The National Institute of Standards and Technology (NIST) released its voluntary Cybersecurity Framework for reducing cyber risk to critical infrastructure in February 2014. Organizations of all sizes and sectors across the U.S. now use it as a baseline for developing security policies, procedures, and practices, particularly when the organization does not fall under a specific regulatory compliance regime.
Foresite uses the NIST framework as the standard when evaluating the cyber security posture of clients. We are often asked these questions about it:
Are organizations that don’t fall under a specific compliance requirement (PCI, HIPAA, SOX, etc.) required to follow NIST?
No. Use of the NIST framework is voluntary, but it provides a common structure for reviewing what is in place for risk management, and it is increasingly the reference point that customers, insurers, and auditors expect to see.
Does NIST provide a checklist of what all organizations should do?
No. The NIST framework is guidance that must be tailored to the configuration and risks of each organization. It describes outcomes to achieve, not the specific controls that achieve them, so your own risks and your tolerance for them need to be factored in when deciding how to implement it. As an example, the framework expects known vulnerabilities to be remediated and systems kept patched, but a manufacturer may run a production machine whose control software has no version compatible with a current, supported operating system. If that machine is not connected to the internet and does not store or transmit sensitive data, the implementation might be to segregate it on its own network and leave it “as is”. Two caveats apply: the segregation has to be real (no routes to the business network, restricted physical and removable-media access, and monitoring of whatever connections remain), and the accepted risk should be documented and revisited periodically rather than simply forgotten.
Who developed the standards within the NIST framework?
More than 3,000 people from the technology industry, academia, and the U.S. government collaborated through a series of workshops and webinars to create the framework, which draws on existing standards and practices rather than inventing new ones.
How often is the NIST framework updated?
The NIST framework was designed to be a “living” document that is updated as needed to address evolving threats. The first version was released in February 2014. Later that year, NIST issued a Request for Information and held a workshop to gather information on how well the framework was meeting users’ needs, and summarized the results in December 2014. There was widespread agreement that it was too early to revise the framework, but NIST continues to review feedback to determine when an update is warranted.
How can I apply the NIST framework to my organization?
The first step is typically a gap assessment to confirm which aspects of the framework you already have in place, which (if any) do not apply to you, and which areas need remediation to reduce risk. In the framework’s own terms, this means documenting a Current Profile against the categories and subcategories of the Framework Core, defining a Target Profile that reflects your risk tolerance, and prioritizing the differences between the two. The resulting gap assessment report provides specific recommendations for the areas where controls, processes, or policies are missing or inadequate.