In 2013, the U.S. President, Barack Obama, passed an order to boost cybersecurity. The order required the development of a risk-based cybersecurity framework for managing cybersecurity risks for essential infrastructure services. A framework was later developed through an international partnership between small and large businesses spearheaded by the National Institute of Standards and Technology (NIST). Here is a look at the NIST Cybersecurity framework and why it is essential.
An Overview Of The NIST Cybersecurity Framework
The NIST CF framework aims to help businesses employ an assessment of potential business risks, so they can use the framework efficiently and effectively. The framework has three sections: the Framework Core, Framework Implementation Tiers, and Framework Profiles.
The Framework Core implies a series of activities, consequences, and references that show different approaches to elements of cybersecurity. The core has five functions subdivided into 22 categories and 98 subcategories.
The Framework Implementation Tiers help organizations demonstrate their perception of cybersecurity risks and how to manage these risks. On the other hand, a framework profile details the outcomes an organization has chosen from the categories and subcategories based on its needs and risk assessments.
The Importance of NIST
The Federal Information Security Management Act (2002) and the Federal Information Security Modernization Act (2014) require U.S. Government institutions to apply information security controls through a federal risk-based approach towards information security assessment. Each institution should present its compliance reports on an annual basis to the Office of Management and Budget (OMB). To comply with FISMA requirements, you must be compliant with NIST standards. Information systems run by non-governmental institutions on behalf of U.S. Government corporations are also required to issue reports of their compliance against FISMA.
The NIST Framework
The NIST framework has functions that are further divided into different categories. These functions are as follows:
- Identify: This function requires an organization to identify and quantify the key aspects of their business, including systems, data, personnel, policies and procedures, and the environment. At this stage, an organization should recognize the risks posed by hackers and develop a strategy for addressing these risks.
- Protect: This function requires the introduction of safeguards and protocols that limit exposure to cyber threats. This involves access control, data security, and employee training and awareness.
- Detect: This function requires an organization to implement a security monitoring infrastructure that can detect anomalous activity, which can compromise security. It also involves the constant testing and maintenance of these surveillance measures.
- Respond: This function requires that after the detection of a threat, the organization lays down an effective strategy to address the incident and reduce its impact. It also calls upon the relevant authorities to be informed and for the affected business to learn from the security breach to better defend themselves against similar breaches in the future.
- Recover: This function requires companies to adopt plans and set up an infrastructure that can restore any functionality that has been compromised by a breach and restore a business to its normal operations. It also requires companies to liaise with other parties and share crucial information to better prepare themselves for future breaches.
Each of these functions is split into categories. These are groups of outcomes associated with specific activities. For example, asset control, asset management, and detection processes. Subcategories divide a category further into specific outcomes of management and technical activities. For example, catalogs for information systems, notifications from detection systems are reviewed, and data-at-rest is protected.
How To Implement The NIST Framework?
The first step is for an organization to use the framework to create a profile that lays out its cybersecurity activities and their outcomes. The next step is for the organization to create a target profile that matches the organization’s critical infrastructure sector. The following are some steps used to develop a new cybersecurity program or update your current one. You should repeat these steps where necessary to improve your cybersecurity.
- Set your priorities and scope
- Create a current profile
- Create a target profile
- Perform a risk assessment
- Determine, analyze, and prioritize gaps
- Implement an action plan
While there is no mandatory legal requirement for organizations to implement these measures, some clients and suppliers only work with organizations that use and implement these standards.
How Is FedRAMP Connected To NIST?
FedRAMP permits U.S. Government agencies to benefit from cloud services. Cloud Service Providers (CSPs) provide cloud products like SaaS, PaaS, and IaaS for sale to the government. Since these products should adhere to the standards of FISMA, FedRAMP simplifies the security assessment process. The aim is to develop a faster authorization management program.
FedRAMP depends on NIST SP documents for system controls and risk management protocols. As a result, it is clear the controls that are managed by the CSP and the ones that are managed by an agency that buys the cloud services. For example, a SaaS dealer will provide the same physical security protections to everyone who uses its systems because they will be relying on one data center. This results in a low risk for the users of its systems. The agency that buys the SaaS product is liable for developing suitable password controls that are sufficiently secure.
When a CSP wants to sell their services to a government agency, they must adopt controls that apply to the services they are selling. They should then have their services assessed by a third-party assessment organization. This assessment will be used by any other agencies who are interested in buying the CSP’s services. This saves a lot of time and money since other government agencies will not have to conduct a separate assessment for the same service or product.
NIST Equivalents In The UK
NIST CSF is considered a gold standard of best practice with regards to cybersecurity. It has many language translations and is part of the legislation in many countries. In the UK, there are several pieces of law that are based on CSF’s methods and objectives. These include:
Minimum Cyber Security Standard (MCSS): This standard was developed in June 2018 and is based upon the precepts of the CSF. While it does not include the five functions of the CSF and also omits some categories, it’s a close model of the CSF standard.
Health and Safety Executive (HSE) Operational Guidance on Industrial Automation and Control Systems (IACS): This guide was established in March 2017 to promote safety and reduce health risks in the industrial field. The standard aims to minimize work-related accidents caused by a cybersecurity breach.
Networks and Information Systems (NIS) Directive: Established by the EU in July 2016, the directive aims at standardizing cybersecurity laws in all the EU member states. Each of the EU member states incorporated this directive in their respective laws.
All of these standards are not written in stone because cybersecurity has different applications depending on the industry in question. For example, a business in the IT services will have a different way of applying these standards when compared to an industry in the transportation business. This means the laws are not a one-size fit all legislation system. Therefore, companies are allowed to interpret the laws independently and ensure their security measures are compliant.
Many organizations acknowledge NIST as a resource for improving security operations. FedRAMP uses NIST guidelines to help government agencies apply cloud services more efficiently and securely. UK agencies have also adopted NIST standards in their cloud security legislation. This shows how credible the NIST framework is across the globe.
The NIST is an ideal guideline for transforming an organization’s security posture and risk management approach from a reactive one to a proactive one. The NIST framework does not only help organizations understand security threats and vulnerabilities, but it also enables them to reduce these risks with effective measures. This framework also helps organizations respond and recover from cybersecurity incidents. Organizations that apply these measures never go wrong when it comes to protecting their employees, clients, information, and assets from cybercriminals.
Shahrukh, is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Masters degree in Information Security, an OSCP and has a strong technical skillset in offensive security.