What Is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is an outline of security best practices. Produced by the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce for federal government agencies, the NIST Cybersecurity Framework is publicly available to any organization seeking to understand, manage, and protect its networks and data by reducing its cybersecurity risk.
The guidelines set forth in the NIST Cybersecurity Framework provide cybersecurity standards that apply to all government agencies as well as organizations that work in the private sector. Data users (e.g., businesses and government agencies) benefit from the added protection of NIST’s cybersecurity controls.
The three key components of the NIST Cybersecurity Framework are:
1. The Framework Core
Defining what must be done to achieve different cybersecurity results, the Framework Core is divided into four parts:
A. Functions—the five functions outlined in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover
B. Categories—for each of the five functions, categories detail specific risks and tasks that must be carried out to protect systems and data (e.g., implement software updates, install antivirus and antimalware programs, establish and enforce access control policies)
C. Subcategories—the tasks or challenges associated with each category (e.g., for the implementing software updates category, turn on auto-updates on all Windows machines)
D. Informative sources—documentation for how to execute specific tasks (e.g., how to set up auto-updates on Windows machines)
2. Implementation tiers
Define four levels of compliance, with the highest tier being the most compliant
3. Profiles
Provide an overview of an organization’s current status with regard to programs and processes in place to become NIST Cybersecurity Framework compliant
Let’s jump in and learn:
Core Functions of the NIST Cybersecurity Framework
The NIST Cybersecurity Framework provides details around five functions that work in concert to protect against threats.
1. Identify
“Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.”
– NIST Cybersecurity Framework
- Create an inventory of all systems in use (e.g., servers, laptops, desktops, software, services, smart devices, IoT devices)
- Develop a cybersecurity governance plan that details risks and requirements
- Identify who (e.g., employees, partners, and vendors) has access to sensitive systems and data and document roles and responsibilities, along with why access is required and the duration that access is needed
2. Protect
“Develop and implement appropriate safeguards to ensure delivery of critical services.”
– NIST Cybersecurity Framework
- Prevent unauthorized access to systems (e.g., networks, computers)
- Encrypt sensitive data at rest and in transit
- Back up data regularly to a remote location
- Install software updates and patches as they are available
- Train users on cybersecurity best practices (e.g., password protocols, social engineering threats)
3. Detect
“Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.”
– NIST Cybersecurity Framework
- Monitor all systems (e.g., computers, networks) for unauthorized access, devices (e.g., removable storage), connections, and software
- Investigate any unusual activities
4. Respond
“Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.”
– NIST Cybersecurity Framework
- Develop a plan for communicating to customers, employees, and anyone else whom a cyber incident may have affected
- Ensure that procedures are in place to restore operations and minimize downtime
- Report details about the incident to law enforcement and other authorities (e.g., regulators)
- Identify the root cause and contain the situation
5. Recover
“Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.”
– NIST Cybersecurity Framework
- Review the incident in its entirety
- Apply lessons learned to policies
- Repair and reinforce any impacted systems
- Communicate lessons learned to employees
Which Organizations Should Consider the NIST Cybersecurity Framework?
Experts regard the NIST Cybersecurity Framework as a tool that can and should be used by all organizations. It is a requirement for federal agencies and organizations that work for them. U.S. federal regulations such as CMMC are based on National Institute of Standards and Technology Special Publication (NIST SP) 800-171 and NIST SP 800-172. There are no legal or regulatory requirements for non-governmental organizations to follow the NIST Cybersecurity Framework, but it can improve an organization’s overall security posture by helping it:
- Assess current levels of protection against cyber threats
- Identify gaps in cybersecurity protocols
- Create new cybersecurity programs and requirements
- Implement additional cybersecurity standards and policies
Getting Started with the NIST Cybersecurity Framework
Before implementing the NIST Cybersecurity Framework, an organization should:
- Assess the maturity of its cybersecurity program to establish which tier it fits into
- Determine initial objectives and future goals
- Develop plans to achieve short-term and long-term goals
Implementation of the NIST Cybersecurity Framework is based on tiers that provide orientation and guidance for organizations as they move through the process. The implementation tiers of the NIST Cybersecurity Framework mirror the maturity levels described below.
Tier 1—Partial
Tier 2—Risk-Informed
Tier 3—Repeatable
Tier 4—Adaptable
Maturity Levels in the NIST Cybersecurity Framework
Level 1: Partial
The organization has partial cybersecurity processes in place but lacks documentation of its security and risk management practices. Security measures are reactive and not repeatable, measurable, or scalable.
Level 2: Risk-Informed
Security and risk management practices have been implemented but not formally established as an organization-wide practice. Some processes have been documented and are repeatable, but there is no formalized overarching plan.
Level 3: Repeatable
The organization’s security and risk management practices are proactive and repeatable. Programs and processes are standardized and defined to ensure the organization’s consistent application of security measures.
Level 4: Adaptable
Security and risk management are data-driven, using lessons learned and predictive indicators to refine and adapt security measures and improve their efficacy and efficiency.
Level 5: Optimized
The organization’s security and risk management practices are stable and flexible, with processes in place to support continuous improvement and innovation.
Take Advantage of Free Advice Endorsed by Security Experts
There is no such thing as a free lunch—most of the time. The NIST Cybersecurity Framework is one of the exceptions. Endorsed by experts, the NIST Cybersecurity Framework is considered to be a valuable resource in the fight against cyberthreats.
While implementing the NIST Cybersecurity Framework can be cumbersome, the results are well worth the effort. In addition, following the NIST cybersecurity guidelines helps to facilitate compliance with federal regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), and Sarbanes–Oxley Act (SOX).
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 27th July, 2022