The NIST Cybersecurity Framework - An Overview

Many people think of important dates in history and may think of July 4, 1776, the date the U.S declares independence, or July 20, 1969, Neil Armstrong walking on the moon. Another important date, while maybe not on the same scale, is still an important date in NIST history. On January 1, 2018 the federal government began requiring every federal government contractor to apply the security controls outlined in NIST 800-171. With this new guidance many organizations are taking a deeper look into what exactly is NIST, and what their organizations need to do to be in adherence with the various NIST standards. This blog series will outline the different parts of the NIST cybersecurity framework and show why all organizations should apply the standards, guidelines, and best practices outlined in the NIST cybersecurity frameworks.

The NIST cybersecurity framework consists of five different functions (Identify, Protect, Detect, Respond, & Recover) which outline standards, guidelines, and best practices to manage cybersecurity risk. These functions are separated into 22 categories, and then divided into 98 subcategories. For each subcategory "Informative Resources", most of which require a paid membership or purchase to access their respective guides, reference specific sections of a variety of other information security standards, including ISO 27001, COBIT, NIST SP 800-53, ISA 62443, and the Council on Cybersecurity Critical Security Controls. The cost and complexity of the framework has resulted in bills from both the House of Representatives and the Senate that directed NIST to create Cybersecurity Framework guides that are more accessible to small and medium businesses. Now if that doesn’t make you feel a stressed about completing a NIST assessment then maybe you are of those people that have one of the Top 10 most stressful jobs in the U.S.!

The first function that will be discussed is Identify. The NIST Cybersecurity framework defines the Identify category as; "Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities." The Identify function is further broken down into five categories (outlined below) which identify specific areas that organizations should consider in their risk management analysis. Of the 98 subcategories within the NIST Cybersecurity framework, 24 are addressed within the Identify function.

• Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
• Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
• Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
• Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
• Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Now if that isn’t exciting I don’t know what is (insert sarcasm as appropriate). While NIST may be dry and somewhat complicated, as mentioned before, all organizations, regardless of size should take a closer look into the standards and begin formulating a risk analysis based on the framework. If this blog peaked your interest and you can’t wait until the next installment, feel free to download a copy of the framework at the official website https://www.nist.gov/framework. The next part of this series will be discussing the “Protect” function. See you then!