All You Need to Know about NIST Cybersecurity Framework
In 2022, cyberthreats are a common issue for organizations large and small, whatever industry they are in. Unfortunately, many businesses still have a limited understanding of cybersecurity measures, and a lot of them improve their security only reactively, in response to undesirable events that have already occurred. Implementing a proactive security strategy is a difficult task, but it becomes much easier when following the NIST Cybersecurity Framework guidelines.
Maxima Consulting has regarded cybersecurity as one of its top priorities since its inception in 1993. You can learn why it is so important in our blog post here.
What does NIST stand for?
NIST stands for the National Institute of Standards and Technology, a non-regulatory agency of the US Department of Commerce that replaced the National Bureau of Standards in 1988. Its mission is to promote innovation and industrial competitiveness in the United States, but its standards and guidelines are influential and highly regarded internationally.
What is the NIST Cybersecurity Framework?
The Framework is based on existing standards, guidelines, and practices. It serves as guidance for all organizations that seek to reduce cybersecurity risk by providing a set of recommendations that enable businesses to:
- determine their current cybersecurity status (including weak points),
- define the desired level of cybersecurity,
- better identify and prioritize areas for improvement,
- assess progress towards set goals,
- effectively communicate on the topic of cybersecurity risk with internal and external stakeholders,
- stay in control of the organization’s cybersecurity efforts.
It’s important to note that individual businesses should always customize their use of the Framework to suit their unique needs. As different organizations struggle with various risks, their approach to cybersecurity has to reflect that. If you don’t know where to start, consider contacting the Maxima Consulting security experts.
The main components of the NIST Cybersecurity Framework
The NIST Cybersecurity Framework consists of three parts:
- The Framework Core is a set of industry standards, guidelines, and practices presented in a way that allows for unambiguous communication of cybersecurity-related issues. The core consists of 5 functions (Identify, Protect, Detect, Respond, Recover) that provide a strategic view of cybersecurity risk management in any organization.
- Framework Implementation Tiers describe the degree to which an organization follows the guidelines defined in the NIST Framework, from Tier 1: Partial (informal and/or reactive responses to threats) to Tier 4: Adaptive (agile and risk-informed approach).
- A Framework Profile serves as a tool for adjusting the Framework Core standards and guidelines to the needs of a particular organization. Organizations also use it for tracking the progress from the current to a desired state of cybersecurity.
Four elements of the Framework Core
The NIST Cybersecurity Framework Core arranges various cybersecurity actions in sets designed to support specific outcomes. It's not a checklist of actions to perform but rather a guide presenting key cybersecurity outcomes in a helpful and organized manner.
The Core comprises four elements:
- Functions represent basic sets of cybersecurity activities at their highest level.
- Categories divide Functions into groups of outcomes by particular needs (e.g., “Asset Management” and “Detection Processes”).
- Subcategories further divide Categories into more specific outcomes.
- Informative References present common standards, guidelines, and practices that serve as examples of methods to achieve the specific outcomes.
What are the 5 functions described in the NIST Cybersecurity Framework Core?
The Framework Core organizes elementary cybersecurity activities in five sets, known as Functions: Identify, Protect, Detect, Respond, Recover. Each set consists of several actions needed to achieve specific cybersecurity outcomes. To effectively address the dynamically changing cybersecurity risks and impact the company culture permanently, these Functions have to be performed concurrently and continuously.
The first Core Function’s goal is to gain insight into your organization and IT environment. In other words, it’s about identifying what you have, what you need to protect, and where the cybersecurity risks are. The Identify Function is crucial for effective use of this Framework, as understanding the business context and available resources will serve as a base for all other activities.
The Identify Function maps your organizational environment and the resources that support critical functions. You decide where the focus should be and prioritize your cybersecurity efforts, in accordance with the previously established risk management strategy and organizational requirements.
After you understand where your company stands when it comes to cybersecurity, you can start developing and implementing safeguards against cybersecurity incidents. This is the second Function, Protect, and its actions include:
- setting up appropriate security measures to guarantee the delivery of critical infrastructure services,
- limiting or preventing the impact of a security incident,
- using the best practices in protecting key data.
Some activities that fall under the Protect Function are firewalling, DDoS mitigation (the "car wash" described below), and Backup as a Service.
"A DDoS attack cannot be prevented. There are only measures to avert them so that the impact is minimal.
The first method is Blackholing, which literally means creating a “black hole”. This method turns all traffic flowing to the affected site into a “black hole”. This may eliminate problems with the provider, but it also makes the target's services unreachable.
A better, but also technically more complicated and more expensive method is "mitigation". Mitigation is comparable to a car wash for internet traffic. All traffic goes through the car wash and is flushed. The dirty internet traffic stays behind, and only the clean (real) traffic goes outside.
Here, it is a challenging job to spot the bad traffic. This is done by software that continuously learns what comes in and makes decisions based on the behavior of the traffic. Also, an attacker can switch the gun from side to side, forcing the software to relearn what is right and wrong. Mitigation provides a solution whereby the services can continue to run, but it is not flawless and can sometimes also cause downtime."
- Peter Ticoalu, Business Development Manager Benelux at Maxima Consulting
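The trade-off between blackholing and scrubbing can be seen on a small traffic sample. The following Python block is an added illustration, not code from the original article, from Maxima Consulting, or from any DDoS product. The addresses (RFC 5737 documentation ranges), packet rates, time buckets and the "10× clean baseline" per-source limit are constructed assumptions chosen to expose the behavior described in the quote, not captured traffic or a vendor's algorithm.

```python
"""Blackholing vs. scrubbing on a constructed traffic sample.

Added example for the DDoS discussion above; it is not code from Maxima
Consulting or from any DDoS product. Addresses, packet rates and time
buckets are constructed assumptions, not captured traffic.
"""
from dataclasses import dataclass

VICTIM = "203.0.113.10"                                         # assumed attacked service
LEGIT_SRCS = {"198.51.100.7", "198.51.100.8", "198.51.100.9"}   # assumed real clients


@dataclass(frozen=True)
class Flow:
    second: int     # one-second time bucket
    src: str
    dst: str
    packets: int    # packets seen from src to dst in that bucket


def sample_flows():
    """Constructed sample: seconds 0-1 are clean, seconds 2-3 carry a
    single-source flood, seconds 4-5 carry the same volume spread over 200
    sources (the attacker 'switches the gun' so no single source stands out)."""
    flows = []
    for t in range(6):
        for client in sorted(LEGIT_SRCS):
            flows.append(Flow(t, client, VICTIM, 40))
        flows.append(Flow(t, "198.51.100.50", "203.0.113.11", 30))  # unrelated host
        if t in (2, 3):
            flows.append(Flow(t, "192.0.2.1", VICTIM, 50_000))
        elif t in (4, 5):
            flows.extend(Flow(t, f"192.0.2.{i}", VICTIM, 250) for i in range(1, 201))
    return flows


def blackhole(flows, victim):
    """Blackholing: the provider discards every packet destined to the victim.
    The rest of the network is relieved; the victim's service is unreachable."""
    return [f for f in flows if f.dst != victim]


def learn_per_source_limit(flows, victim, clean_seconds, factor):
    """Baseline the highest per-source rate seen toward the victim during a
    clean window and allow 'factor' times that before a source is judged to
    be flooding (assumed, simplified stand-in for a learning scrubber)."""
    clean = [f.packets for f in flows if f.dst == victim and f.second in clean_seconds]
    return max(clean) * factor


def scrub(flows, victim, per_source_limit):
    """Scrubbing ('car wash'): drop only flows toward the victim whose source
    exceeds the per-source limit; every other flow is forwarded unchanged."""
    return [f for f in flows if not (f.dst == victim and f.packets > per_source_limit)]


def tally(flows, victim):
    """Packets that reached the victim, split into legitimate and attack."""
    to_victim = [f for f in flows if f.dst == victim]
    legit = sum(f.packets for f in to_victim if f.src in LEGIT_SRCS)
    attack = sum(f.packets for f in to_victim if f.src not in LEGIT_SRCS)
    return {"legit": legit, "attack": attack}


if __name__ == "__main__":
    flows = sample_flows()
    print("unmitigated:", tally(flows, VICTIM))
    print("blackholed: ", tally(blackhole(flows, VICTIM), VICTIM))
    limit = learn_per_source_limit(flows, VICTIM, clean_seconds={0, 1}, factor=10)
    print(f"scrubbed at {limit} pps/source:", tally(scrub(flows, VICTIM, limit), VICTIM))
```

Blackholing removes all 200,000 attack packets but also all 720 legitimate ones, which is the "unreachable" outcome the quote describes. Scrubbing at the learned 400 packets-per-source limit removes the single-source flood while the real clients keep working, but once the attacker spreads the same volume over 200 sources at 250 packets each, every attack flow sits under the limit and 100,000 attack packets are forwarded. The scrubber then has to relearn a tighter limit (and risks cutting off real clients) or fall back to blackholing, which is the downtime the quote warns about.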
The Detect Function is about recognizing when a cybersecurity event happens. Creating proper plans allows you to identify and interpret suspicious traffic and behavior in a timely manner. Solutions included in that Function may be:
- applying continuous monitoring of the network and users,
- ensuring that processes and procedures are in place and in line with the cybersecurity needs of a company,
- other ways to recognize potential threats and anomalies.
The fourth Function, Respond, is used to plan an appropriate response for when a cybersecurity incident actually happens. The aim is to create processes that reduce the impact of a cybersecurity incident as much as possible, for example a schedule describing who takes which actions and when. This Function requires a thorough communication plan and an extensive analysis of what is happening. Taking the Respond Function seriously means the company has procedures for mitigation measures and the cybersecurity team learns from incidents that have already happened.
The last Function of the NIST Cybersecurity Framework is Recover. It comprises activities and plans that support the resilience of the systems and the process of restoring any capabilities or services impaired by a cybersecurity incident. The organization uses Recover to ensure that the team knows how to restore services and systems to normal quickly and thoroughly. You can achieve this by creating procedures that increase the resilience of your systems and provide ways to restore what has been affected by the incident.
What are the NIST Framework Implementation Tiers?
The Framework Implementation Tiers describe the degree of sophistication in an organization’s cybersecurity risk management. An organization that wants to benefit from the Framework should determine the desired Tier after considering:
- business, legal, financial, and organizational constraints,
- the company goals,
- the feasibility of implementing the chosen Tier,
- the degree of cybersecurity risk reduction it provides.
There are four Tiers in the NIST Cybersecurity Framework:
- Tier 1: Partial, where cybersecurity risk management is not formalized, resulting in risk being managed in an ad hoc way. In Tier 1 organizations, the awareness of cybersecurity risks and security collaboration with external entities is limited.
- Tier 2: Risk Informed, where practices regarding risk management are defined but not established organization-wide. In Tier 2 organizations, cyber risk assessment and information sharing are typically limited.
- Tier 3: Repeatable, where cybersecurity policy is formally established on an organizational level and regularly updated. In Tier 3 organizations, response to changes in risk is based on consistent methods, and external cybersecurity collaboration goes both ways.
- Tier 4: Adaptive, where cybersecurity practices are continuously improved based on previous and current events. In Tier 4 organizations, risk-informed policies and processes are defined and used organization-wide. Cybersecurity is a part of the organizational culture. Security information is structured, understood, and shared with internal and external collaborators.
Framework Implementation Tiers Vs. Maturity Levels
Tiers don’t represent cybersecurity maturity levels. They support the decision-making process by establishing how cybersecurity risk should be managed and by simplifying prioritization. Measuring the maturity level of an organization requires one of the existing maturity models, like the Capability Maturity Model Integration.
Although Tier 1 organizations are encouraged to move towards a higher Tier, this progression should only come after a thorough cost-benefit analysis.
What is a NIST Framework Profile?
Organizations create a Framework Profile to align the Functions, Categories, and Subcategories with their business requirements, risk tolerance, and available resources. Building Current and Target Profiles is the first step in establishing a cybersecurity risk reduction roadmap that is compatible with and achievable by the organization:
- The Current Profile describes the cybersecurity outcomes the organization currently achieves.
- The Target Profile expresses the outcomes needed to reach the desired security goals.
NIST Framework Profile examples
You will find profile examples demonstrating how various organizations apply the NIST Cybersecurity Framework on the NIST website, including profiles from the Cyber Risk Institute, the IRS Security Summit, and the US Coast Guard.
Why should your company use the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework was designed to help businesses with a number of cybersecurity challenges. It helps prioritize investments in cybersecurity risk management and provides a common language for discussing security issues with internal and external stakeholders.
Maxima Consulting expert consultants understand the rules of cybersecurity risk management very well, and their experience can be a valuable asset to your organization. Consider booking a complimentary meeting so we can talk about the adaptation of the NIST Cybersecurity Framework to your company’s unique requirements.