In the fields of cybersecurity, risk management, and compliance there is a collection of acronyms you will hear often enough. There is ISO, the International Organization for Standardization; the AICPA (now AICPA-CIMA), the American Institute of CPAs and the Chartered Institute of Management Accountants; CISA, the Cybersecurity and Infrastructure Security Agency; and NIST, the National Institute of Standards and Technology. Each of these organizations plays a role in the shifting tectonics of security, compliance, and risk. This article discusses NIST in detail, focusing on the NIST Cybersecurity Framework, or NIST CSF.
The NIST CSF has five central functions: Identify, Protect, Detect, Respond, and Recover. Each function is broken into categories and subcategories that describe the outcomes an organization should achieve, paired with informative references (such as ISO/IEC 27001 and NIST SP 800-53 controls) that show how those outcomes can be reached. When implemented effectively, the NIST CSF provides a well-constructed foundation for a cybersecurity program designed to meet modern threats.
The NIST CSF came into being as a result of an Executive Order signed by President Barack Obama in February 2013 (Executive Order 13636, "Improving Critical Infrastructure Cybersecurity"). The order directed the National Institute of Standards and Technology to develop a framework to reduce cyber risks to critical infrastructure. The Cybersecurity Framework was built from industry best practices, along with methods, processes, and standards that allow it to be implemented in any type of business or organization. The Executive Order also called for sector-specific agencies to produce sector-specific guidance where necessary, and a body of sector profiles and implementation guidance has grown up around the CSF since.
A note on the NIST CSF: the CSF itself is the framework, describing what outcomes to achieve in securing infrastructure, assets, and data. It is not a control catalog. NIST SP 800-53 is a catalog of security and privacy controls, and NIST SP 800-171 tailors a subset of those requirements to protecting Controlled Unclassified Information in non-federal systems. The CSF's Informative References map each subcategory to specific controls in catalogs such as SP 800-53, which is where the "how" of implementation lives.
In this article, we’ll give you an overview of cybersecurity risk and how it can threaten your organization, then do a thorough rundown of the NIST cybersecurity framework, how it can benefit your organization, and how you can implement the framework in your organization.
Overview of Cybersecurity Risk
Cybersecurity risk is all in the name, though who uses "cyber" as a term these days, anyway? Cybersecurity risks are the risks that come with information technology: loss or corruption of information, data breaches, fraud enabled by compromised or manipulated systems, and, broadly, any risk arising from our heavy reliance on technology, the internet, and telecommunications. Cybersecurity risks can impact the business as much as any other category of risk, with the potential to damage an organization's reputation, finances, operations, and even regulatory standing.
With the growth of technology and its omnipresent role in our lives, the potential for technology to expose our security and privacy increases in proportion. The 2021 ransomware attack on Colonial Pipeline forced the company to shut down a pipeline that supplies fuel to much of the US East Coast. Ransomware attacks cost companies millions, with some estimates predicting ransomware costs to meet or exceed $30 billion in 2023.
In an attempt to provide consolidated guidance for cybersecurity and increase the level of security across companies in the US, the National Institute of Standards and Technology developed and released a detailed and comprehensive Cybersecurity Framework that is industry-agnostic and can be applied to any type of organization.
Mitigating cybersecurity risks involves first identifying and prioritizing critical infrastructure and then developing a risk management strategy for those assets (ideally based on the NIST CSF). Broadly, a cybersecurity risk management strategy should document the organization's controls and processes for Identity and Access Management, Vulnerability Management, Incident Response Planning, and Business Continuity and Disaster Recovery Planning, among others.
The Importance of Managing Cybersecurity Risk in Your Business Environment
Headlines about ransomware and data breaches are so common now that one might skim right over them. HIPAA breach notifications go out with alarming frequency. The omnipresence of news about cybersecurity threats may be creating a kind of jaded cynicism among cybersecurity professionals: it is not a matter of "if" you will be attacked or breached, it is a matter of "when" (and how badly). Cyber threats are increasing across every potential vector, from phishing attacks to malware.
The Open Worldwide Application Security Project (OWASP) was formed to improve software security through open-source projects. The OWASP Top Ten summarizes the most critical categories of security risk in web applications, which companies should incorporate into their cybersecurity strategy. The 2021 edition lists:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
In addition to the Top Ten, other common attack vectors include the following (several of these, such as SQL injection and cross-site scripting, are specific instances of the Top Ten's Injection category):
- Malware
- Phishing
- Man-in-the-middle (MITM)
- Distributed Denial-of-Service (DDoS)
- SQL Injection
- Zero-Day Exploits
- DNS Tunneling
- Business Email Compromise
- Cryptojacking
- Drive-by attacks
- Cross-site-scripting (XSS)
- Password cracking
- Social Engineering
- AI-Powered attacks
- IoT-based attacks
Ignoring cybersecurity risk certainly won't mitigate it. Managing the risks of technology, security, and privacy (though privacy can be considered a category all its own) requires a thoughtful, layered approach. It is impossible to protect against every potential threat, risk, or attacker. Businesses must therefore select an approach for managing their risk, basing their priorities on the threats common to their industry and applying security fundamentals and best practices to their organization. By continuously improving their cybersecurity risk management approach, companies can limit the consequences of cybersecurity threats, which range from data breaches, financial penalties, and legal liabilities to reputational damage and business disruption. Without a clear strategy for mitigating cybersecurity risk, businesses leave themselves exposed on every front in today's IT-driven world.
Organizations in IT, utilities, and healthcare have proven to be attractive targets for attackers due to the high impact that malicious actors can have. The more critical the product or service, the more likely a company is to pay a ransom.
Using the NIST Framework for Improving Critical Infrastructure Cybersecurity for Risk Mitigation
NIST encourages the identification of critical infrastructure, and indeed, categorizing systems and infrastructure based on their criticality to the organization. This approach allows businesses to develop and apply security plans and programs to each tier of infrastructure based on criticality. In other words, an organization would be able to spend more resources on securing highly critical infrastructure and systems while spending fewer resources on those non-critical systems.
In practice, different types of infrastructure and systems necessitate different approaches to cybersecurity, though the fundamentals, which are outlined in the NIST CSF, remain a common denominator. For example, both cloud-based and on-premises applications need administrative access restricted to appropriate personnel only; however, the control would be enforced through a cloud identity management console (roles and policies) in the former case, and perhaps through a superuser manually adding a user to an application in the latter. In both cases the outcome is the same, and in both cases it should be verified the same way: periodic review of who actually holds administrative rights against who is approved to hold them.
The NIST CSF is designed to be flexible and adaptable for all sectors and all types of organizations, and provides a strong foundation for effective security controls when implemented properly. The full NIST CSF Framework Version 1.1 (the most recent published version as of this writing) is available at the NIST website.
However, other security frameworks, control sets, models, and methodologies exist for managing cybersecurity risk, each valid and valuable for its specific context and audience.
As an organization grows and matures, there may be a need to adopt additional standards to satisfy stakeholders, investors, and partners. Many companies find themselves needing to prepare for PCI DSS compliance and implement the NIST CSF simultaneously. Balancing an effective NIST program plus one or more other standards can be a major challenge without the right technology and subject matter expertise available to your organization.
The Five Functions of the NIST Cybersecurity Framework
Five cornerstones comprise the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. Each of these functions is further broken down, for a total of 23 Categories and 108 Subcategories that address different aspects of cybersecurity. The NIST CSF frames these five functions in the context of desired outcomes for an organization, rather than prescriptive instruction, providing companies with the flexibility to adopt the CSF for their needs. We summarize the 23 NIST CSF categories below; all 108 subcategories are listed in Appendix A (the Framework Core) of the NIST CSF document.
Though we present these five foundational functions of the NIST CSF in a particular order, these steps are cyclical and continuous in nature, and should be occurring in tandem to address cybersecurity risk.
Identify
Understanding and defining an organization’s environment and moving parts forms the basis for a well-informed and effective cybersecurity program and risk management approach. The “Identify” pillar of NIST involves developing a familiarity with an organization’s technology, people, operations, policies, risks, and controls. Taking an inventory of assets within the company is necessary for allocating risks and implementing mitigating controls.
The Identify function consists of six categories as follows:
- ID.AM: Asset Management – The business identifies assets, data, personnel, systems, and facilities used to achieve business purposes and defines a method of management consistent with overall goals and strategy.
- ID.BE: Business Environment – The business prioritizes objectives, stakeholders, and activities to inform cybersecurity and risk management decisions.
- ID.GV: Governance – The organization maintains policies and procedures that pertain to cybersecurity risk and communicate operational and strategic requirements.
- ID.RA: Risk Assessment – The business assesses and understands risk to operations, assets, and people.
- ID.RM: Risk Management Strategy – The business has a formal risk management strategy that informs decision-making.
- ID.SC: Supply Chain Risk Management – The organization assesses and develops processes to manage supply chain risk and support supply chain decisions.
Protect
The “Protect” pillar of the NIST CSF encompasses the desired outcomes and methods used to safeguard the organization from cyber threats. Protecting can also involve limiting the fallout of potential incidents. Protect controls are typically preventative, attempting to stop bad actors before they reach anything critical. However, protecting doesn’t mean securing the perimeter of your organization only. Standards like PCI DSS, HIPAA, and others call for segmentation of sensitive or protected information even within an ostensibly secure perimeter. Protecting assets and information can mean building isolated infrastructure and networks and restricting access to only a limited subset of personnel.
The Protect function consists of six categories as well:
- PR.AC: Identity Management, Authentication, and Access Control – The business controls physical and logical access to mitigate the risk of unauthorized or inappropriate access to assets and data.
- PR.AT: Awareness and Training – The organization has a cybersecurity training and awareness plan in place to foster a security-aware company culture.
- PR.DS: Data Security – The business has a formal data security strategy and approach based on risk tolerance, and designed to safeguard the confidentiality, integrity, and availability of information.
- PR.IP: Information Protection Processes and Procedures – The organization has information security policies and procedures approved and in place to manage the security of information systems and assets.
- PR.MA: Maintenance – The company takes steps to maintain systems, assets, facilities, and other components of the business according to policy and procedure requirements.
- PR.PT: Protective Technology – The business utilizes security solutions to protect the organization, with accompanying policies and procedures for how those cybersecurity solutions should be used.
Detect
The ability to discover and correctly identify cybersecurity threats in progress is one of the best tools an organization has. The growing number of malicious actors and hacking groups makes it nearly impossible for organizations to thwart every cybersecurity threat. Even the most mature, sophisticated, and well-funded fortresses can be breached, making the "Detect" function of the NIST CSF a priority.
The Detect function involves monitoring systems for anomalies, finding and categorizing anomalies and events, and reporting findings for action.
The Detect function consists of three categories:
- DE.AE: Anomalies and Events – The business has methods in place to detect and identify anomalous events and activity.
- DE.CM: Security Continuous Monitoring – The business monitors its information systems, networks, personnel activity, and external service providers at discrete intervals to identify cybersecurity events and verify that protective measures are working.
- DE.DP: Detection Processes – The business maintains formal policies and procedures for detection processes and activities.
Respond
Since cybersecurity breaches may be inevitable, an organization's ability to Respond to incidents can make the difference between successful risk mitigation and costly mistakes. The NIST CSF prescribes a thorough approach to the Respond function, including incident response planning and the analysis (investigation, impact assessment, and forensics) needed to support an effective response.
The goal of the “Respond” pillar is to limit the exposure of the organization to any realized risks or threats through containment or correction. Beyond response is the need to continuously learn from cybersecurity attacks, so an important part of this function are the processes an organization uses to augment and fine-tune their overall cybersecurity program.
The Respond function consists of five categories:
- RS.RP: Response Planning – The company maintains formal cybersecurity incident/event response plans and acts on them in the event of an incident.
- RS.CO: Communications – The business has means in place to communicate with internal and external stakeholders as needed to respond to cybersecurity events.
- RS.AN: Analysis – The organization investigates notifications from detection systems, determines the impact of an incident, performs forensics, and categorizes incidents consistently with the response plan, so that response and recovery activities are based on an accurate understanding of what happened.
- RS.MI: Mitigation – The business responds to activities and events with the goal of mitigating risks and resolving the issue(s).
- RS.IM: Improvements – The organization continuously improves response processes and execution through lessons learned and analysis of previous events.
Recover
The “Recover” function of the NIST CSF has always been my personal favorite to talk about. In this pillar, the NIST CSF addresses how to come back from incidents of many sizes, from minor events to catastrophic disasters. Here, organizations are encouraged to plan for contingencies and resiliency, considering the worst-case scenarios in the event of a major cybersecurity attack.
There are a few fundamental practices that hold up the Recover function, like backing up data and documenting infrastructure configuration standards. Cloud-based technologies have made it easier to recover from cybersecurity events, even offering built-in data center redundancy. One caveat a practitioner will want to keep in mind: redundancy is not a backup. Replication faithfully copies ransomware-encrypted or corrupted data to every replica, so recovery still depends on backups that are versioned, isolated from production credentials (offline or immutable), and periodically restored to prove they work.
The Recover function consists of three categories:
- RC.RP: Recovery Planning – The organization maintains formal recovery planning documentation and executes the recovery plan when needed.
- RC.IM: Improvements – The business improves recovery processes and activities by analyzing previous recovery exercises and lessons learned.
- RC.CO: Communications – The organization coordinates recovery activities with clear communications to internal and external parties.
Implementing the NIST Framework Core
The NIST Framework Core is a common grouping of cybersecurity activities, objectives, and resources and consists of the five NIST CSF functions (Identify, Protect, Detect, Respond, Recover). NIST goes further and defines “Framework Implementation Tiers” — which give a description of an organization’s level of rigor in cybersecurity risk management practices.
There are four tiers of implementation:
- Tier 1: Partial – The organization's risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. There is limited awareness of cybersecurity risk at the organizational level, and the organization does not collaborate with or receive cyber threat information from other entities.
- Tier 2: Risk Informed – Risk management practices are approved by management but may not be established as organization-wide policy; an organization-wide approach to managing cybersecurity risk has not been established. The organization is aware of its role in the wider ecosystem but does not act on that awareness consistently.
- Tier 3: Repeatable – Risk management practices are formally approved and expressed as policy, and there is an organization-wide, consistent approach to cybersecurity risk that is regularly updated. The organization understands its dependencies and partners in the wider ecosystem and collaborates with them to share information.
- Tier 4: Adaptive – The organization adapts its cybersecurity practices based on lessons learned and predictive indicators, continually improving its risk management processes. Cybersecurity risk management is part of company culture. The organization understands its role in the wider ecosystem, shares information with other entities in real time, and may be a leader in its sector.
In order to implement the NIST CSF, and indeed, a cybersecurity program in general, seven steps are outlined as part of the framework and described below.
Step 1: Prioritize and Scope
In this step, the organization should define desired outcomes and priorities for its cybersecurity program. As part of this phase, the business identifies in-scope systems, assets, processes, business lines, and personnel who support these goals. Inventorying and scoping the components of the organization that could be affected by cybersecurity risk allows companies to get their arms around their cybersecurity risk exposure and begin to understand major gaps.
If possible, during this scoping phase, project teams can categorize assets and systems based on criticality to the organization. This can help the business prioritize those assets that need to be secured and controlled most importantly.
Step 2: Orient
After defining the scope of the cybersecurity program or initiative(s), the project team should orient themselves in the context of the project and the arena of cybersecurity risk. At this stage, companies can select their desired reporting or assessment framework(s), account for regulatory requirements and obligations, and confirm risk methodology.
Here, the project team can start to strategize about where to begin with the cybersecurity program and the best approach for implementing the NIST CSF in their particular organization. Teams may want to consider identifying sponsors, key stakeholders, and other subject matter experts to deepen their understanding of the environment and get a different take on the vulnerabilities that may exist in the organization’s technology stack.
Step 3: Create a Current Profile (Current State Assessment)
Based on the NIST CSF categories and subcategories, and the guidance from NIST’s supplemental publications, the business should compile a current state assessment or current profile detailing the organization’s state of implementation compared to the cybersecurity framework.
If this is the first time your organization is working with the NIST CSF, I recommend going through all 108 subcategories and noting the current state of the business for each. Where there are gaps between the organization’s processes and NIST recommendations, the project team should flag that subcategory as an area for improvement. This effort can give the company a quick overall view of its cybersecurity posture in relation to the NIST CSF recommendations, and provide a baseline for future risk and profile assessments. Getting a head start on understanding the weaknesses of your cybersecurity program doesn’t hurt either!
Step 4: Conduct a Risk Assessment
A risk assessment can be a formal or informal exercise. More importantly, when conducting a risk assessment, the organization should ensure that they’re covering topics that are relevant and pose a true risk to the company. Assessing hypothetical or theoretical risks that don’t apply to your organization does not help facilitate better risk management or mitigation.
A risk assessment should leverage the organization’s risk appetite, methodology, and scoring system, employing a risk assessment matrix to score the likelihood and impact of each risk identified in the assessment. The risk assessment should also be informed by external sources, staying conscious of modern threats and trends.
It can be helpful to have a third-party firm perform a NIST CSF risk assessment for your organization.
Step 5: Create a Target Profile
Once an organization has completed a current state analysis and conducted a risk assessment, it should then define a target profile or target future state for its cybersecurity program. The NIST CSF recommends doing this at the subcategory level by sifting through those 108 items, considering the risks identified in the assessment, and prioritizing those that pose the greatest risk to the organization.
Step 6: Determine, Analyze, and Prioritize Gaps
Comparing the Current Profile or Current State Assessment to the Target Profile or Target Future State will bubble up gap areas and vulnerabilities. Taking these into account, the business should analyze each potential gap, associated risks, and compensating controls (if any), and assign that initiative a priority in the context of the overall cybersecurity program.
Step 7: Implement Action Plan
Upon completing all previous steps, the organization can begin to implement an action plan for addressing cybersecurity risks and improving its cybersecurity program. Prioritized gaps generally come first, since they tend to have the biggest potential impact on the business. Remediating or mitigating risks may involve gathering buy-in from various stakeholders and business units — which is why it’s important to have clear communications and sponsorship for cybersecurity efforts and initiatives. While implementing or improving a cybersecurity program in accordance with NIST can seem complicated and challenging, each completed action plan and each treated risk reduces an organization’s potential exposure, making each a step forward.
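Steps 3 through 7 above, together with the likelihood-and-impact risk matrix described under Step 4, amount to a small computation: compare a Current Profile to a Target Profile subcategory by subcategory, weight each gap by the risk it addresses, and order the result into an action plan. The script below is an added example, not code from the article or from NIST, showing that computation on constructed sample data. It borrows the four Implementation Tier values (1 Partial to 4 Adaptive) as a per-subcategory maturity score, which is a common practitioner adaptation rather than how the Framework itself defines Tiers (the Framework applies Tiers to the organization as a whole). The subcategory identifiers are real CSF 1.1 identifiers; every tier value and risk score attached to them is hypothetical.

```python
"""Added example: CSF gap analysis over Current and Target Profiles.

Not part of the original article or any NIST publication. All profile
tiers and risk scores below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# CSF Implementation Tier scale, reused here as a per-subcategory maturity score.
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Risk:
    """One row of the risk assessment, scored on a 5x5 likelihood/impact matrix."""
    subcategory: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        # Classic risk matrix: likelihood x impact, giving a value from 1 to 25.
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Gap:
    """A subcategory whose current tier falls short of the target tier."""
    subcategory: str
    current_tier: int
    target_tier: int
    risk_score: int

    @property
    def tier_gap(self) -> int:
        return self.target_tier - self.current_tier

    @property
    def priority(self) -> int:
        # Weight the distance to target by the risk the subcategory addresses,
        # so a large gap on a high-risk item rises to the top of the plan.
        return self.tier_gap * self.risk_score


def validate_profile(profile: dict[str, int]) -> None:
    """Reject tier values outside the 1..4 scale before they skew the analysis."""
    for subcat, tier in profile.items():
        if tier not in TIER_NAMES:
            raise ValueError(f"{subcat}: tier {tier} is not a CSF tier (1-4)")


def analyze_gaps(current: dict[str, int], target: dict[str, int],
                 risks: list[Risk]) -> list[Gap]:
    """Steps 5-7: compare profiles, attach risk scores, return a prioritized list."""
    validate_profile(current)
    validate_profile(target)
    risk_by_subcat = {r.subcategory: r.score for r in risks}
    gaps: list[Gap] = []
    for subcat, target_tier in target.items():
        # A subcategory never assessed is treated as Tier 1 (Partial), not ignored.
        current_tier = current.get(subcat, 1)
        if current_tier >= target_tier:
            continue  # target already met: nothing to plan
        # No assessed risk for this subcategory -> lowest non-zero weight, so the
        # gap still appears in the plan rather than vanishing at priority 0.
        gaps.append(Gap(subcat, current_tier, target_tier, risk_by_subcat.get(subcat, 1)))
    # Highest priority first; tie-break on identifier so the plan order is stable.
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def action_plan(gaps: list[Gap]) -> list[str]:
    """Render the prioritized gaps as plan lines for the Step 7 action plan."""
    return [
        f"{g.subcategory}: {TIER_NAMES[g.current_tier]} -> {TIER_NAMES[g.target_tier]} "
        f"(risk {g.risk_score}, priority {g.priority})"
        for g in gaps
    ]


# Constructed sample data (Steps 3, 4 and 5). Subcategory IDs are real CSF 1.1
# identifiers; the tiers and scores are hypothetical.
CURRENT_PROFILE = {"ID.AM-1": 3, "PR.AC-4": 2, "PR.DS-1": 2,
                   "DE.CM-1": 1, "RS.RP-1": 2, "RC.RP-1": 3}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-4": 4, "PR.DS-1": 3,
                  "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 3}
RISKS = [
    Risk("PR.AC-4", likelihood=4, impact=5),  # over-privileged accounts
    Risk("PR.DS-1", likelihood=3, impact=4),  # unencrypted data at rest
    Risk("DE.CM-1", likelihood=4, impact=4),  # no network monitoring
    Risk("RS.RP-1", likelihood=2, impact=3),  # untested response plan
]

if __name__ == "__main__":
    for line in action_plan(analyze_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISKS)):
        print(line)
```

Two design choices are worth noting. A subcategory that was never assessed defaults to Tier 1 rather than being skipped, because an unknown control state is a gap, not an absence of one. And a gap with no assessed risk gets a floor weight of 1 instead of 0, so it stays visible in the plan; silently dropping it would recreate exactly the blind spot the Current Profile exercise is meant to remove. With the sample data, PR.AC-4 and DE.CM-1 (two-tier gaps on high-scoring risks) land at the top, ahead of PR.DS-1 and RS.RP-1.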
Because of the changing nature of information technology and the emergence of new, potentially disruptive technologies introducing new risks to the IT landscape (like generative AI and IoT devices), it’s critical to stay on top of your cybersecurity program, revisiting it at least annually if not more often than that. Falling behind on threat trends can be a costly misstep for businesses’ security and risk teams.
NIST CSF Version 2.0
On the subject of change, NIST has been on the journey to NIST CSF 2.0 since early 2022, with the intention of launching the finalized version in 2024 (though this may be delayed). As with previous versions, NIST has solicited public comment on the drafts from industry professionals and experts.
Some of the major changes and themes proposed by NIST, among others, are:
- Optimize the CSF scope to make sure it is flexible and compatible with organizations of all sizes from all sectors.
- Prioritize and facilitate international collaboration on NIST CSF Version 2.0.
- Change the CSF’s name officially to the commonly used “Cybersecurity Framework” instead of the “Framework for Improving Critical Infrastructure Cybersecurity.”
- Provide additional guidance and Informative References for implementing the CSF.
- Recognize changes to the technological landscape and cybersecurity practices.
- Emphasize the value of strong cybersecurity governance and supply chain risk management.
This is an exciting new frontier for the cybersecurity community, and I for one can’t wait to see how the new CSF framework changes cybersecurity risk management strategy.
Build and Scale an Effective NIST Program With AuditBoard
With all the ins and outs of the NIST CSF, from categories to implementation tiers, it can be extremely challenging to successfully implement the framework to build a strong cybersecurity program. Still, the widespread adoption of NIST and the upcoming 2.0 update indicates that NIST remains at the forefront of cybersecurity risk management standards. Effectively operationalizing NIST’s CSF in your organization can make all the difference for your cybersecurity and risk management posture. Learn how implementing an integrated risk management solution can strongly position your organization to tackle the NIST CSF and other cybersecurity challenges.
Justin Toro, CISA, is a Commercial Account Executive at AuditBoard. Prior to joining AuditBoard, Justin spent 6 years with KPMG in Atlanta specializing in information technology audits, SOX/ICFR, and SOC Reporting across a variety of industries. Connect with Justin on LinkedIn.