Our Guide to Using the NIST Cybersecurity Framework for Your Business

Posted on November 27, 2020 - by Justin Gratto - in Building Your InfoSec Program

The NIST Cybersecurity Framework is a comprehensive approach to security designed to help businesses better understand and manage their risk. If you’re looking for an approachable cybersecurity model that helps your organization adopt current best practices, then using NIST’s framework is a solid place to start.

In this guide, we cover the basics about the NIST Cybersecurity Framework. By the end, you’ll have a good sense of how this framework can help you improve your company’s cybersecurity strategy.

What is NIST?

The National Institute of Standards and Technology is a non-regulatory agency that’s a part of the U.S. Department of Commerce. NIST conducts industrial research intended to advance the United States’ position as a technological and economic leader.

However, for some businesses, NIST is best known for its series of standards and best practices regarding cybersecurity. When you hear NIST mentioned, people often mean the NIST Cybersecurity Framework (sometimes abbreviated as NIST CSF), which helps organizations understand, organize, and manage information security.

The NIST Cybersecurity Framework

The Cybersecurity Framework is the most popular of the frameworks provided by NIST. It is a voluntary set of standards created in 2014 and is often used by government agencies and contractors (though it is mandatory for U.S. federal agencies). A number of industries have broadly adopted the NIST framework, including higher education, transportation, and power grid organizations. NIST released an updated version in 2018 to refine and clarify some elements.

The NIST framework emphasizes the use of business drivers to guide a company’s overall cybersecurity strategy. In other words, you’ll primarily look at your data, personnel, devices, mission, stakeholders, and other details to develop an understanding of your cybersecurity risks and how to manage them.

The Cybersecurity Framework consists of three parts:

1. The NIST Framework Core Functions

The Framework Core consists of five elements that work together to achieve specific cybersecurity outcomes. Each of these functions contains a series of categories or tasks that your cybersecurity strategy may include.

  • Identify the business context, the resources that support your organization’s most critical functions, and the related cybersecurity risks that you must manage. Associated tasks include risk assessments, governance, and analysis of the business environment.
  • Protect the business by implementing the correct safeguards to ensure your most critical infrastructure services remain up and running at all times. Associated tasks include access control measures, security awareness training, or the use of protective technologies.
  • Detect cybersecurity events promptly. Associated tasks include detection processes, monitoring, and the logging of anomalies.
  • Respond to cybersecurity events with the correct activities or processes. Associated tasks include incident response planning, mitigation, and policy reviews.
  • Recover key operations and data to return the business to normal operations as quickly as possible. Associated tasks include business continuity planning, policy reviews, and cybersecurity communications.

2. The Framework Implementation Tiers

The Framework Implementation Tiers consider a company’s current risk management practices, threat environment, compliance requirements, and business details to identify where a business lies with its cybersecurity model. Although NIST recommends that companies at Tier 1 advance to Tier 2, the agency also notes that the Tiers are not maturity models. Companies should consider advancing to a higher tier when it’s cost-effective and reduces their cybersecurity risk.

  • Tier 1: Partial. At Tier 1, cybersecurity strategies are not formalized, and risk is managed ad hoc. Cybersecurity activities aren’t directly informed by threat environment, business requirements, or organizational risk.
  • Tier 2: Risk-Informed. At Tier 2, the company has some risk management practices, but they’re not formalized and standardized across the company. Some cybersecurity activities may be directly informed by business requirements, threat environment, or organizational risk.
  • Tier 3: Repeatable. At Tier 3, a formalized and organization-wide cybersecurity strategy exists. Policies are defined, implemented, and reviewed.
  • Tier 4: Adaptive. At Tier 4, the company displays a sophisticated approach to cybersecurity that relies on previous experience and predictive indicators within the threat environment.

3. The Framework Profile

This combines your business objectives and threat environment with any cybersecurity requirements and controls you may have. It reflects the alignment of your company’s organizational requirements, risk management, and resources that you need to meet both.

The Framework Profile will consist of your current (and desired) cybersecurity activities mapped onto the Core Functions above. Using that, you’ll identify your Tier, then review your Profile against it to determine what you still need to accomplish.

Framework Profiles are useful because they let you compare the current state of your cybersecurity strategy with the desired target state. They may reveal gaps in your strategy or blind spots in your risk management objectives. They’re also a strong starting point when formalizing policies and procedures across an entire organization.

Why Use a Framework?

Some companies use one framework to set their security policies and the backbone of their program. But companies may also want to extend their information security program to achieve compliance with multiple frameworks (such as SOC 2 or the CIS Controls framework, which are covered within Securicy’s information security management platform) which can open up opportunities with different industries. Most frameworks have some overlapping best practices, so once you have one framework in place it becomes easier to meet the requirements of an additional one. Cybersecurity professionals love frameworks for a few reasons:

  • They provide a methodical yet flexible approach to security: When you use a framework, you have all you need for the basis of building an information security program at your fingertips. Your security may not look exactly like the framework, and that’s fine; it’s a framework, not a stone tablet. Some controls or strategies in the framework may not be relevant, while others not included in the framework may be adopted.
  • They promote best practices: Frameworks like NIST represent a forward-thinking approach to cybersecurity.
  • They’re meant to be approachable: Some frameworks, like NIST CSF or CIS Controls, are designed to be approachable so that small businesses can implement them.
  • They get a cybersecurity policy in place quickly: Cybercriminals aren’t going to wait for you to get protected before they attack. Using a framework is one way to fast-track your cybersecurity strategy.
  • They can be weighted by impact: Frameworks such as CIS Controls are ranked from most impactful to least impactful. The CIS Controls are a ranked list of the 20 most critical controls for organizations. It is claimed that implementing just the top 5 controls in the framework will prevent 85% of all cyber attacks, while implementing all 20 will prevent 96%.

Implement the NIST Cybersecurity Framework with Securicy

Developing cybersecurity policies can be a chore, but not if you have the right tools. If you’re just getting started developing your policies, pick up a free trial of Securicy to generate five free policies and see how you can use our platform to strengthen your security posture.

The NIST Cybersecurity Framework is one of the top frameworks available for businesses to implement and is widely recognized. By using a framework like NIST, you can assure customers you’re able to protect their data and win over prospects to close bigger deals.

Get custom information security policies generated for your business in minutes. Securicy guides you through creating, implementing, and managing a cybersecurity program.


About the author

Justin Gratto is a Canadian Army veteran, experienced information security professional, and the Senior Director of Product at Securicy. Justin is responsible for product ownership at Securicy, a SaaS platform that assists businesses through creating, implementing, and managing their information security and privacy compliance program. He is also involved in advisory service delivery, and holds the responsibility of Security and Privacy Officer at Securicy. When Justin isn’t performing his duties at Securicy, he likes to go on adventures to new places to visit, learn about, and taste different cultures. He is from Nova Scotia, Canada.