NIST Cybersecurity Framework
The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks. It is unrecognized outside the USA. It "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes." Version 1.0 was published by the US National Institute of Standards and Technology in 2014, originally aimed at operators of critical infrastructure. It is being used by a wide range of businesses and organizations and helps shift organizations to be proactive about risk management. In 2017, a draft version of the framework, version 1.1, was circulated for public comment. Version 1.1 was announced and made publicly available on April 16, 2018. Version 1.1 is still compatible with version 1.0. The changes include guidance on how to perform self-assessments, additional detail on supply chain risk management and guidance on how to interact with supply chain stakeholders.
A security framework adoption study reported that 70% of the surveyed organizations see NIST's framework as a popular best practice for computer security, but many note that it requires significant investment.
In 2017, NIST published the NIST Baldrige Cyber Security Excellence Builder which leverages the 2014 framework. It includes a simpler self-assessment. The questions are divided into six areas and a results section:
- Measurement, Analysis and Knowledge Management
- Operations, and
The NIST Cybersecurity Framework is designed for individual businesses and other organizations to use to assess risks they face.
The framework is divided into three parts, "Core", "Profile" and "Tiers". The "Framework Core" contains an array of activities, outcomes and references about aspects and approaches to cybersecurity. The "Framework Implementation Tiers" are used by an organization to clarify for itself and its partners how it views cybersecurity risk and the degree of sophistication of its management approach. A "Framework Profile" is a list of outcomes that an organization has chosen from the categories and subcategories, based on its needs and risk assessments.
An organization typically starts by using the framework to develop a "Current Profile" which describes its cybersecurity activities and what outcomes it is achieving. It can then develop a "Target Profile", or adopt a baseline profile tailored to its sector (e.g. infrastructure industry) or type of organization. It can then define steps switch from its current profile to its target profile.
Functions and categories of cybersecurity activities
The NIST Cybersecurity Framework organizes its "core" material into five "functions" which are subdivided into a total of 22 "categories". For each category, it defines a number of subcategories of cybersecurity outcomes and security controls, with 98 subcategories in all.
For each subcategory, it also provides "Informative Resources" referencing specific sections of a variety of other information security standards, including ISO 27001, COBIT, NIST SP 800-53, ANSI/ISA-62443, and the Council on CyberSecurity Critical Security Controls (CCS CSC, now managed by the Center for Internet Security). Special Publications (SP) aside, most of the informative references require aS paid membership or purchase to access their respective guides. The cost and complexity of the framework has resulted in bills from both houses of Congress that direct NIST to create Cybersecurity Framework guides that are more accessible to small and medium businesses.
Here are the functions and categories, along with their unique identifiers and definitions, as stated in the category column of its spreadsheet view of the core of the standard.
"Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities."
- Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
- Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
- Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
- Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
"Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services."
- Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
- Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
- Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
- Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
- Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.
- Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
"Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event."
- Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.
- Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
- Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
"Develop and implement the appropriate activities to take action regarding a detected cybersecurity event."
- Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
- Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
- Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
- Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
- Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
"Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event."
- Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
- Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
- Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
- Cyber security standards
- Critical infrastructure protection
- ISO/IEC 27001:2013: an information security standard from the International Organization for Standardization
- COBIT: Control Objectives for Information and Related Technologies - a related framework from ISACA
- NIST Special Publication 800-53: “Security and Privacy Controls for Federal Information Systems and Organizations."
- Cyber Risk Quantification
- "Workshop plots evolution of NIST Cybersecurity Framework". FedScoop. Retrieved 2016-08-02.
- HealthITSecurity. "NIST Cybersecurity Framework Updates, Clarification Underway". Retrieved 2016-08-02.
- PricewaterhouseCoopers. "Why you should adopt the NIST Cybersecurity Framework". Retrieved 2016-08-04.
- Keller, Nicole (2017-01-10). "Cybersecurity Framework Draft Version 1.1". NIST. Retrieved 2017-10-05.
- "NIST Releases Version 1.1 of its Popular Cybersecurity Framework". NIST. 2018-04-16. Retrieved 2018-04-27.
- "What's New in NIST Cybersecurity Framework v1.1". Expel. 2018-04-26. Retrieved 2018-05-26.
- "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". Information Week Dark Reading. Retrieved 2016-08-02.
- HealthITSecurity. "HIMSS: NIST Cybersecurity Framework Positive, Can Improve". Retrieved 2016-08-02.
- "MAIN STREET Cybersecurity Act of 2017". congress.gov. Retrieved October 5, 2017.
- "NIST Small Business Cybersecurity Act of 2017". congress.gov. Retrieved October 5, 2017.
- "Cybersecurity Framework Core (Excel)". NIST. This article incorporates text from this source, which is in the public domain.