The NIST Cybersecurity Framework, or NIST CSF, is the result of Executive Order 13636 of February 2013, titled “Improving Critical Infrastructure Cybersecurity”, and roughly 10 months of workshops and public comment involving more than 3,000 security professionals; version 1.0 was published in February 2014 and version 1.1 (the edition whose category and sub-category counts are used below) in April 2018. It is a risk-based compilation of guidelines that helps organizations identify, implement, and improve cybersecurity practices, and it creates a common language for communicating cybersecurity issues both internally and with partners, regulators, and suppliers. The Framework is designed to evolve in step with changes in cybersecurity threats, processes, and technologies.
Although it was developed for critical infrastructure specifically, the Framework provides an assessment mechanism that any organization can use to determine its current cybersecurity capabilities, set goals for a target state, and establish a plan for improving and maintaining its cybersecurity program.
The Framework establishes the five core Functions of effective cybersecurity as Identify, Protect, Detect, Respond, and Recover. Each of the five Functions is then expanded into Categories and Sub-categories, 23 and 108 in total. The Functions are ordered to give a logical flow of objectives. The first, Identify, is to establish the organization's risk tolerance and to provide governance to the employees tasked with implementing the organization's documented and defined standards. The second step is to Protect the assets we identified in step one.
The Protect function outlines appropriate safeguards to ensure delivery of critical services and supports the ability to limit or contain the impact of a potential cybersecurity event.
Examples of outcome Categories within this Function include:
- Identity Management, Authentication and Access Control (PR.AC): managing identities, credentials, and access to assets, including physical and remote access
- Awareness and Training (PR.AT): empowering staff through awareness and training, including role-based and privileged-user training
- Data Security (PR.DS): managing information and records consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information
- Information Protection Processes and Procedures (PR.IP): maintaining and managing the policies, processes, and procedures that protect information systems and assets
- Maintenance (PR.MA): performing maintenance and repair of organizational resources, including remote maintenance, consistent with policy
- Protective Technology (PR.PT): managing technical security solutions so that the security and resilience of systems and assets are consistent with organizational policies, procedures, and agreements
Some may look at the 6 Categories and 39 Sub-categories of the Protect Function and think, “well, that's sort of light compared with other frameworks and standards.” That's true, and it's intentional. The goal is to make the Framework accessible to all organizations regardless of size and complexity. The great part about the NIST CSF is the crosswalk: each Sub-category is mapped to the corresponding controls in several other frameworks and standards (the CSF calls these Informative References), so the CSF can be as deep or as light as you need it to be. You may think the 7 Sub-categories under “Identity Management, Authentication and Access Control” are not detailed enough for your organization. Not to worry. As just one example, Sub-category PR.AC-1, “Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes”, maps to the following:
| Informative Reference | Mapped controls |
|---|---|
| CIS Controls | 1, 5, 15 |
| ISA 62443-3-3:2013 | SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9 |
| ISO/IEC 27001:2013 | A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3 |
| NIST SP 800-53 Rev. 4 | AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11 |
Multiply that one table by the 39 Sub-categories of Protect (and the 108 across the whole Framework) and you'll see why the CSF adapts to both the most advanced and the least mature organizations.
A common and effective combination is to use the NIST CSF as the organizing structure, ISO/IEC 27001 for the administrative and management-system side, and the CIS Controls (the “CIS Top 20”) for the technical side. Because all three are already crosswalked to each other through the Informative References, this gives a thorough implementation without having to reconcile the frameworks yourself.
Remember that the first step is building a Current Profile of where your organization is today and a Target Profile of where you want it to be. Comparing the two tells you where you need the crosswalk to go deeper and where the CSF Sub-category itself is sufficient. Each organization's profiles will differ based on its needs, data classifications, budget, regulatory obligations, and so on.
So far we have identified and protected. What's next? Even the greatest protections in the world can be defeated, so how do we detect when the bad thing happens? Stay tuned!