National Institute of Standards and Technology (NIST) Cybersecurity Framework v1.1
By: Edris Ahmady
Introduction
Trying to understand which frameworks to learn about and which to ignore (for the time being) can be a daunting task, especially if you are new to cybersecurity and looking to land your first job. I personally believe that the NIST Cybersecurity Framework is a good place to start, because it is straight to the point and flexible in how an organization implements it. I hope that by reading through this summary of the framework, you will gain a functional understanding of what the NIST Cybersecurity Framework is, how it is structured, and why it is a valuable tool for an organization to adopt.
What is The NIST Cybersecurity Framework?
Executive Order 13636 (2013) directed the National Institute of Standards and Technology (NIST) to develop a voluntary, standards-based cybersecurity risk framework for owners and operators of United States critical infrastructure; the Cybersecurity Enhancement Act of 2014 (CEA) later codified that role. The result was the NIST Cybersecurity Framework, first published in February 2014 and updated to version 1.1 in April 2018. Its goal is to give organizations a common language and a repeatable process for identifying, assessing, and reducing cybersecurity risk, and for continuing to manage that risk as business needs and the threat landscape change.
NIST Cybersecurity Framework v1.1
When creating the framework, NIST wanted something that would be flexible, could be revised over time, and could be adopted across a wide range of industries and organization sizes regardless of the specific technologies in use. To that end, the framework is built from three components:
The Core - a set of cybersecurity activities, desired outcomes, and informative references that are common across sectors and critical infrastructure. The Core is not specific to any one organization; it presents industry standards, guidelines, and practices in a way that lets cybersecurity activities and outcomes be communicated across the organization, from the executive level down to implementation and operations. It is organized into five high-level Functions: Identify, Protect, Detect, Respond, and Recover. Each Function is broken into Categories and then Subcategories that state specific outcomes (in v1.1, 23 Categories and 108 Subcategories), and each Subcategory maps to Informative References such as ISO/IEC 27001, NIST SP 800-53, COBIT, ISA 62443, and the CIS Controls that describe ways to achieve it.
Framework Implementation Tiers - provide context on how an organization views cybersecurity risk and how rigorous and repeatable the processes it uses to manage that risk are. There are four Tiers, from Partial (Tier 1) to Adaptive (Tier 4), each describing an increasing degree of rigor and integration of cybersecurity risk management into business decisions. Note that NIST states the Tiers are not maturity levels; an organization chooses the Tier appropriate to its goals, risk appetite, and resources.
Framework Profile - the alignment of the Functions, Categories, and Subcategories with the organization's business requirements, risk tolerance, and resources. A Profile records which outcomes the organization has selected and what it has in place to achieve them. An organization can build a Current Profile describing its present state and a Target Profile describing the state it wants to reach; comparing the two exposes the gaps, which can then be prioritized into an action plan.
The Core Functions
Identify - Develop an organizational understanding of the cybersecurity risk to systems, people, assets, data, and capabilities. This means knowing what you have (an asset inventory), understanding the business context and the organization's place in its supply chain, setting governance, assessing risk, and defining a risk management strategy. Done well, it documents where risk exists and gives the organization a clear basis for deciding which risks to address first.
Protect - Develop and implement safeguards that ensure delivery of critical services and limit or contain the impact of a potential cybersecurity event. This covers identity management and access control, awareness and training, data security, protective processes and procedures, maintenance, and protective technology. Protect does not simply "fix" everything Identify found; it applies controls commensurate with the risks that Identify prioritized.
Detect - Develop and implement activities that identify the occurrence of a cybersecurity event in a timely manner, so that it can be handled before losses grow. This covers analyzing anomalies and events, continuous security monitoring, and maintaining and testing the detection processes themselves.
Respond - Develop and implement activities to take action on a detected cybersecurity incident. This includes response planning, communications with internal and external stakeholders, analysis of the incident, mitigation to contain and eradicate it, and improvements drawn from lessons learned.
Recover - Develop and implement activities to maintain resilience and restore any capabilities or services impaired by an incident. This includes recovery planning, recovery communications, and improvements: after an incident, the recovery plan and related activities are reviewed and updated so that the same incident is less likely to recur.
