What is NIST?
NIST stands for the National Institute of Standards and Technology. It is one of the nation's oldest science laboratories, created in 1901 and now part of the U.S. Department of Commerce. NIST was initially founded to remove a major challenge to U.S. industrial competitiveness, and it now provides guidance, research, and standards across the nation. The programs supported at NIST have expanded to cover advancing technologies including global communications networks, nanoscale science, information technology, and more. Many of the technologies we rely on every day, such as the electric grid and computers, depend in some way on the technology, measurements, and standards provided by NIST.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework serves as a guide that organizations across all sectors can use to manage the cybersecurity risks they face. The framework was first released in 2014, and the effort to create a framework that any organization could follow to address its cybersecurity risks went so well that Congress passed the Cybersecurity Enhancement Act of 2014, giving NIST responsibility for the framework. NIST released version 1.1 of the framework in 2018, building on research and interactions across all sectors within the United States.
The framework consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles. It was developed to address cybersecurity risk in critical infrastructure, but it has been adopted by organizations in all sectors, as anyone can use the principles and best practices outlined within the document. Managing cybersecurity risk matters because these risks remain major threats to organizations, and failing to manage them properly can have devastating effects such as data loss, increased costs, lost revenue, loss of reputation, and threats to national, public, and economic safety.
The framework offers organizations a flexible way to address cybersecurity, since each organization faces different threats, vulnerabilities, and risk tolerances. It lets organizations follow the base guidelines while customizing them to meet their own needs. It allows organizations to:
- Describe their current cybersecurity posture
- Describe their cybersecurity target state
- Identify and prioritize opportunities for cybersecurity improvement
- Assess progress toward their target state
- Communicate cybersecurity risk among stakeholders
Framework Core
The Framework Core provides guidance on the activities that should be performed to achieve specific cybersecurity goals, and on ways to achieve those goals. It allows organizations to improve their cybersecurity in a way that aligns with their current security practices and business needs, rather than replacing those practices.
The Framework Core consists of five functions that should be performed concurrently and continuously to address dynamic risks. The five functions are Identify, Protect, Detect, Respond, and Recover.
Implementation Tiers
The Implementation Tiers allow an organization to balance its resources, risk appetite, and priorities by providing guidance on how risks and the processes in place are viewed. They help determine what needs to be addressed given the business needs, and they are integrated into the risk management process already in place.
The Tiers range on a scale from 1 to 4, and each tier considers the risk management process, the integrated risk management program, and external participation. Tier 1 is Partial, Tier 2 is Risk Informed, Tier 3 is Repeatable, and Tier 4 is Adaptive.
Framework Profiles
The Framework Profiles allow organizations to find ways to improve their cybersecurity and provide guidance for prioritizing those improvements. This is where an organization's uniqueness comes into play, as a Profile focuses on what the organization wants and needs while taking into consideration what it already has and what risks it faces.
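The current-versus-target comparison that the Profiles (and the five bullet points earlier) describe can be made concrete. The following script is an added example, not NIST's own tooling: it takes a Current Profile and a Target Profile scored with the 1-4 tier scale per Core function, lists the prioritized gaps, and measures progress toward the target. Scoring each function with its own tier, the optional risk weights, and the sample profiles are all assumptions made for this illustration.

```python
from dataclasses import dataclass

# Constructed example: the five functions come from the Framework Core and the
# 1-4 scale from the Implementation Tiers. Scoring each function with its own
# tier, and the per-function weights, are modelling assumptions of this script.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Gap:
    function: str
    current: int
    target: int
    weight: float  # assumed business-risk weight, used only for ordering

    @property
    def priority(self) -> float:
        return (self.target - self.current) * self.weight


def validate(profile):
    """Reject a profile that is not exactly one tier (1-4) per Core function."""
    if set(profile) != set(FUNCTIONS):
        raise ValueError(f"profile must cover exactly {FUNCTIONS}")
    for fn, tier in profile.items():
        if tier not in TIERS:
            raise ValueError(f"{fn}: tier must be 1-4, got {tier!r}")


def gap_analysis(current, target, weights=None):
    """Functions still below target, largest weighted gap first (Core order on ties)."""
    validate(current)
    validate(target)
    weights = weights or {}
    gaps = [Gap(fn, current[fn], target[fn], weights.get(fn, 1.0))
            for fn in FUNCTIONS if target[fn] > current[fn]]
    return sorted(gaps, key=lambda g: (-g.priority, FUNCTIONS.index(g.function)))


def progress(baseline, current, target):
    """Share (0.0-1.0) of the tier steps planned at baseline that are now done.
    Steps past the target do not count; nothing planned means 1.0."""
    for p in (baseline, current, target):
        validate(p)
    planned = {fn: max(target[fn] - baseline[fn], 0) for fn in FUNCTIONS}
    done = sum(min(max(current[fn] - baseline[fn], 0), planned[fn]) for fn in FUNCTIONS)
    total = sum(planned.values())
    return 1.0 if total == 0 else done / total
```

A call such as gap_analysis({"Identify": 2, "Protect": 3, "Detect": 1, "Respond": 2, "Recover": 1}, {"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 2, "Recover": 2}, {"Detect": 2.0}) returns the Detect gap first, followed by Identify and Recover. Pass the profile recorded when the target was set as the baseline to progress() to report how far along the plan the organization is.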
To read more on the Cybersecurity Framework, please see the NIST Framework for Improving Critical Infrastructure Cybersecurity.