there are five: Identify, Protect, Detect, Respond, and Recover. Each function is written in clear, outcome-based language without extensive technical detail, leaving the choice of specific controls and technologies to the organization. The CSF also outlines a simple, repeatable process for establishing or improving a cybersecurity program. Note that CSF 2.0, published by NIST in February 2024, adds a sixth function, Govern, which covers the strategy, policy, roles, and oversight activities that version 1.1 spread across the other functions.

Is the CSF a compliance mandate?

No, the CSF is not a compliance mandate. It is a voluntary, flexible framework available for everyone to use and customize to their unique needs.

Who uses the CSF?

The NIST CSF was originally intended for use by critical infrastructure sectors such as healthcare, utilities, and manufacturing. That is why the official title of versions 1.0 and 1.1 is the Framework for Improving Critical Infrastructure Cybersecurity. Organizations of all sizes, all around the world, have since recognized its value and adopted the Framework, and NIST formally broadened its scope to all organizations in CSF 2.0.

Components of the NIST CSF

The CSF contains three key components: the Core, the Implementation Tiers, and the Profiles.

The core

The Core is a set of activities, outcomes, and references that describe approaches to aspects of cybersecurity. It has four elements: functions, categories, subcategories, and informative references. Each function is divided into categories, which are the groups of outcomes needed to fulfill that function; examples include asset management, risk assessment, awareness and training, and detection processes. Subcategories further subdivide categories, stating the specific technical or management outcomes that must be achieved to satisfy each category. Finally, informative references point to sections of existing standards, guidelines, and practices (such as ISO/IEC 27001, COBIT, and the NIST SP 800 series) that illustrate how each subcategory outcome can be achieved. The Core deliberately states what should be achieved rather than which product or control to use; the informative references are where an implementer goes to find concrete control guidance.

Identify: Identify potential cybersecurity risks to your information assets

The Identify function helps you to develop an overall risk management approach to cybersecurity. It helps you understand your critical assets, business environment, governance model, and supply chain.  

Protect: Protect yourself against these risks by developing and implementing safeguards

Protect helps you put important defensive controls in place based on your critical assets, risk tolerance, and other input from the Identify function. Protect highlights the importance of managing identities, securing access, protecting data, and training users.  

Detect: Detect any irregular activity to determine if breaches have occurred

When you are under attack, you may not always know right away. The Detect function shortens the time to discovery by spotting anomalies, investigating events, continuously monitoring, and other detection processes.  

Respond: Respond to any detected breaches to contain their impact

When you know you are under attack, you have to act fast. Respond helps you take the right action immediately through incident response planning, analysis, mitigation, communication, and ongoing improvement.  

Recover: Recover from these breaches by restoring any undermined assets

And once you have stopped the attack, you need to get back to normal. The Recover function helps you restore operations through recovery planning, continuous improvement, and communications.

Framework Implementation Tiers

Framework Implementation Tiers describe how an organization views cybersecurity risk and how rigorous its processes for managing that risk are, judged along three dimensions: its risk management process, the extent to which cybersecurity is integrated into its wider risk management program, and its external participation (information sharing with partners, suppliers, and the wider community). The four tiers, from lowest to highest, are Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, and Tier 4 Adaptive. NIST is explicit that the tiers are not maturity levels and that moving to a higher tier is only appropriate where a risk assessment shows it to be cost-effective; an organization does not need to be at Tier 4 to be using the Framework successfully.

The Current profile

The Current Profile is a picture of the cybersecurity outcomes an organization is achieving today, recorded against the subcategories of the Core. Building it forces the organization to document what it actually does rather than what its policies say. The Current Profile can also be used to communicate the organization's cybersecurity posture consistently, both internally and to external partners such as customers, regulators, and suppliers.

The Target profile

The Target Profile describes the outcomes the organization intends to achieve for its cybersecurity risk management activities. These targets are strongly tied to the organization's legal and regulatory requirements, contractual obligations, risk tolerance, and business objectives. Comparing the Current Profile with the Target Profile, subcategory by subcategory, reveals the gaps; the Framework's improvement process then has the organization prioritize those gaps by risk and cost and turn them into an action plan that it tracks over time.

Source: What is the NIST Cybersecurity Framework (CSF)? | IT Governance USA
