NIST Cyber Security Framework (CSF)
NIST Cybersecurity Framework Compliance - NIST 800-53 Policies & Standards
The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, drafted the Cybersecurity Framework (CSF). The Cybersecurity Framework does not introduce new standards or concepts, but leverages and integrates industry-leading cybersecurity practices developed by organizations such as NIST and the International Organization for Standardization (ISO). The CSF comprises a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices, and it creates a common language for internal and external communication of cybersecurity issues.
The Cybersecurity Framework is a process designed to evolve with changes in cybersecurity threats, processes, and technologies. In effect, the Cybersecurity Framework envisions effective cybersecurity as a dynamic, continuous loop of response to both threats and solutions. As a result, organizations that adopt the Cybersecurity Framework may be better positioned to comply with future cybersecurity and privacy regulations. At the least, businesses that operate in regulated industries should begin monitoring how regulators, examiners, and other sector-specific entities are changing their review processes in response to the Cybersecurity Framework.
Our Written Information Security Program (WISP) is designed to allow organizations to comply with the NIST Cybersecurity Framework. The WISP maps the NIST CSF controls directly to standards and policies, so that business-as-usual operations can be aligned with Cybersecurity Framework requirements without a separate compliance effort.
NIST Cybersecurity Framework Due Care Considerations
Due to a lack of other benchmarking frameworks, the Cybersecurity Framework may establish itself as a cybersecurity standard that will be used as a measure for future legal rulings. If, for instance, the security practices of an organization are questioned in a legal proceeding, the courts could identify the Cybersecurity Framework as a baseline for “reasonably expected” cybersecurity standards. Organizations that have not adopted the Cybersecurity Framework to a sufficient degree may be considered negligent and may be held liable for fines and other damages. Adoption of the Cybersecurity Framework, therefore, should be seen as an exercise of due care, and organizations should understand that their corporate officers and boards may have a fiduciary obligation to comply with the guidelines.
Using the NIST Cybersecurity Framework To Manage Service Providers
The Cybersecurity Framework can be used as a business requirement for third-party service providers. For example, an organization that adopts the Cybersecurity Framework may require its vendors and suppliers to achieve the same, which helps the organization protect itself from a potential weak link in its supply chain. Service providers should be prepared for future requests for proposals (RFPs) and partnerships to require some level of implementation of the Cybersecurity Framework.
Cybersecurity Framework Core Functions
The NIST Cybersecurity Framework formally defines its Core as “a set of cybersecurity activities, desired outcomes, and applicable references across critical infrastructure sectors.” The Core consists of standard cybersecurity controls organized into a taxonomy of five Functions, 22 Categories (subdivisions of the Functions), and 98 Subcategories. The Core Functions form the “operational culture” that addresses cybersecurity risk. The Core Functions are:
Identify Functions are foundational. These controls help an organization understand how to manage cybersecurity risk to its systems, assets, data, and capabilities. Relating these to a business context is critical for prioritizing efforts.
- Asset Management
- Business Environment
- Risk Assessment
- Risk Management Strategy
Protect Functions are the safeguards that ensure delivery of critical infrastructure services. In terms of ensuring resilience, these safeguards help to limit or contain the impact of a cybersecurity event.
- Access Control
- Awareness and Training
- Data Security
- Information Protection Processes and Procedures
- Protective Technology
Detect Functions identify the occurrence of a cybersecurity event.
- Anomalies and Events
- Security Continuous Monitoring
- Detection Processes
Respond Functions allow an organization to take action on a detected cybersecurity event. The goal of Respond Functions is to contain the impact of a cybersecurity event and remediate vulnerabilities.
- Response Planning
Recover Functions are for resilience planning, particularly the timely restoration of capabilities or services impaired by a cybersecurity event.
- Recovery Planning