What is NIST?
NIST (the National Institute of Standards and Technology) is a non-regulatory agency that promotes and maintains standards of measurement to enhance economic security and business performance.
In response to growing security concerns, NIST created the CSF (Cybersecurity Framework) and RMF (Risk Management Framework) for organizations to use as guidance for cybersecurity best practice. In January 2020, it released the Privacy Framework to help organizations better protect personal data.
What is the NIST CSF (Cybersecurity Framework)?
The CSF is a voluntary framework primarily intended for critical infrastructure organizations to manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices.
However, the CSF has proven flexible enough to be implemented by non-US and non-critical infrastructure organizations. The CSF is a living document – it recognizes that continual improvement is necessary to adapt to changing industry needs.
The framework is divided into three sections: the core, profiles, and implementation tiers:
- The core comprises five functions (Identify, Protect, Detect, Respond, and Recover), which are further divided into categories and subcategories. These describe activities and outcomes that can help organizations manage their cybersecurity risks.
- Profiles are selections of core functions, categories, and subcategories that help organizations prioritize the outcomes and activities that best meet their risks or business needs. An organization’s current profile sets out its existing cybersecurity risk management outcomes, and a target profile indicates the outcomes it wishes to achieve.
- The four implementation tiers (partial, risk informed, repeatable, and adaptive) have been designed to help organizations reach their desired target profile. They can progress from one tier to the next as the maturity of their cybersecurity risk management processes increases.
At the center of these activities lies risk management. Taking a risk-based approach is generally key to effective security, which is also reflected in the international standard for information security – ISO 27001. To help organizations better manage their risk, NIST published its dedicated RMF.
NIST RMF (Risk Management Framework)
NIST’s RMF provides a structured approach to risk management, ensuring that risk is managed in line with the organization’s requirements, business objectives, and risk appetite. As stated earlier, effective risk management is fundamental to an organization’s cybersecurity.
The RMF is effectively a six-step cycle. After identifying your critical assets and their associated risks, you determine how significant those risks are and whether they require treatment. If they do, you implement appropriate controls, which must be documented and checked. Once these controls have been authorized, they must be monitored on an ongoing basis, which in turn drives continual improvement.
NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management
The Privacy Framework is a tool to help organizations manage their privacy risks and demonstrate compliance with laws such as the CCPA (California Consumer Privacy Act) and the European Union’s GDPR (General Data Protection Regulation).
Designed to complement the CSF, the Privacy Framework applies the same approach, describing the core, profiles, and implementation tiers applied to privacy concerns.
The Privacy Framework core’s five functions are Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P.
Organizations can also use the CSF’s Detect, Respond, and Recover functions to address cybersecurity-related privacy events, or can use the functions from both frameworks to address cybersecurity and privacy risks collectively.
Version 1.0 of the NIST Privacy Framework was released in January 2020.
NIST implementation and compliance
In May 2017, President Trump signed an executive order mandating agency heads to manage their cybersecurity risk using NIST’s CSF. They were also required to provide a “risk management report” to the Secretary of Homeland Security and the Director of the OMB (Office of Management and Budget), which must include an implementation action plan.
Even without this requirement, implementing the CSF has several notable advantages for organizations in general. Due to its flexible nature, the Framework is a good way of achieving compliance with laws and regulations where information security is key, including HIPAA (Health Insurance Portability and Accountability Act), FISMA (Federal Information Systems Management Act), and SOX (Sarbanes–Oxley Act). Knowing that the CSF is widely implemented by similar organizations also allows for a ‘common language’, resulting in better communication when sharing threat information.
NIST SPs (Special Publications) 800-53 and 800-171
NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations” details the controls NIST recommends for all US federal information systems (excluding national security systems). Because NIST SP 800-53 contains a large set of 272 recommended controls, NIST created SP 800-171, a simplified version with just 114 controls, as a more approachable framework for contractors to implement.
NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” details requirements to protect CUI (Controlled Unclassified Information) – information that requires safeguarding or dissemination controls consistent with laws, regulations, and policies.
The cybersecurity requirements in the DFARS (Defense Federal Acquisition Regulation Supplement) require all DoD contractors and subcontractors to comply with the NIST SP 800-171 security controls, with the goal of making those organizations more secure. Failing to comply with SP 800-171 could result in the loss of federal contracts.
Accountability and auditing
Federal contractors aiming to achieve compliance with NIST SP 800-171 can find guidelines for reviewing their security systems in the “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented”.
There are three ways that contractors can demonstrate compliance:
- Self-assessment: the contractor assesses its own compliance and attests that it is complying with the DFARS and has implemented the NIST SP 800-171 security controls.
- Third-party assessment: an external organization audits the contractor, or certifies that the contractor has met the requirements for certification.
- Federal inspection: a federal team is dispatched to inspect the contractor’s security plan.
The first level of assessment is the easiest to implement but lacks the credibility that the other two levels provide. The third level – an inspection conducted by a federal team – is only available to certain contractors.
The second level, compliance verified by a third-party organization, can be achieved in various ways. One way for contractors to get started on their compliance journey is by achieving ISO 27001 certification.