***Each function consists of categories and subcategories that are explained in detail within the official NIST Cybersecurity Framework PDF. The listing below, adapted from Table 1 of that PDF, gives the core functions and their categories with their unique identifiers.***
Identify (ID)
- ID.AM Asset Management
- ID.BE Business Environment
- ID.GV Governance
- ID.RA Risk Assessment
- ID.RM Risk Management Strategy
- ID.SC Supply Chain Risk Management
Protect (PR)
- PR.AC Identity Management, Authentication and Access Control
- PR.AT Awareness and Training
- PR.DS Data Security
- PR.IP Information Protection Processes and Procedures
- PR.MA Maintenance
- PR.PT Protective Technology
Detect (DE)
- DE.AE Anomalies and Events
- DE.CM Security Continuous Monitoring
- DE.DP Detection Processes
Respond (RS)
- RS.RP Response Planning
- RS.CO Communications
- RS.AN Analysis
- RS.MI Mitigation
- RS.IM Improvements
Recover (RC)
- RC.RP Recovery Planning
- RC.IM Improvements
- RC.CO Communications
Framework Implementation Tiers
The Implementation Tiers describe how an organization's cybersecurity risk management practices compare against the characteristics NIST defines, across three dimensions: its Risk Management Process, its Integrated Risk Management Program, and its External Participation. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4), and each successive Tier reflects more rigorous, repeatable, and integrated risk management. The Tiers are not a maturity model or a checklist to be completed: an organization selects its current and target Tier based on its risk tolerance, mission objectives, regulatory requirements, and resources, and NIST encourages moving to a higher Tier only where a cost-benefit analysis shows a feasible and cost-effective reduction of cybersecurity risk. The three dimensions of each Tier are explained below.
Tier 1 (Partial)
- Risk Management Process - The organization's risk management practices are not formalized. Risk is managed in an ad hoc, reactive manner, and cybersecurity activities are not prioritized according to the organization's risk objectives, the threat environment, or business requirements.
- Integrated Risk Management Program - There is limited awareness of cybersecurity risk at the organizational level. Cybersecurity risk is managed on an irregular, case-by-case basis, and the organization lacks processes for sharing cybersecurity information within itself.
- External Participation - The organization does not understand its role in the larger ecosystem with respect to its dependencies or dependents. It does not collaborate with or share, receive, or gather information from other entities (such as suppliers, customers, or sector partners), and it is generally unaware of the cyber supply chain risks of the products and services it uses.
Tier 2 (Risk Informed)
- Risk Management Process - Risk management practices are approved by management but may not be established as organization-wide policy. Cybersecurity activities are prioritized based on organizational risk objectives, the threat environment, and business requirements.
- Integrated Risk Management Program - There is awareness of cybersecurity risk at the organizational level, but an organization-wide approach to managing it has not been established. Cybersecurity information is shared within the organization on an informal basis, and risk assessments of organizational and external assets occur but are not repeated regularly.
- External Participation - The organization generally understands its role in the larger ecosystem with respect to either its own dependencies or its dependents, but not both. It collaborates with and receives some information from other entities and generates some information of its own, but may not share that information with others, and it is aware of cyber supply chain risks but does not act on them consistently or formally.
Tier 3 (Repeatable)
- Risk Management Process - The organization's risk management practices are formally approved and expressed as policy. Cybersecurity practices are regularly updated by applying the risk management process to changes in business and mission requirements and to a changing threat and technology landscape.
- Integrated Risk Management Program - There is an organization-wide approach to managing cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed, and there are consistent methods for responding effectively to changes in risk. Personnel have the knowledge and skills to perform their roles.
- External Participation - The organization understands its role, dependencies, and dependents in the larger ecosystem and may contribute to the community's broader understanding of risk. It collaborates with and receives information from other entities regularly and acts formally on cyber supply chain risk, for example through written agreements with suppliers.
Tier 4 (Adaptive)
- Risk Management Process - The organization adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators. Through continuous improvement that incorporates advanced technologies and practices, it actively adapts to a changing threat and technology landscape.
- Integrated Risk Management Program - There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The relationship between cybersecurity risk and organizational objectives is clearly understood and considered when making decisions, and cybersecurity risk management is part of the organizational culture.
- External Participation - The organization understands its role, dependencies, and dependents in the larger ecosystem and contributes to the community's broader understanding of risk. It receives, generates, and shares information with partners in real time or near real time, and it manages cyber supply chain risk through formal, integrated processes with its suppliers and partners.
Why NIST?
The NIST Cybersecurity Framework is a valuable tool for any organization looking to manage cybersecurity risk in its processes. It gives the organization a structured way to review itself, identify where risk may occur, and prioritize corrective action. Doing so brings benefits ranging from reduced potential financial losses to greater confidence among stakeholders that current industry standards are being practiced. It is also worth keeping in mind what the framework is not: it is a risk management framework, not a checklist of controls or a certification, so adopting it means doing the work of building Profiles and closing the gaps between them rather than simply claiming compliance.