One of the best ways for companies and organizations to bolster their cybersecurity is to commit to following a recognized compliance framework. Many compliance programs like HIPAA, PCI DSS, or GDPR are required by industries or governments, but every organization can benefit from voluntary compliance. Those that don’t fall under a specific compliance regime based on their business sector, the type(s) of data they maintain, or their state/country can use the National Institute of Standards and Technology Cyber Security Framework (NIST CSF) to build a comprehensive security program.
The History of the NIST CSF
NIST CSF was created in 2014 as a collaboration between private sector and government experts to create a unified framework that allows organizations to understand and reduce their cybersecurity risks. These guidelines were specifically designed to be applied to critical infrastructure systems in the US federal government such as transportation, healthcare and public health, food and agriculture, and many more. The framework has been widely adopted by non-governmental agencies because it provides standardized language to allow staff at all levels in an organization and across diverse businesses in a supply chain to develop a shared understanding of cybersecurity risk.
Here are some frequently asked questions and answers about NIST CSF.
Why use a framework if you don't fall under a compliance requirement?
Aligning to a framework helps to ensure that your organization’s cybersecurity isn’t missing any critical components. The NIST CSF is organized around the functions Identify, Protect, Detect, Respond, and Recover, which together make up a complete cybersecurity program.
Using a known framework also allows other stakeholders (your customers, commercial insurer, Board members, etc.) to have confidence that you are covering all areas. If you have a third-party attestation that you are meeting the requirements, it is often accepted in lieu of completing lengthy questionnaires to confirm your controls and practices.
Should the framework be applied only to the IT department?
NIST CSF provides guidance for the entire organization, including risk management. You will not realize the full benefit of the framework if it is only adopted by the IT team and not embraced, understood, and followed by the management, planning, and operations teams.
Who uses NIST CSF?
Organizations in a variety of industries from around the world have embraced the NIST CSF. Large enterprises, small/medium-sized businesses, and government agencies have all adopted the framework to make the risk management and compliance process easier to understand. A few examples include JP Morgan Chase, Microsoft, Bank of England, Boeing, Intel, the Ontario Energy Board, and many more.
How is the framework regulated?
NIST CSF was created to provide guidance and does not supersede laws or regulations that may apply to your organization. There is overlap between NIST CSF and many compliance and state requirements, so effort spent meeting NIST CSF would not be wasted if your organization were later subject to other guidelines. Organizations that wish to become compliant with NIST CSF often start with a gap assessment to understand all aspects of the framework, where they are meeting it, and where they have gaps that they need to address. Once all the guidelines are met, a third party can provide an attestation of compliance, if desired, which can be shared with stakeholders without having to share the details of every aspect of your cyber strategy and controls.
For organizations that must self-attest to a NIST Special Publication, such as NIST 800-171 for subcontractors, a gap assessment can provide assurance that you are in fact meeting all the requirements that you are attesting to, which is critical to minimize your legal exposure should an incident occur. All too often a C-Level executive will sign off on an attestation without knowing the full requirements and how they are being met.
Does the framework change?
The Framework was first published in early 2014 and is periodically updated to provide clarification and new guidelines. Version 1.1 of the NIST CSF was published in 2018, and NIST is now planning a new, more significant update to the framework: CSF 2.0.
NIST CSF 2.0 is in the later stages of development: a request for information was posted in February 2022, comments were received and analyzed as of June 2022, and the first workshop was held on August 17, 2022. A recording of that workshop can be viewed here.
Is the framework one-size-fits-all?
No, the framework serves as guidance for organizations, but shouldn’t be taken as a must-do checklist. The NIST CSF guidelines are meant to be tailored to an individual organization’s specific needs, industry, and risk tolerance. For example, the ideal framework for a large multinational corporation will look much different than that of a small or medium-sized business.
How can I get started using the NIST CSF?
The best way to get started is to perform a cybersecurity assessment to see where your organization currently sits on the cybersecurity maturity spectrum. Using the Foresite Integrated Risk Management assessment, you’ll get an idea of how your current technology and practices stack up, along with an itemized list of tools and services that can raise your security maturity to your desired level. You’ll also get a plan of action and milestones that will allow you to better understand and prioritize your next steps to increase your security.
NIST CSF By the Numbers
(Infographic; the figures themselves are not reproduced in the text.) Categories shown: critical infrastructure sectors that use the Cybersecurity Framework; states that use the Cybersecurity Framework; international translations and adaptations; total downloads as of March 2022.