The NIST Cybersecurity Framework Functions - Protect

Kyle Daun
Apr 30, 2018 1:34:03 PM

As promised in last month’s blog about the NIST Cybersecurity Framework Identify function, this month we are discussing the Protect function. After an organization has addressed the five categories within the Identify function (Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), and Risk Management Strategy (ID.RM)), the next step to consider is how, and with what, the items within those categories will be protected. While all parts of the framework are important and serve a critical purpose in the overall security of an organization, in my opinion, the Protect function should be considered the most important. The Protect function is the largest portion of the NIST Cybersecurity Framework and is defined as: "Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services." The Protect function is further broken down into six categories (outlined below), which identify specific areas that organizations should consider in their risk management analysis. Of the 98 subcategories within the NIST Cybersecurity Framework, 35 are addressed within the Identify function.

  • Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions
  • Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements
  • Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information
  • Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets
  • Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures
  • Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements

The Protect function and its numerous categories and subcategories may seem like an assessment, and it may take several days, if not weeks, to document them and to ensure that controls are in place to protect the organization and its assets. Once that work is complete, the other areas of the NIST Cybersecurity Framework become easier to assess and, where necessary, to implement controls for. That may also be because 59 of the 98 subcategories have been addressed in just the first two functions! If this blog piqued your interest and you can’t wait until the next installment, feel free to download a copy of the framework at the official website, https://www.nist.gov/framework.

In the next part of this series we will be discussing the “Detect” function. See you then!
