Each year, the U.S. government manages many different departments and agencies to protect its citizens and businesses, including providing military defense, promoting health safety measures, passing consumer protection laws, and enforcing labor laws. That’s just to name a few.
But what about more complex and evolving risks like cybersecurity? Is there any type of resource provided by the federal government for businesses to protect themselves from a cyber attack? What about guidelines recommended that could help evaluate an organizations’ cybersecurity risks?
The answer is yes, yes, and yes. Within the Department of Commerce is the National Institute of Science and Technology (NIST). This agency does plenty to promote innovation and industrial improvements within technology. However, one of their most important initiatives is their work in providing businesses the knowledge and resources to protect their data, network system, applications, and devices from cyber-related threats.
All of this is provided by the NIST Cybersecurity Framework.
What is the NIST Cybersecurity Framework?
The word “framework” is a conceptual (non-physical) structure that can guide someone into creating something useful. In this case, the NIST Cybersecurity Framework is the guide to help a business evaluate, develop, or enhance a cybersecurity program (something very useful).
The idea behind having a universal framework and the main reason that the NIST framework is extremely important for businesses is that it allows a uniform set of methods and terminology to be used for businesses to communicate with one another and their stakeholders.
Before introducing the NIST framework in 2014, businesses would have to use resources from various, non-collaborative sources such as guidelines from their state government, best practices from their industry’s associations, or whatever their IT management and security consultants were using to develop their cybersecurity programs.
It’s important to note that the NIST framework is not a law that businesses must adhere to. Many compliance requirements, however, will use the NIST Framework as a starting point. So among other things, adopting the NIST framework can be a stepping stone for legal requirements depending on your industry.
Main Components of the NIST Security Framework
The complete NIST Framework is lengthy and can come off as dry and intimidating. However, once you realize how its sections are broken down, it starts making much more sense as to how to use the framework to better your cybersecurity program.
Here are the three main components of the NIST Security Framework:
The framework core is the most important part of the NIST Framework as it goes over some of the things your business can do to fill in gaps or update its security. This section is very hierarchical, meaning that there is a top-down approach to evaluating and developing a cybersecurity program that starts with the overall functionality, various achievable outcomes within those functions, and then the specific security activities (controls, processes, or practices) to achieve those outcomes.
Starting from the top, the purpose of each cybersecurity activity laid out in the framework core is to achieve one of the five security functions outlined:
- To Identify your potential security risks
- To Protect your assets from a cyber-related event
- To Detect the occurrence of a cyber-related event
- To Respond to a cyber-related event
- To Recover from a cyber-related event
The five functions are divided into their “outcome” categories or objectives. The framework indicates between three to six security objectives per function. Some examples of an outcome for each function include:
- Risk Assessment→ to Identify your potential security risks
- Awareness and Training→ to Protect your assets from a cyber-related event
- Security Continuous Monitoring→ to Detect the occurrence of a cyber-related event
- Response Planning→ to Respond to a cyber-related event
- Communications→ to Recover from a cyber-related event
Then, the actual activities (controls, processes, or practices) needed to achieve the outcomes are provided at the lowest tier of the hierarchy. Here are a few real-world examples, based on the activities explained in the NIST framework, of security activities to achieve an objective:
- A large accounting business does a vulnerability test from a third-party security firm→ as part of a Risk Assessment→ to Identify your potential security risks.
- All employees of an insurance agency must complete monthly security tutorials → to provide Awareness and Training→ to Protect their assets from a cyber-related event.
- A large publishing company enrolls in a 24/7 threat intelligence service → to ensure Security Continuous Monitoring→ to Detect the occurrence of a cyber-related event.
- All unknown devices found to have access to the network are removed by the system administrator → as part of Response Planning→ to Respond to a cyber-related event.
- A dental office uses a PR firm to inform their customers of their compromised data→ to handle Communications→ to Recover from a cyber-related event.
This section discusses how to measure an organization’s security practices based on its ability to understand and implement the security activities mentioned in the core section. It uses a universal tier-system rating each organization as one of the following:
- Partial (lowest implementation)
- Adaptive (highest implementation)
While all businesses should strive to be at an “Adaptive” level of cybersecurity risk management, NIST only suggests doing so if improvements would reduce cybersecurity risk without putting the business in a financial hole. It should also be noted that it can take years to move an organization through each tier, emphasizing the importance of long-term security planning.
The profiles section explains how a business can look at where they are compared to where they would like to be from a security perspective. It’s good to think of a profile as a current cybersecurity status of a business based on what’s included in their cybersecurity program compared to where they should be due to compliance reasons or for just general desire to improve.
Why Adopt the NIST Framework?
As mentioned previously, the NIST Security Framework provides a universal language for all businesses to communicate with each other and their stakeholders, and offers a baseline for security compliance requirements through some of their best-practice guidelines.
On top of that, the NIST Framework is understandable for both technical and non-technical audiences as it doesn’t use very complex terminology and provides concept definitions to its readers. This makes cross-collaboration between all departments smoother when determining things like security budgets, technology strategies, and solutions for communicating with stakeholders.
One risk factor that many organizations forget to consider is a cyber incident’s ability to directly affect their business and put their suppliers, vendors, and contractors at risk. The framework allows you to better understand your 3rd-party cybersecurity risks and controls. For instance, you could request a “Profile” from potential partners before agreeing to work with them to ensure that you are protected from their risks.
The framework also creates an environment where a business can constantly improve its cybersecurity. Many activities in the “Core” section of the framework detail learning from an incident to adapt to new controls or processes. So it’s basically like having a never-ending security audit to develop your program.
This framework is constantly evolving based on rising threats and the needs of organizations. For instance, there were few updates in 2018 on new security activities added to the guidelines and better explanations for supply chain cyber risks. Then in 2020, NIST created a special publication in addition to the framework, specifically for core elements of Zero Trust Architecture to adjust for the rise of remote and cloud-based environments.
How the NIST Framework Can Implement Zero Trust
Zero Trust Security is a set of principles for organizations to improve their cybersecurity programs and arguably the best framework to live by, no matter the size and scope of an organization.
Some of the philosophies that Zero Trust lives by is “never trust, always verify,” micro-segmentation in a network for security enhancement and incident isolation, following the principle of least privilege, and continuous access control and monitoring.
Many of the NIST best practices overlap with the principles of Zero Trust Architecture, which is why following the NIST framework can be a starting point for moving into the Zero Trust model. Below are examples of the NIST practices helping implement Zero Trust security:
- Managing system access to Protect includes activities like using multi-factor authentication to confirm further user identification, part of the “never trust, always verify” principle of Zero Trust.
- Measuring the impact of a cyber-related incident to Detect includes determining the breadth of an incident to see how widespread an attack was. This can be monitored and managed using the micro-segmentation principle of Zero Trust.
- Managing system access to Protect includes only allowing personnel system access to data and applications needed to perform their job, directly related to the least privilege principle of Zero Trust.
- Developing detection processes and monitoring system access logs to Detect includes using software to track system access which is part of the continuous monitoring and access control principle of Zero Trust.
Time to Take Action
The NIST Cybersecurity Framework can be a solid baseline to begin easing your business into a Zero Trust Architecture and does not have to be a scary endeavor. Ascension Global Technology can help you bridge that gap to getting your cybersecurity program to Zero Trust by seeing where Zero Trust is needed and implementing the right solutions for comprehensive Zero Trust. Schedule a consultation with one of AGT’s security experts today to get started.
Written by: AGT Cybersecurity practitioner, Jack Pittas