The NIST Cybersecurity Framework
April 02, 2018
Jerry Beasley, Security Services Manager
Despite a growing focus on defensive efforts, the number of successful cybersecurity breaches continues to rise. To address the growing threat, in 2013 an Executive Order (EO) was issued that provided a mandate to establish a voluntary common framework for cybersecurity defense.
As a result, the National Institute of Standards and Technology (NIST) was tasked with the development of a common framework to strengthen cybersecurity defenses across critical infrastructure in all industries and organizations. This is more commonly known as the Cybersecurity Framework (CF). The NIST CF consists of standards, guidelines, and practices to promote the protection of critical infrastructure. Since its inception, the CF has been adopted in various industries.
Three Primary Elements
The NIST CF consists of three primary elements: implementation guidance, the framework core, and a framework profile. NIST provides guidance for implementation that includes a cyclic approach to evaluate risks, identify gaps in program implementation, and implement action plans to address any discovered gaps. Because risk management is the foundation of a cybersecurity program, the CF guidance emphasizes the integration of the CF into an organization’s overall risk management program.
The framework core is the meat of the CF and provides a common baseline of cybersecurity activities applicable across different industries and sectors. The framework core is aligned to the common cybersecurity functions of threat identification, protection mechanisms, threat detection, incident response, and incident recovery.
The framework profile documents the current status of an organization or, for a new program, the target status the organization wants to reach. It is essentially a snapshot of an organization’s prescribed and implemented controls. This snapshot is compared to the target profile to identify any gaps, and the gaps then drive plans to address any deficiencies in the program.
What NIST Can Do For You
For organizations with an existing cybersecurity program, the CF is intended to complement, not replace, existing risk management processes. Organizations with well-established programs should consider comparing their existing cybersecurity program to the CF in order to identify possible opportunities for improvement. Where warranted, elements of the CF can be incorporated into existing programs. Alternatively, organizations without a cybersecurity program can use the CF as a model to establish one.
Once the framework is implemented, a process to measure success should be defined. As indicated in the NIST CF guidance, one essential measurement is risk. A risk assessment identifies the risk remaining after implementation of the framework and associated controls. As part of a cyclic process, risk assessments should be conducted, and any residual risk identified must be accepted, avoided, or further mitigated by implementing additional security controls or enhancing existing ones. In this way, risk management provides the foundation of the framework and a means to identify elements of the framework that should be strengthened.
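The two activities described above (comparing a current profile against a target profile to find gaps, then deciding whether each residual risk is accepted or mitigated) can be made concrete with a small script. The following is an added illustration, not code from NIST or from the author: the outcome labels are written in the style of CF subcategory identifiers but are constructed for this example, the 0-4 implementation scale, the 1-5 impact weights and the risk appetite value are all assumptions, and the priority formula (gap size times impact) is one simple way to rank an action plan, not a NIST prescription.

```python
"""Constructed example: comparing a current CF profile to a target profile.

Scores use a constructed 0-4 implementation scale per outcome
(0 = not implemented, 4 = implemented, measured and reviewed).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    id: str           # label in the CF subcategory style, constructed for this example
    function: str     # Identify, Protect, Detect, Respond or Recover
    description: str
    impact: int       # constructed 1-5 weight: consequence if this outcome is missing


# Constructed slice of a framework core: one outcome per core function.
CORE = [
    Outcome("ID.AM-1", "Identify", "hardware assets inventoried", 4),
    Outcome("PR.AC-1", "Protect", "identities and credentials managed", 5),
    Outcome("DE.CM-1", "Detect", "network monitored for anomalous events", 3),
    Outcome("RS.RP-1", "Respond", "response plan executed during an incident", 4),
    Outcome("RC.RP-1", "Recover", "recovery plan executed after an incident", 3),
]

# Target profile (constructed): where the organization wants to be.
TARGET = {"ID.AM-1": 3, "PR.AC-1": 4, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 3}

# Current profile (constructed): what is actually in place. RC.RP-1 is absent,
# meaning nothing is implemented; the analysis treats a missing score as 0.
CURRENT = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 3, "RS.RP-1": 1}


def gap_analysis(core, current, target):
    """Return outcomes below target, highest priority first.

    priority = (target - current) * impact, so a large gap on a high-impact
    outcome floats to the top of the action plan.
    """
    gaps = []
    for o in core:
        cur = current.get(o.id, 0)
        tgt = target.get(o.id, 0)
        if cur < tgt:
            gaps.append({
                "id": o.id, "function": o.function, "description": o.description,
                "current": cur, "target": tgt, "priority": (tgt - cur) * o.impact,
            })
    return sorted(gaps, key=lambda g: (-g["priority"], g["id"]))


def residual_risk(gaps):
    """Single weighted score for the risk remaining under the current profile."""
    return sum(g["priority"] for g in gaps)


def gap_by_function(gaps):
    """Roll the gaps up to the core functions for reporting."""
    totals = {}
    for g in gaps:
        totals[g["function"]] = totals.get(g["function"], 0) + g["priority"]
    return totals


def treat_residual(gaps, appetite):
    """Assign a disposition to each gap.

    Gaps at or below the (constructed) risk appetite are accepted and recorded;
    everything else is scheduled for mitigation (raise the score to target).
    Avoiding a risk means dropping the activity that creates it, which is a
    business decision, so this helper never chooses it automatically.
    """
    plan = []
    for g in gaps:
        if g["priority"] <= appetite:
            plan.append((g["id"], "accept", "document acceptance and revisit next cycle"))
        else:
            plan.append((g["id"], "mitigate",
                         f"raise {g['id']} from {g['current']} to {g['target']}"))
    return plan


if __name__ == "__main__":
    gaps = gap_analysis(CORE, CURRENT, TARGET)
    print(f"residual risk score: {residual_risk(gaps)}")
    for function, total in gap_by_function(gaps).items():
        print(f"  {function:8s} {total}")
    for outcome_id, action, detail in treat_residual(gaps, appetite=5):
        print(f"{outcome_id}: {action} - {detail}")
```

Re-running the script after each assessment cycle with an updated CURRENT profile gives the residual-risk trend the post calls for; a gap that keeps being accepted cycle after cycle is a candidate for a stronger control rather than another acceptance.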
The most successful cybersecurity programs are those that don’t simply rely on technical controls, but clearly define a framework to address each of the essential cybersecurity functions. Combined with an ongoing risk management program, the CF can help build a strong foundation for any cybersecurity program.