IBM’s 2022 Data Breach Report shows that 83% of US businesses are expected to experience at least one data breach yearly. With a single data breach costing an average of $9.44 million, and potentially even more, the importance of adopting a solid cybersecurity framework becomes apparent. A prominent one is the NIST framework.
The National Institute of Standards and Technology (NIST) proposes its own Cybersecurity Framework (CSF) to help businesses, both small and large, to prevent and manage the growing cyber risks. Estimates show that about 50% of US businesses are using this framework, based on 2020 data.
In this guide, we take a deep dive into the details of this widely adopted framework.
What is the NIST Cybersecurity Framework?
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a voluntary proposal containing principles, guidelines, and best practices for US businesses to achieve data security.
NIST itself is an agency anchored in the US Department of Commerce. Its mandate is to protect US innovation and competitiveness while helping to improve economic security. The NIST CSF is one of its instruments for achieving this purpose.
The framework’s version 1.0 was established in 2013 following Executive Order (EO) 13636. CSF 1.1 is the current release. It offers a flexible guideline for implementation, so that businesses across different industries and at different stages of cybersecurity maturity have a risk management structure that works for them.
What’s more, the uniformity of guidelines allows for shared experiences and seamless collaborations with external entities.
The core functions of NIST CSF
The NIST CSF splits its guidelines, standards, and best practices into five different core functions for implementation. These Functions are additionally split into categories. Categories are also split further into subcategories.
Categories are subjects of consideration for each Function, while Sub-categories are the specific considerations or principles to follow. Categories and subcategories depend on the Function they apply to and, hence, are not the same across all Functions.
The core Functions under NIST CSF include:
- Identify
- Protect
- Detect
- Respond
- Recover
Each of these Functions represents different stages of an organization’s cyber risk management workflow, and hence, should be applied one after the other.
Identify
The function “Identify” represents the preparation stage. This is where you lay your foundations for cybersecurity risk management.
How do you implement the Identify function? You study your business environment and use findings to understand your own cybersecurity needs.
Through the “Identify” function, you determine the best measures for managing data, systems, assets, capabilities, people, and risks.
The categories under Identify include:
i. Asset Management
Asset management is all about information systems, data, and infrastructure components.
You identify all the organization’s data assets and spot the core business processes around them. The assets and processes are then prioritized. Next is to identify hidden risks to these assets and processes.
ii. Business Environment
Business environment takes note of business-related factors or dependencies that have an impact on data management.
These factors could include business objectives, as well as third-party suppliers/vendors and regulatory requirements.
iii. Governance
Governance is concerned with considerations about people and access management.
Here, you start by establishing roles and responsibilities. Next, you identify policies around access control, employee skill, employee awareness, and employee training.
iv. Risk Assessment
Risk assessment covers research into the three previous categories to identify areas that pose potential risks.
You establish repeatable processes to continuously assess risks on assets, business, and governance.
v. Risk Management Strategy
The Risk Management Strategy category is the culminating result of all the categories and subcategories above, and the ultimate purpose of the Identify Function.
It covers the establishment of a strategy for data asset management, business-impact management, and governance. This strategy has to comprehensively cover your data security.
This is where you come up with security control, incident response, recovery, and business continuity plans to manage risks.
Summary: In short, the “Identify” function allows you to create data-driven core foundations for developing risk management strategies and structures.
Protect
The “Protect” Function is all about the active implementation of risk management systems and policies.
This is where you apply your strategies on safeguarding assets, achieving business security goals, solidifying governance, and executing continuous risk assessment.
The categories of considerations under Protect include:
i. Identity Management and Access Control
Identity management refers to the creation, assignment, and maintenance of digital identities. The goal is to have a level of control over assets, systems, and people.
Through identity management, an organization is able to successfully execute access control principles. These control principles could include role-based access control (RBAC), attribute-based access control (ABAC), or least privilege principles.
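The access control principles named above are easiest to see in code. The following is an added example (not code from the original article or from any product it mentions): a minimal role-based access control (RBAC) evaluator that denies by default, plus a least-privilege review that compares the permissions each user holds with the permissions they actually exercised in an access log. The role names, users, permission strings and the access log are all constructed for the example.

```python
# Added example (not from the original article): a minimal role-based access
# control (RBAC) evaluator with a least-privilege review. Role and user
# names, permissions and the access log below are all constructed.

# Role -> set of permissions. Permissions use a "resource:action" naming
# convention chosen for this example.
ROLE_PERMISSIONS = {
    "analyst": {"tickets:read", "logs:read"},
    "admin": {"tickets:read", "tickets:write", "users:manage", "logs:read"},
    "hr": {"employees:read", "employees:write"},
}

# User -> set of roles (a user may hold several roles).
USER_ROLES = {
    "alice": {"analyst"},
    "bob": {"admin"},
    "carol": {"hr", "analyst"},
}


def effective_permissions(user):
    """Union of the permissions granted by every role the user holds.
    Unknown users and unknown roles contribute nothing (deny by default)."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user, permission):
    """Access decision: allowed only if some role explicitly grants it."""
    return permission in effective_permissions(user)


def unused_permissions(user, access_log):
    """Least-privilege review: permissions the user holds but never exercised
    in the observed period. access_log is an iterable of (user, permission)
    tuples recording successful, authorized actions."""
    used = {perm for who, perm in access_log if who == user}
    return effective_permissions(user) - used


def least_privilege_report(access_log):
    """Per-user list of granted-but-unused permissions, sorted by user name.
    Anything listed here is a candidate for removal from the user's roles."""
    return {
        user: sorted(unused_permissions(user, access_log))
        for user in sorted(USER_ROLES)
    }


# Constructed access log for one review period: (user, permission) events.
ACCESS_LOG = [
    ("alice", "tickets:read"),
    ("alice", "logs:read"),
    ("bob", "tickets:read"),
    ("bob", "logs:read"),
    ("carol", "employees:read"),
    ("carol", "tickets:read"),
]

if __name__ == "__main__":
    print(is_authorized("alice", "tickets:write"))   # False
    print(is_authorized("bob", "users:manage"))      # True
    print(least_privilege_report(ACCESS_LOG))
```

Two design choices matter here: the decision function returns True only for an explicit grant, so an unknown user or a typo in a role name fails closed rather than open; and the review works from observed use, which is what turns "least privilege" from a principle into a concrete list of permissions to remove.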
ii. Awareness and Training
Awareness and training aims to limit human errors as much as possible.
You enroll staff in training programs to continuously educate them on emerging cybersecurity risks, best practices, and policies.
We have a comprehensive guide on this topic: see our article on the importance of awareness training.
iii. Data Security
As the name suggests, this category covers considerations about protecting data: data-at-rest, data-in-transit, and data-in-use.
Some of the measures that are implemented in this category include encryption, Transport Layer Security (TLS), data masking, and secure data storage. Others include data backup and data disposal activities. Talking of backups, it’s always important to understand the different types of backup.
iv. Protective Technology
Protective technology refers to all the tools through which you implement continuous protection and risk management. It covers the solutions and stacks for various activities.
Examples include NordLayer for identification and access control, Apache Hadoop for data storage, Nagios for systems monitoring, and Datadog for responding to breaches.
Here, system configurations are updated to adapt to changes in risk profiles. Other activities include updating roles and responsibilities based on practical results, and upgrading cybersecurity tools, tool stacks, and technology suppliers to maintain complete cyber-integrity.
Summary: In short, the “Protect” function focuses on implementing secure access control, data encryption and protection, and continuous improvement procedures.
Detect
The “Detect” Function has a more specific focus on data and infrastructure monitoring workflows.
Through considerations within the Detect Function, you continuously watch over the data infrastructure, parsing through cybersecurity events to detect unauthorized or abnormal activity.
Modern applications for the Detect Function utilize AI and machine learning (ML) for intelligence gathering and event/behavioral data analysis. This advancement helps to reduce false positives and keep incident response efficient. The categories under “Detect” include:
i. Anomalies and Events
The Anomalies and Events category is all about utilizing advanced AI and ML tools to benchmark internal/external access patterns and usage behaviors.
This is accomplished by creating a measure for normalcy in system logs, network traffic, and other relevant data. Through this, you are able to more accurately identify abnormal behavior and cybersecurity events.
You might also want to read our related guide on AI and ML in cybersecurity.
ii. Security Continuous Monitoring
This Category focuses on maintaining 24/7 surveillance over the organization’s IT infrastructure.
Security Information and Event Management (SIEM) tools are typically utilized for this purpose. They help with constant intelligence gathering from multiple cybersecurity solutions, as well as unified data analysis. This way, you are able to get alerts and manage threats from one platform.
iii. Detection Processes
Under this category, the ML-powered anomaly benchmarks are unified with automated threat intelligence gathering. Through this, accurate alerts are created. The alerts then trigger the necessary response workflows from the cybersecurity team or automated tools.
Summary: In short, the “Detect” Function is all about adopting tools and strategies that help you maintain a continuous overview over the data infrastructure and reduce false positives.
Respond
The “Respond” Function is where your post-incident cybersecurity workflows start.
It covers the strategies, systems, and policies for incident response through which you mitigate the effects of an attack and prevent future events from happening.
There are five categories under the “Respond” Function.
i. Response Planning
Response planning covers the development of a response plan. Here, you outline team responsibilities and response procedures in the event of an attack, breach, or infrastructure outage.
You clearly lay out the roles of the IT, legal, human resources, and communications team, as well as the tools and workflows towards containing and terminating threats.
You also continuously update plans to fit emerging threats, better response practices, and changing team skills.
ii. Communications
The Communications category is, quite straightforwardly, all about information sharing and collaboration between the internal and external stakeholders in your cybersecurity architecture.
This category involves internal communication between development and operations teams. Together, they coordinate response and external information sharing with law enforcement, providers, partners, and customers to curb threat sources.
Communication is also important for public relations and trust-rebuilding purposes.
iii. Analysis
Analysis covers data collection and interpretation. The aim is to understand where the attack came from, which systems were compromised, how they were compromised, and the impact of the compromise.
Analysis simply helps you deal with threats in a comprehensive manner.
iv. Mitigation
Mitigation covers the actual steps that the organization takes to curb attacks. You implement your response plans, communicate with appropriate stakeholders, and utilize analysis reports to build efficient response workflows.
Automated response tools are typically utilized to maintain proactive protection over the infrastructure.
v. Improvements
The Improvements category takes data from your event analysis considerations. You utilize incident data from past cybersecurity events to upgrade security procedures, infrastructure, and policies.
Security Orchestration, Automation and Response (SOAR) tools are utilized for the “Respond” Function. They speed up incident response through automation.
Recover
The “Recover” Function is all about remediating the effects of a cyber attack. The goal is to restore IT systems/infrastructure and bring back impaired capabilities.
There are four categories under Recover.
i. Recovery Planning
This category is about developing a response plan. Through this plan, you delegate team responsibilities and identify response procedures to remediate the effects of an attack, breach, or infrastructure outage.
You identify the roles of the IT team, communication channels, and the tools/workflows through which the affected systems are restored and improved.
ii. Improvements
With the Improvements category, you update plans to fit emerging/identified threats, apply better response practices, and change team responsibilities to fit new skill requirements.
iii. Communications
This category covers information sharing between internal and external stakeholders to implement recovery plans and improvement strategies.
You collaborate with IT service providers, law enforcement, and victims to unify efforts toward bringing everyone back to pre-attack status.
The Recovery Function is a crucial part of the NIST Cybersecurity Framework as it makes up for lapses in an organization's attack prevention and mitigation measures.
The implementation tiers under NIST CSF
The NIST CSF tiers indicate where an organization is in their implementation journey. It is a measure of an organization’s application of the NIST Framework Functions, categories, and sub-categories.
The higher your implementation tier is, the more comprehensive and mature your cybersecurity is deemed to be. The tiers are also a way of grouping businesses and organizations so that peers in CSF implementation can identify each other and collaborate on improvements more easily.
There are four tiers in the NIST CSF implementation:
- Partial (Tier 1)
- Risk-Informed (Tier 2)
- Repeatable (Tier 3)
- Adaptive (Tier 4)
Each of these tiers is rated based on the following indicators:
- Risk Management Process
- Integrated Risk Management Programs
- External Participation
Tier 1: Partial
- Risk Management Process: There is no established knowledge base on business goals, threats, and risk objectives used to inform the company about its risk management process. Risk is handled only when there are incidents, and this is usually not organized.
- Integrated Risk Management Programs: There is a lack of awareness and information sharing within the organization. Response to incidents is irregular and based on un-informed processes from external sources.
- External Participation: The organization's risk management practices suffer from isolation due to the lack of information sharing with external entities, such as dependencies, dependents, vendors, customers, and researchers. Consequently, it fails to grasp crucial external factors and remains unaware of potential supply chain risks from its vendors and to its customers.
Tier 2: Risk-Informed
- Risk Management Process: There is an established knowledge base on business goals, threats, and risk objectives. However, this information isn’t translated to formal policies. Risks and incident response are prioritized based on this knowledge base.
- Integrated Risk Management Programs: There is an awareness of risks as there is information sharing at an organizational level. However, an organization-wide collaborative approach to tackling cyber risks isn’t implemented. Additionally, though the company conducts assessments on how external organizations tackle risks to improve its internal risk management, this process is not continuous.
- External Participation: The organization engages with external entities, but participation isn’t comprehensive. There is no information sharing to external entities, but information may be received from dependencies, dependents, vendors, customers, or researchers, among others. The organization understands supply chain risks from vendors and to its customers but does not enforce formal policies to act on these risks.
Tier 3: Repeatable
- Risk Management Process: There is an established knowledge base on business goals, threats, and risk objectives, and this is translated into formal policies that guide the organization’s risk management process. Risk management practices are also updated based on changes in threat and business factors.
- Integrated Risk Management Programs: There is an awareness of risks at an organizational level, and an organization-wide collaborative approach to tackling cyber risks is implemented. Skills fit responsibilities, and the company engages in consistent asset monitoring. Senior executive and non-executive personnel maintain constant communication to stay updated on internal risks.
- External Participation: The organization engages with external entities, and participation within its industry is comprehensive. There is information sharing to and information receipt from dependencies, dependents, vendors, customers, and researchers, among others. The organization understands supply chain risks from vendors and to its customers and uses this to enforce baseline requirements, governance structures, and policies to manage these risks.
Tier 4: Adaptive
- Risk Management Process: There is an established knowledge base on business goals, threats, and risk objectives, and this is translated into formal policies that guide the organization’s risk management process. Continuous improvement is adopted so that management practices are updated more swiftly, based on almost real-time changes to threats and business factors.
- Integrated Risk Management Programs: An improvement on Tier 3, here, there are additional considerations for financial risks, predicted risk environment, and changing risk tolerance. There is continuous assessment of previous and current IT systems, and this allows for a swift approach to change management, risk communication, and incident response.
- External Participation: Building on tier 3, organizations here engage in continuous risk assessment to stay informed on the threat landscape. There is real-time monitoring of the supply chain to constantly feed intelligence on risks and maintain strong supply chain structures and relationships.
NIST advises that all organizations should, at least, strive for a level above Tier 1 (Partial). Although Tier 4 (Adaptive) is deemed the most comprehensive, a cost-benefit balance should be considered when settling on a tier to ensure that implementations fit financial budgets and other organizational needs.
Benefits of NIST CSF
The NIST CSF delivers the following major benefits:
1. Long-term cyber-risk management
The implementation of an adaptive approach that prioritizes continuous improvement workflows means that your cybersecurity architecture remains effective as times, threats, and business requirements change.
While this framework is not mandatory, Executive Order 13800 made it compulsory for certain organizations including all government agencies and contractors who wish to work with the agencies.
Please note as well that long-term, adaptive cybersecurity coverage means your organization maintains long-term compliance with industry standards.
2. Ease of adoption and flexibility
One of the most critical benefits of the NIST CSF is its ease of adoption regardless of industry or business model.
It is a flexible framework that, through the Identify Function, permits customization based on the business environment, assets, and compliance requirements.
The adaptive approach allows organizations to scale cybersecurity risk management measures vertically or horizontally as threat environments and the business landscape change.
3. Information sharing and collaboration
The NIST CSF considerations on external participation and integrated risk management encourage information sharing between organizations.
As a result, cybersecurity management becomes easier, as businesses have support from external contributors. Improvements against emerging threats are faster and more efficient. You secure processes and data against supply chain risks, and this enables your organization to build its brand through increased trust from vendors and customers.
4. Global Standard to improve critical infrastructure
The fact that NIST CSF is developed through the knowledge and experience of professionals from around the world makes it a comprehensive framework through which you may apply global best practices.
Besides the US, other governments around the world are also using this framework, including Japan and Israel. Representatives from Canada, Brazil, Japan, Saudi Arabia, and the United Kingdom, among others, have met with NIST CSF stakeholders to either adopt it or expand its implementation.
NIST CSF in action: A case study from Western Australia
How do you implement the NIST CSF to assess your cybersecurity posture and, resultantly, improve on cybersecurity measures?
A case study by Ahmed Ibrahim, Craig Valli, Ian McAteer, and Junaid Chaudhry on a local government organization in Western Australia gives us a glimpse into this.
Problem: A Western Australian local government organization didn’t have a good idea of its overall cyber risk coverage.
Assessment: The researchers used the NIST CSF to create an assessment tool. The tool helped to analyze the different CSF Functions and Categories as they relate to the organization and provided a detailed understanding of the organization’s cybersecurity coverage. Based on the findings, the researchers then clarified the types of improvements to be made to strengthen protection.
Through questions on Categories, an organization-wide understanding of requirements and risk mitigation measures was gained from executive, management, and technical personnel. Ratings were given on a scale of 0 to 10, with choices limited to the scores of 0, 5, and 10. The main goal here was to determine the organization’s implementation tier.
The findings showed that cybersecurity measures covered 36% of the Identify Function, 45% of the Protect Function, 25% of the Detect Function, 38% of the Respond Function, and 100% of the Recover Function.
Recommendations: The organization was deemed Tier 1-compliant, and measures were recommended to improve its cybersecurity profile. To summarily mention a few, these measures included:
- Establishing an asset inventory and Information Security policies, and identifying organization roles and threats.
- Strengthening access control policies
- Adopting tools to determine behavioral baselines
- Adopting response procedures that hasten and coordinate incident response across the organization.
Microsoft Power BI was utilized to maintain consistent organization-wide visibility and monitoring over the cybersecurity infrastructure.
Result: The organization achieved rapid coordinated organization-wide response to incidents and efficiently prioritized events based on severity and cost. They gained the much-needed direction toward achieving higher tiers.
You can find the full case study here.
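To make the assessment method concrete, the following is an added example and not the researchers’ own tool: a scorer for a self-assessment in the style described above. Each category is rated 0, 5 or 10 by three respondent groups (executive, management, technical); the scorer validates the ratings, computes per-Function coverage as a percentage of the maximum score, lists categories where the groups disagree by the full width of the scale, and maps the weakest Function to a tier. The Functions and categories follow this article’s breakdown rather than the full CSF 1.1 category list, and the ratings and the tier thresholds are constructed for the example, not NIST’s criteria.

```python
# Added example (not the case study's own tool): a scorer for a NIST CSF
# self-assessment. Each category is rated 0, 5 or 10 by three respondent
# groups; the Functions and categories follow the article's breakdown, and the
# ratings and tier thresholds are constructed for this example.

VALID_SCORES = (0, 5, 10)
RESPONDENTS = ("executive", "management", "technical")

CATEGORIES = {
    "Identify": ["Asset Management", "Business Environment", "Governance",
                 "Risk Assessment", "Risk Management Strategy"],
    "Protect": ["Identity Management and Access Control", "Awareness and Training",
                "Data Security", "Protective Technology"],
    "Detect": ["Anomalies and Events", "Security Continuous Monitoring",
               "Detection Processes"],
    "Respond": ["Response Planning", "Communications", "Analysis",
                "Mitigation", "Improvements"],
    "Recover": ["Recovery Planning", "Improvements", "Communications"],
}


def validate(ratings):
    """Every category needs one rating per respondent group, each in 0/5/10."""
    for function, categories in CATEGORIES.items():
        for category in categories:
            scores = ratings.get((function, category))
            if scores is None or len(scores) != len(RESPONDENTS):
                raise ValueError(f"missing or incomplete ratings for {function}/{category}")
            if any(s not in VALID_SCORES for s in scores):
                raise ValueError(f"rating outside 0/5/10 for {function}/{category}")


def coverage_by_function(ratings):
    """Percentage of the maximum score achieved per Function (rounded to 0.1)."""
    validate(ratings)
    coverage = {}
    for function, categories in CATEGORIES.items():
        achieved = sum(sum(ratings[(function, c)]) for c in categories)
        maximum = len(categories) * len(RESPONDENTS) * max(VALID_SCORES)
        coverage[function] = round(100 * achieved / maximum, 1)
    return coverage


def perception_gaps(ratings, spread=10):
    """Categories where respondent groups disagree by the full scale width,
    a sign that a control exists on paper but not in practice (or vice versa)."""
    return sorted(key for key, scores in ratings.items()
                  if max(scores) - min(scores) >= spread)


def tier_for(coverage):
    """Map the weakest Function's coverage to an implementation tier. The
    thresholds are a constructed heuristic, not NIST's own tier criteria."""
    weakest = min(coverage.values())
    if weakest < 50:
        return 1
    if weakest < 70:
        return 2
    if weakest < 90:
        return 3
    return 4


# Constructed ratings: (executive, management, technical) per category.
RATINGS = {
    ("Identify", "Asset Management"): (10, 0, 5),
    ("Identify", "Business Environment"): (5, 5, 0),
    ("Identify", "Governance"): (0, 5, 5),
    ("Identify", "Risk Assessment"): (0, 5, 5),
    ("Identify", "Risk Management Strategy"): (0, 0, 0),
    ("Protect", "Identity Management and Access Control"): (10, 5, 5),
    ("Protect", "Awareness and Training"): (5, 5, 5),
    ("Protect", "Data Security"): (5, 5, 5),
    ("Protect", "Protective Technology"): (0, 5, 5),
    ("Detect", "Anomalies and Events"): (0, 0, 0),
    ("Detect", "Security Continuous Monitoring"): (5, 5, 5),
    ("Detect", "Detection Processes"): (0, 0, 0),
    ("Respond", "Response Planning"): (5, 5, 5),
    ("Respond", "Communications"): (5, 5, 5),
    ("Respond", "Analysis"): (0, 5, 5),
    ("Respond", "Mitigation"): (5, 5, 5),
    ("Respond", "Improvements"): (0, 0, 5),
    ("Recover", "Recovery Planning"): (10, 10, 10),
    ("Recover", "Improvements"): (10, 10, 10),
    ("Recover", "Communications"): (10, 10, 10),
}

if __name__ == "__main__":
    cov = coverage_by_function(RATINGS)
    print(cov, "tier", tier_for(cov), "gaps", perception_gaps(RATINGS))
```

Tiering on the weakest Function rather than the average is deliberate: an organization that scores 100% on Recover but 17% on Detect is, in practice, one that restores systems well after incidents it never saw coming, and an average would hide that. The perception-gap list is the other output worth keeping from such a survey, since a category the executive rates 10 and the technical team rates 0 is usually a policy with no implementation behind it.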
The future of NIST CSF
The future of the NIST CSF can be seen through the NIST Cybersecurity Framework 2.0 Concept Paper released in January 2023.
NIST CSF 2.0 is projected to build on NIST CSF 1.1 by identifying exemplary Sub-categories, developing a CSF profile template, and, most impactful of all, adding a new Govern Function. NIST CSF 2.0 will also improve the coverage of supply chain risks.