How Your Organization Can Benefit from the NIST Cybersecurity Framework

Everyone loves a good life hack, right? I’ve found that one such hack for those in cybersecurity is the NIST Cybersecurity Framework.

When the National Institute of Standards and Technology (NIST) first released its cybersecurity framework (now known as the NIST CSF) in 2014, it was looked to as a “gold standard” for how organizations should organize and improve their cybersecurity program. Many chose to emulate the NIST CSF since it’s the simplest one to implement and follow. But don’t let the previous sentence fool you. The NIST CSF is also complex when you really get into the weeds.

While the NIST cybersecurity framework serves several purposes, its primary goal is to reduce cybersecurity risk to an acceptable level for an organization. I’d say the close second is to provide a common language for all organization stakeholders to use to maintain clear and consistent messaging. It keeps everyone aligned and informed on the direction the organization wants to take regarding its cybersecurity posture.

In addition to having the NIST CSF as a guiding light, it also aids in identifying gaps in your knowledge. We simply don’t know what we don’t know, and often that’s due to not having experienced certain learning opportunities in our day-to-day activities. While the NIST CSF is not a one-size-fits-all framework, it’s meant to provide guidance and complement an existing risk management program. And, in the absence such a program, the framework should be leveraged to initiate one.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) is a set of guidelines designed to help organizations secure their critical infrastructure and improve their ability to identify, prevent, detect, respond and recover from cyber incidents. Today, it is embraced by many to help manage their organization’s cybersecurity risks and provide a common language to leverage between technical and non-technical teams.

While other standards and guidance have existed for many years, the need to create the NIST CSF specifically came from Executive Order 13636 Improving Critical Infrastructure Cybersecurity, which was signed in February 2013. Since then, versions 1.0 and 1.1 of the framework have been released. Version 1.1, the most recent, was released in April 2018. The NIST CSF will likely see an update soon, as the organization has indicated the goal of updating at least every three years.

So, if the framework was created to address critical infrastructure, does that mean that some organizations won’t benefit from it? Not at all.

The documentation clearly calls out that the framework can and should be used by any organization in any sector: “While the Framework has been developed to improve cybersecurity risk management as it relates to critical infrastructure, it can be used by organizations in any sector of the economy or society. It is intended to be useful to companies, government agencies, and not-for-profit organizations regardless of their focus or size.”

Essentially, all organizations should be using it to some extent to help guide them through the process of securing their assets. If I had to elevator pitch the NIST CSF, I’d say it’s a framework that provides a standardized common language for organizations to identify, assess and mitigate cybersecurity risks—resulting in a stronger cybersecurity posture. Its value is found in the simplified approach of helping organizations continuously iterate to uncover and address evolving cybersecurity risks.

So, what’s in the NIST CSF? It is composed of a Framework Core that includes Functions, Categories, Subcategories and Informative References.

Click here for a full review the five functions and some of the categories within each function.

Want some help evaluating your existing stack against the NIST CSF? Watch our on-demand webinar, Leveraging A Proven Framework to Evolve Your Stack, for some expert insight.

This guest blog is part of a Channel Futures sponsorship.