NIST (National Institute of Standards and Technology)
What is NIST?
NIST is a non-regulatory agency of the US Department of Commerce that develops and maintains standards of measurement and technology to enhance economic security and business performance.
In response to growing cybersecurity concerns, NIST created the CSF (Cybersecurity Framework) and RMF (Risk Management Framework) for organizations to use as guidance for cybersecurity best practice.
NIST CSF (Cybersecurity Framework)
The CSF is a voluntary framework, originally intended for US critical infrastructure organizations, for managing and mitigating cybersecurity risk on the basis of existing standards, guidelines, and practices. In practice it has proven flexible enough to be adopted by non-US and non-critical-infrastructure organizations as well. The CSF is a living document – it recognizes that continual improvement is necessary to adapt to changing industry needs. Version 1.1 was released in April 2018 (a revised version 2.0, which adds a sixth Function, Govern, followed in February 2024).
Part of the CSF’s flexibility lies in how it structures cybersecurity into five high-level ‘Functions’ – Identify, Protect, Detect, Respond, and Recover – each of which is broken down into ‘Categories’ (groups of outcomes such as asset management or access control) and then into more specific, organization-dependent ‘Subcategories’ that map to informative references in other standards. This helps organizations to take and maintain a structured approach while meeting their own requirements.
At the core of these activities lies risk management. Taking a risk-based approach is generally key to effective security, which is also reflected in ISO 27001, the international standard for information security. To help organizations better manage their risk, NIST has published its dedicated RMF.
NIST RMF (Risk Management Framework)
NIST’s RMF provides a structured approach to risk management, ensuring that risk is managed in line with the organization’s requirements, business objectives, and risk appetite. And as stated earlier, effective risk management is fundamental to an organization’s cybersecurity.
The RMF (NIST SP 800-37) is effectively a six-step cycle: Categorize the information system and the information it handles by impact level; Select an appropriate baseline of controls (from SP 800-53) and tailor it to the identified risks; Implement the controls and document how they are deployed; Assess whether the controls are in place and operating as intended; Authorize the system to operate, based on an explicit, risk-based decision by a senior official; and Monitor the controls and the system on an ongoing basis, feeding findings back into the cycle for continual improvement. (Revision 2 of SP 800-37 adds a preliminary Prepare step covering organization-level risk management.)
NIST implementation and compliance
In May 2017, President Trump signed Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”, which requires federal agency heads to manage their cybersecurity risk using NIST’s CSF. They were also required to provide a “risk management report” to the Secretary of Homeland Security and the Director of the OMB (Office of Management and Budget), including an action plan for implementing the Framework.
Even without this requirement, implementing the CSF has several notable advantages for organizations in general. Because it maps its outcomes to existing standards, the Framework is a useful vehicle for demonstrating compliance with laws and regulations in which information security is central, including HIPAA (Health Insurance Portability and Accountability Act), FISMA (Federal Information Security Management Act), and SOX (Sarbanes–Oxley Act). Knowing that the CSF is widely implemented by similar organizations also provides a ‘common language’, resulting in better communication when sharing threat information.
NIST SPs (Special Publications) 800-53 and 800-171
NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations” catalogues the controls recommended for all US federal information systems (other than national security systems). As NIST SP 800-53 contains several hundred controls and control enhancements organized into control families, NIST created SP 800-171, which distils the subset relevant to protecting federal information held outside federal systems into 110 security requirements (in Revisions 1 and 2), serving as a more approachable framework for contractors to implement.
NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” details the requirements for protecting CUI (Controlled Unclassified Information) – information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, but that is not classified.
The cybersecurity requirements in the DFARS (Defense Federal Acquisition Regulation Supplement), specifically clause 252.204-7012, require DoD contractors and subcontractors that handle covered defense information to implement the NIST SP 800-171 security requirements, with the aim of improving the security of the defense supply chain. Failing to comply with SP 800-171 could result in the loss of federal contracts.
Accountability and auditing
Federal contractors aiming to achieve compliance with NIST SP 800-171 can find guidelines for reviewing their security systems in the “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented”.
There are three ways that contractors can comply:
- Self-assess their compliance, and attest that they are complying with the DFARS and have implemented the NIST SP 800-171 security requirements.
- Engage a third-party organization to audit the contractor externally, or to certify that the contractor has met the requirements for certification.
- A federal team can be dispatched to inspect the contractor’s security plan.
The first level of assessment is the easiest to implement but lacks the independent credibility that the other two levels provide. The third level – an inspection conducted by a federal team – is only available to certain contractors.
The second level – compliance verified by a third-party organization – can be achieved in various ways. One way for contractors to get started on their compliance journey is by achieving ISO 27001 certification, whose risk-based ISMS (information security management system) overlaps substantially with the SP 800-171 requirements.