Implementing the NIST Cybersecurity Framework

In recent years, public and private sector organizations in the United States have made increasing the strength of their cybersecurity defenses a top priority. In response to Executive Order 13636:Improving Critical Infrastructure Cybersecurity, the US National Institute of Standards and Technology (NIST) developed and published the NIST Cybersecurity Framework (CSF) in 2014. The NIST CSF highlights the importance of proactive risk management and offers IT security guidance to help organizations prevent, detect, and respond to cyber attacks.

The Executive Order defines critical infrastructure as “systems and assets…so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Technically, critical infrastructure consists of 16 sectors: chemicals; commercial facilities; communications; critical manufacturing; dams; defense; emergency services; energy; financial services; food and agriculture; government; healthcare; information technology; nuclear reactors; waste and materials; transportation systems; and water and wastewater systems. However, the Framework guidance also applies to non-critical infrastructure. It may be less of a necessity, but non-critical infrastructure organizations should also consider adopting the NIST CSF as the foundation of an effective cybersecurity program.

The NIST CSF is organized into five core functions:

1. Identify – “Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”

2. Protect – “Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.”

3. Detect – “Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.”

4. Respond – “Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.”

5. Recover – “Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.”

The Framework Core further divides these five functions into 22 Categories and 98 Subcategories. Categories are high-level cybersecurity requirements, or outcomes – Access Management, for example; Subcategories are specific technical or management requirements that, implemented appropriately, support the attainment of the outcomes in each Category. Each Subcategory is linked to Informative References, specific sections of standards and best practices, such as NIST Special Publication 800-53, ISO 27001 and 27002, and COBIT, that offer methods, or controls, to meet the requirements of that Subcategory. Many organizations like the fact that the Framework does not prescribe a particular set of controls: its non-prescriptive nature lends it broad applicability and means that it can be used in conjunction with any control-based framework, or a combination of frameworks.

Organizations that want to use the NIST CSF to generate a long-term cybersecurity roadmap should conduct a gap analysis as the first step in the implementation process. In the gap analysis, an organization compares current cybersecurity outcomes to the Framework’s Categories and Subcategories, and defines its Current Profile based on the results. The Target Profile describes the organization’s desired end state – or the outcomes that it wishes to achieve, taking into consideration business objectives and existing cybersecurity risks. From there, the organization generates an action plan, or roadmap, to improve cybersecurity practices and progress towards the Target State.