Organizations that don't fall under a specific compliance requirement based on their business sector, the type(s) of data they maintain, or their state can use the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) to build a comprehensive security program.
Here are some frequently asked questions and answers about NIST CSF:
1) Why use a framework if you don't fall under a compliance requirement? Aligning to a framework helps ensure that your organization's cybersecurity program isn't missing any critical components. The NIST CSF includes guidelines to identify, protect, detect, respond and recover, all of which are part of a complete cybersecurity program.
Using a known framework also gives other stakeholders (your customers, commercial insurer, Board members, etc.) confidence that you are covering all areas. If you have a third-party attestation that you are meeting the framework's requirements, it is often accepted in lieu of completing lengthy questionnaires to confirm your controls and practices.
2) Should the framework be applied only to the IT department? NIST CSF provides guidance for the entire organization, including risk management. You will not realize the full benefit of the framework if it is adopted only by the IT team and not embraced, understood and followed by management.
3) How is the framework regulated? NIST CSF was created to provide guidance and does not supersede laws or regulations that may apply to your organization. There is considerable overlap between NIST CSF and many industry and state requirements, so effort spent meeting NIST CSF would not be wasted if your organization later became subject to other guidelines. Organizations that wish to become compliant with NIST CSF often start with a gap assessment to understand all aspects of the framework, where they already meet it, and where they have gaps to address. Once all of the guidelines are being met, a third party can provide an attestation of compliance if desired, which can be shared with stakeholders without disclosing the details of every aspect of your cyber strategy and controls. For organizations that must self-attest to a NIST Special Publication, such as NIST 800-171 for subcontractors, a gap assessment provides assurance that you are in fact meeting all of the requirements you are attesting to, which is critical to minimizing your legal exposure should an incident occur. All too often a C-level executive will sign off on an attestation without knowing the full requirements and how they are being met.
4) Does the framework change? The Framework was published in 2014 and is being updated to provide clarification and new guidelines. The draft of NIST CSF v1.1 is in final revisions. Stay tuned for an upcoming blog post that will explain the changes once the final version is released in early 2018.