Although not a regulatory framework, the U.S. National Institute of Standards and Technology (NIST) framework is considered an industry best practice for to identifying, measuring, and managing cybersecurity risk.
In the 2016 Tenable Trends in Security Framework Adoption Survey, nearly a third of the IT and security professionals surveyed said the NIST cybersecurity framework was being leveraged by their organization, and 70 percent of those that adopted the framework did so because of its clout as a best practice standard.
The NIST framework has been updated from the Cybersecurity Enhancement Act of 2014 to make the framework easier to use and more refined.
The new version includes:
- New assessments against supply chain risks,
- New measurement methods, and
- Clarifications on key terms.
The NIST Framework: Core, tiers, and profiles explained
The framework is made of three parts – the core, the tiers, and the profiles.
The core of the framework is made up of 4 components:
- Functions: There are five functions: identify, protect, detect, respond, and recover. These functions are the foundation that can be used to organize the organizations cybersecurity efforts.
- Categories: Within each of the five functions, there are three to five categories. These categories identify tasks or challenges associated with each function.
- Subcategories: Within each of the categories, there are subcategories which break down the task or challenge even further. For example, within the category named Risk Management Strategy, there are three subcategories which cover the areas of risk management processes and organizational risk tolerance.
- Informative references: includes any resources, documents, and steps for execution of tasks or challenges.
The tiers are the cybersecurity outcomes that are based on the organization’s business needs that they’ve selected from the core categories and subcategories that can range from partial (tier 1) to adaptive (tier 4) For example, a more mature, or adaptive, organization would have a risk management approach that is informed by business needs and works in tandem with the overall risk management program. Having a tiered approach to the NIST framework has allowed organizations to measure their individual level of cybersecurity maturity and share this with senior management or a board of directors, essentially enabling them to benchmark performance. Once performance is measured and benchmarked, the board can understand how the organization adheres to the NIST security controls.
The organization’s current cybersecurity status and their roadmap towards NIST goals are outlined under profiles. The profiles are used to help organizations identify areas of opportunity by outlining their current state and comparing it to their desired state.
This two-pronged approach can help uncover areas of opportunity in which the organization can improve its cybersecurity implementations and ultimately adjust the ease in which the organization can move between tiers. The two profiles an organization has helps connect the core elements to business requirements, risk tolerance, and resources of the larger organization it serves.
NIST’s recent update helps ensure that organizations abiding by the three components, described above, are in a better position to not only react to malicious cyber activity, but also to prevent this type of activity from happening.