#HowTo: Demystify the NIST Cybersecurity Framework

The NIST Cybersecurity Framework’s comprehensiveness makes it the de facto standard across industries. However, the Framework has one major weakness: its guidelines can be particularly confusing for newcomers to understand.

The Framework is organized into five core functions (Identify, Protect, Detect, Respond, Recover). Those are further divided into more than 100 subcategories. While they provide the meat of the specific technology and practice guidance organizations should follow, much of that crucial content is obscured by a messy presentation. Categories and functions are often redundant and include subcategories that seem better suited to other categories.

Yet despite the overwhelming amount of information contained in it – and despite its sometimes-confusing organization – don’t be dissuaded from using it. Here’s what I think is a more easily digestible primer that will help you avoid confusion as you begin to introduce NIST-recommended practices within your organization:

Core Function #1: Identify

The NIST Cybersecurity Framework’s first core function covers best practices for identifying and managing risks across systems, data, assets, etc. This includes guidance on:           

  • Asset management. The Framework requires that crucial personnel, data, facilities, and systems risks be consistently addressed with security best practices. Organizations must identify and protect all assets and activities critical to their continuing business viability (essential sites, databases, applications, etc.).
  • Business environment. Organizations must ensure that relevant stakeholders fully understand their business mission and objectives from a security perspective.
  • Governance. The Framework mandates procedures, policies, and processes that inform proper risk management and ensure legal and regulatory compliance.
  • Risk assessment. Organizations must achieve a comprehensive understanding of their cybersecurity business risks.
  • Supply chain. Organizations must identify supply chain risks and have processes prepared for mitigation.

Core Function #2: Protect

The Framework’s second core function addresses organizations’ needs to enact protections safeguarding the delivery of their critical infrastructure services. These protections include:

  • Access controls. The Framework requires organizations to limit access to only authorized users, processes and devices.
  • Awareness and training. Organizations must educate and train employees (and partners) to understand cybersecurity risks and the mitigation policies/procedures to address them.
  • Data security. Organizations must manage data and records in adherence to policies and procedures that protect data confidentiality, integrity and availability.
  • Information protection. Policies, procedures and processes must also protect information systems and data. 
  • Maintenance. The Framework calls for organizations to keep security controls and information systems in good working order and compliant with standing policies and procedures.
  • Protective technology. Effective technology solutions must be in place to fully secure organizations’ information systems.

Core Function #3: Detect

The Framework’s third core function ensures that organizations are doing enough to detect cybersecurity attacks. This function addresses:

  • Anomalies and events. Cybersecurity solutions must provide fast identification of anomalous activities and the insights required for rapid remediation.
  • Continuous security monitoring. Detection solutions must have continuous threat-monitoring capabilities.
  • Detection process assessments. Detection processes and procedures must undergo regular testing to assess and maintain ongoing effectiveness.

Core Function #4: Respond

The Framework’s fourth core function defines how organizations should best prepare effective responses to detected cybersecurity events. Specific areas for applying best practices include:

  • Response planning. Organizations must have plans, processes and procedures ready for when cybersecurity events occur.
  • Communications. The Framework calls for organizations to effectively coordinate all internal cyber threat response activities and, under certain scenarios, coordinate with external parties such as law enforcement.
  • Analysis. Cyber threat analysis is crucial for appropriate response and recovery measures. 
  • Mitigation. Organizations must take steps to prevent threat events from expanding, eliminate existing threats and mitigate any potentially-lasting effects.
  • Improvements. The Framework calls on organizations to continuously improve their cybersecurity practices by acting upon lessons learned through their experiences with threat events.

Core Function #5: Recover

The Framework’s final core function addresses the steps organizations should take to build their resilience and preparedness to restore any functionality, capabilities or services affected during security incidents. Areas of focus to pay attention to include:

  • Recovery planning. Organizations should carefully implement processes and procedures that promote rapid and complete recovery following cybersecurity events.
  • Communications. Organizations should closely coordinate recovery activities with internal stakeholders, affected parties, and external parties impacted by incidents.
  • Improvements. The Framework instructs organizations to improve their recovery planning and processes based on new knowledge gained while recovering from threat events.

Leveraging the Cybersecurity Framework to Protect Your Organization

While many of the best practices of the NIST Cybersecurity Framework are still optional for most private organizations (they’re mandatory for many with government contracts), they offer excellent guidance for developing robust cybersecurity responses. By adopting policies and solutions to address each of the Framework categories described above, organizations will be well on their way to achieving better and more effective security practices.

What’s Hot on Infosecurity Magazine?