An Introduction to the NIST Framework

The NIST framework is one of the key cybersecurity frameworks that helps businesses secure their assets, systems, and processes. In this blog, we take a look at understanding the framework and all that it entails. 

Who is NIST?

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories.

How did the Framework come to be? 

In February 2013, the US President, having realised that national and economic security was dependent on the reliable function of critical infrastructure, introduced executive order (EO) 13636; ‘Improving Critical Infrastructure Cybersecurity’. The order instructed the NIST to work with various key stakeholders towards creating a voluntary framework to mitigate cyber risks to critical infrastructure. The Cybersecurity Enhancement Act that followed in 2014 re-emphasised  NIST’s EO 13636 role.

What is the NIST Framework? 

The NIST Framework is globally accepted as the gold standard to building a cybersecurity program for your organization.The NIST Cybersecurity Framework is a dynamic tool for businesses of all sizes to improve their cybersecurity. It is a set of guidelines and best practices to help organizations build and improve their cybersecurity posture. The Framework provides a common language for understanding, managing, and expressing cybersecurity risk to all stakeholders, whether that be internal or external. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. 

The Framework Core

Although the core framework doesn’t act like a checklist of actions to perform, it provides a list of activities to achieve specific cybersecurity outcomes with examples and guidance on how exactly to achieve these outcomes. 

The framework categorizes all cybersecurity capabilities, projects, processes, daily activities into these 5 core functions:

1. Identify - Which processes and assets within an organization require protection?
2. Protect - Implement appropriate safeguards to ensure the protection of enterprise assets
3. Detect - Implement appropriate mechanisms to identify the occurrence of cybersecurity incidents 
4. Respond - Develop techniques to contain the impacts of cybersecurity incidents 
5. Recover - Implement the appropriate processes to restore capabilities and services impaired by cybersecurity incidents 

Implementation Tiers 

Implementation Tiers are the tools used to describe the degree to which your organization's current risk management strategies already exhibit characteristics of the NIST Framework. It consists of the following four tiers:

1. Partial
2. Risk Informed 
3. Repeatable 
4. Adaptive 

Profiles 

The NIST Framework’s final component is 'profiles'. They are used by organizations to identify where they can improve their overall cybersecurity posture. This is done by creating a current outline of organizational requirements and objectives, ability to take risk and resources, and comparing it with a target profile. By doing this organizations can identify where they can improve in order to eliminate risk. 

Why NIST?

In conclusion, the NIST Framework is important for the following reasons. It provides an organization with a list of guidelines and principles that can be used to improve their cybersecurity efforts. Instead of providing users with a list of solutions, the designers of the Framework make it much easier for your organization to customise their cybersecurity strategy. It is precise and strict enough that you can manage a significant amount of cybersecurity risks, yet it provides flexibility to manage risks in a method that is most effective for your organization.

Looking to manage your cybersecurity with the NIST framework approach? StickmanCyber's NIST Cybersecurity Framework services deploys a 5-step methodology to bring you a proactive, broad-scale and customised approach to managing cyber risk.