National Institute of Standards and Technology (NIST) Cybersecurity Framework v1.1

By: Edris Ahmady

Introduction

Trying to understand which frameworks to learn about and which to ignore (for the time being) can be a daunting task, especially if you are new to cybersecurity and looking to land your first job. I personally believe that diving into the NIST Cybersecurity Framework first is a good place to start, because it is straight to the point and very flexible when it comes to implementation within an organization. I hope that by reading through this summary of the framework, you will gain a functional understanding of what the NIST Cybersecurity Framework is, how it functions, and why it is a valuable tool for an organization to implement.


What is The NIST Cybersecurity Framework?

Under the Cybersecurity Enhancement Act of 2014 (CEA), the National Institute of Standards and Technology (NIST) was assigned to create a standardized cybersecurity risk framework to aid any entity deemed to be part of the United States’ critical infrastructure. As a result, the NIST Cybersecurity Framework was born. Its goal was to provide participating organizations with a way to approach and mitigate risk as much as possible, and to create a process that would continue to manage risk well into the future.


NIST Cybersecurity Framework v1.1

When creating this framework, the National Institute of Standards and Technology wanted to come up with something that would be agile, could be continuously worked on, and could be implemented in a wide range of industries that may deal with cybersecurity risks. Because of that, the framework was built around the following three aspects:

The Core - a set of activities and outcomes that are unique to an organization but represent industry standards and best practices. This aspect of the framework facilitates communication within an organization to ensure the creation of a process by which risk is mitigated. The Core is made up of five high-level functions: Identify, Protect, Detect, Respond, and Recover. Additionally, each function consists of categories and subcategories that better define and identify outcomes and match them to existing standards and guidelines.

Framework Implementation Tiers - provide a view of how an organization views cybersecurity risk and the processes it has put in place to mitigate that risk. This aspect of the framework consists of four tiers, each describing the degree to which security measures are put in place within an organization.

Framework Profile - encapsulates the above-mentioned parts together, clearly identifies the measures taken to mitigate risk, and clearly states the security goals the organization wishes to achieve. Multiple profiles may exist: one can outline the current state of the organization, and another the state the organization wishes to reach in the future.


The Core Functions

Identify - In this function an organization's duty is to assess and discover all areas where risk may occur. This may involve reviewing systems, people, assets, data, and capabilities. Doing so gives an organization the ability to clearly document where risk may occur and provides a clear view as to which risks should be prioritized.

Protect - In this function appropriate measures are taken to remedy all issues found in the Identify function.

Detect - In this function an organization will develop and implement appropriate measures to ensure a cybersecurity event is properly identified in a timely manner, with the least amount of losses incurred.

Respond - In this function an organization develops and implements a response plan in case of a cybersecurity incident. This involves documentation and communication of any occurrence of a cybersecurity incident.

Recover - In this function the organization develops and implements appropriate activities in order to restore functions otherwise affected by an incident. Additionally, in this function an analysis of the entire framework is done, and improvements are made to prevent the same incident from occurring again.

***Each function consists of categories and subcategories that are explained in detail within the official NIST Cybersecurity Framework PDF. Below is an image of a table found in that PDF to help you visualize the core functions and categories.***

Framework for Improving Critical Infrastructure Cybersecurity PDF, pg. 23

Framework Implementation Tiers

The Framework Implementation Tiers provide a way for an organization to see how well it has implemented cybersecurity processes and methodologies to mitigate risk. The tiers range from Partial (Tier 1) to Adaptive (Tier 4), and as an organization moves up a tier, it also moves up in the level of sophistication with which it manages and assesses risk. The tiers are listed below. Additionally, successful completion of all aspects of a tier allows an organization to move up within the tier list.

Tier 1 (Partial)

Tier 2 (Risk Informed)

Tier 3 (Repeatable)

Tier 4 (Adaptive)
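The Framework Profile and Implementation Tier ideas above can be made concrete as a small current-vs-target gap analysis. This is an added example, not code from the article or from NIST: the category IDs are NIST CSF v1.1 names, while the tier values in the two profiles are constructed sample data.

```python
"""Current-vs-target Framework Profile gap analysis using the Core functions and
Implementation Tiers described above. Added example, not from the article or from
NIST: category IDs are NIST CSF v1.1 names, the tier values are constructed data."""

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# (category ID, Core function, category name): a subset of the v1.1 Core table.
CORE = [
    ("ID.AM", "Identify", "Asset Management"),
    ("ID.RA", "Identify", "Risk Assessment"),
    ("PR.AC", "Protect", "Identity Management and Access Control"),
    ("PR.DS", "Protect", "Data Security"),
    ("DE.CM", "Detect", "Security Continuous Monitoring"),
    ("RS.RP", "Respond", "Response Planning"),
    ("RC.RP", "Recover", "Recovery Planning"),
]
ORDER = {ident: i for i, (ident, _, _) in enumerate(CORE)}

# Constructed sample profiles: tier reached today vs. tier the organization wants.
CURRENT = {"ID.AM": 2, "ID.RA": 1, "PR.AC": 2, "PR.DS": 2, "DE.CM": 1, "RS.RP": 2, "RC.RP": 1}
TARGET = {"ID.AM": 3, "ID.RA": 3, "PR.AC": 4, "PR.DS": 3, "DE.CM": 3, "RS.RP": 3, "RC.RP": 3}


def validate_profile(profile):
    """Reject unknown category IDs and tier values outside Tier 1..4."""
    for ident, tier in profile.items():
        if ident not in ORDER:
            raise ValueError(f"unknown category {ident}")
        if tier not in TIERS:
            raise ValueError(f"{ident}: tier {tier} is not one of {sorted(TIERS)}")
    return True


def gap_analysis(current, target):
    """Return {category_id: tiers_short} for each category below its target.
    A category missing from a profile is treated as Tier 1 (Partial)."""
    validate_profile(current)
    validate_profile(target)
    return {ident: target.get(ident, 1) - current.get(ident, 1)
            for ident in ORDER if current.get(ident, 1) < target.get(ident, 1)}


def prioritized(current, target):
    """Largest gap first; ties keep Core order, so Identify work precedes Recover."""
    gaps = gap_analysis(current, target)
    return sorted(gaps, key=lambda ident: (-gaps[ident], ORDER[ident]))


def function_tier(profile, function):
    """A function sits at the tier of its weakest category: all aspects must be met."""
    return min(profile.get(ident, 1) for ident, fn, _ in CORE if fn == function)
```

Running `prioritized(CURRENT, TARGET)` orders the work by how many tiers each category must climb, which is the kind of list a target profile is meant to produce.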


Why NIST?

The NIST Cybersecurity Framework is a very important tool for any organization looking to mitigate risk within its processes. It allows an organization to review itself by taking into account possible areas where risk may occur and allowing for correction. Doing so provides many benefits, ranging from decreasing potential financial losses to increasing confidence among shareholders who know that the most up-to-date industry standards are being practiced.


Reference