You’ve SOC 2-ed from here to eternity, and you’ve got GDPR in the bag, but if you’re truly focused on security maturity, you know that your work is never done. So, what’s next? Perhaps it’s time to focus on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
Unlike GDPR and SOC 2, organizations will face no penalties for noncompliance with the NIST CSF: It’s purely voluntary. Nevertheless, it serves as a singular guideline that CISOs can look to in a world of fragmented cybersecurity regulations.
The framework was first developed in 2014, after President Obama recognized the growing risk to critical infrastructure. The Cybersecurity Enhancement Act (CEA) of that year called for expanding the role of NIST to create a voluntary framework that would identify “a prioritized, flexible, repeatable, performance-based, and cost-effective approach” to managing cyber threats. A 2017 executive order by President Trump took the framework a step further by making it federal government policy.
After years of gathering feedback, version 1.1 of the framework was released in 2018 to provide “a more comprehensive treatment of identity management,” as well as additional information on managing supply chain cybersecurity. As a living document, the NIST CSF will continue to evolve as the industry provides feedback on implementation.
As the standard the United States government developed for managing cybersecurity risk, the CSF deserves organizations’ attention. As with any standard, choosing to comply with the NIST CSF demonstrates to your clients that you’re serious about security, while improving your overall security posture and lessening the risk of a data breach and the financial losses, client churn, and reputational damage that go along with it.
Below we’ll help you understand some of the main points of the NIST CSF so you can begin putting it into practice.
NIST CSF Components
The framework is broken down into three main components, with each component driving home the connection between business drivers and cybersecurity activities:
The Framework Core
The Framework Core is a concrete set of activities to achieve desired results, along with references across all sectors to help organizations achieve the desired outcomes. The Core enables communication of cybersecurity activities from the executive level down to the operations level and consists of five concurrent and continuous Functions — identify, protect, detect, respond, and recover. Taken together, these Functions offer a high-level view of an organization’s ability to manage threats. The Core then lays out underlying outcomes (called “Categories” and “Subcategories”) for each Function, matching them with example Informative References, which include existing standards, guidelines, and documentation.
Framework Implementation Tiers
Framework Implementation Tiers are explicitly not intended as maturity levels, but in practice they function much like them. The higher the tier, the more closely an organization’s risk management practices match those defined within the framework. The four tiers are “Partial,” “Risk Informed,” “Repeatable,” and “Adaptive,” in that order. Moving from Tier 1 to Tier 4, they progress from ad hoc processes and a reactive security posture to proactive threat detection and a risk-informed, agile approach. When selecting which tier to implement, the framework suggests that organizations consider their current threat management practices alongside their individual risk profiles, legal and regulatory requirements, and any organizational constraints.
Framework Profiles
A Framework Profile represents an organization’s current cybersecurity maturity, while also serving as a roadmap for improvement toward framework goals. As a self-assessment tool, a Current Profile can be compared against a Target Profile to expose gaps in current practices and identify areas for improvement. Again, NIST urges organizations to prioritize the mitigation of those gaps in a cost-effective way that meets their individual business needs.
Implementing the NIST CSF
If there’s one overarching theme of the NIST CSF when it comes to implementation, it’s that there’s no one-size-fits-all solution. Your risk profile, regulatory requirements, and financial and time constraints are unique, and NIST urges each organization to take these factors into account when implementing the CSF.
Moreover, implementation is not an all-or-nothing proposition. Want to focus on the Framework Core but ignore the Profile for now? Fine. Can you boost your organization from Tier 2 to Tier 3, but Tier 4 is still out of reach? Great! The goal with the NIST CSF is improvement, not perfection. Without the penalties of a formal compliance regulation to hold you back, you are free to implement the NIST framework in whatever way best fits your business needs in order to boost your security maturity in an efficient and cost-effective manner.
Final Words
Ready to get started? To get a clear view of where your organization’s security maturity currently stands, take Threat Stack’s Cloud SecOps Maturity Assessment. With a clear picture of your cybersecurity strengths and weaknesses, you will know exactly where to prioritize your efforts when implementing the NIST CSF, enabling you to make the most of these guiding principles.