
NIST Cybersecurity Framework Explained


The National Institute of Standards and Technology, or NIST, is a division of the U.S. Department of Commerce. The NIST Cybersecurity Framework assists companies of all sizes in comprehending, managing, and reducing their cybersecurity risk as well as safeguarding their networks and data.

The NIST Cybersecurity Framework is advice that organizations can follow if they want to. It is based on existing standards, guidelines, and best practices and is meant to help them better manage and lower cybersecurity risk. In addition to helping organizations manage and reduce risks, it was made to make it easier for both internal and external stakeholders to talk about risk and cybersecurity management.

The National Institute of Standards and Technology (NIST) created the Cybersecurity Framework (CSF) so that private organizations in the United States could plan how to secure critical infrastructure. It has been translated into other languages and is used by the governments of Japan and Israel, among others.

The NIST Cybersecurity Framework (NIST CSF) tells people how to manage and lower security risks in IT infrastructure. The CSF is made up of standards, guidelines, and best practices that can be used to prevent, detect, and respond to cyberattacks.

The CSF from NIST is most useful for small or less-regulated organizations, especially those trying to raise security awareness. Larger organizations that already have a focused IT security program may find the framework less useful.

The private industry and the government worked together to make the framework a voluntary measure. The framework was made by NIST to be flexible and cost-effective, with elements that can be put in order of importance.

In this article, you will find answers to some questions about the NIST framework.

  • What is NIST, and Why is it Important?

  • What are the Benefits of the NIST Cybersecurity Framework?

  • What is the Core NIST Cybersecurity Framework?

  • What are the NIST cybersecurity framework's 5 functions?

  • Do You Need a NIST Certification?

  • Who Uses the NIST Framework?

  • How Do You Implement the NIST Cybersecurity Framework?

  • What is the NIST Cybersecurity Framework History?

  • What are the Results of Non-Compliance with NIST?

  • What are the Weaknesses of the NIST Cybersecurity Framework for Cloud Security?

What is NIST, and Why is NIST Important?

The NIST Cybersecurity Framework is a global standard for cybersecurity that is used as a foundation for many laws and other standards. NIST creates cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. businesses, federal agencies, and the general public. NIST does a wide range of things, from giving specific information that organizations can use right away to doing long-term research that looks ahead to changes in technology and new challenges.

Some of NIST's cybersecurity responsibilities are set by federal laws, executive orders, and policies. For example, the Office of Management and Budget (OMB) requires all federal agencies to follow NIST's cybersecurity standards and guidance for systems that are not part of national security. The needs of U.S. businesses and the general public drive NIST's cybersecurity work: NIST involves stakeholders in setting priorities so that its resources address the most important problems they face. NIST also works to better understand and handle privacy risks, some of which are directly related to cybersecurity.

NIST's top priorities are cryptography, education and workforce, emerging technologies, risk management, identity and access management, measurements, privacy, trustworthy networks, and trustworthy platforms. It plans to put more attention on these areas.

What are the Benefits of the NIST Cybersecurity Framework?

As the number of businesses and cybersecurity leaders who use the NIST Cybersecurity Framework (CSF) grows, here are some reasons why you should too:

  • Consistent, unbiased cybersecurity practices

  • Support for long-term risk management and security

  • Applicability to supply chains and vendor lists

  • Bridging the gap between technical and business-side stakeholders

  • The framework's flexibility and adaptability

  • Built to meet future compliance and regulatory needs

What is the Core NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) is made up of three main parts: the framework core, the profiles, and the implementation tiers. Together they give stakeholders the context to judge how far their organization shows the characteristics the framework describes. The three main parts are as follows:

  1. Framework Core: The Framework Core is a list of desired cybersecurity activities and results written in clear, common language. It helps organizations manage and lower cybersecurity risk while adding to the ways they already do cybersecurity and risk management.

  2. Framework Profile: The Framework Profile is how an organization's needs and goals, willingness to take risks and resources match up with the desired outcomes of the Framework Core. Profiles are mostly used to find and rank opportunities to improve an organization's security standards and reduce risk.

  3. Implementation Tiers: The Implementation Tiers of the Framework show how an organization thinks about cybersecurity risk management, help them figure out what level of rigor is right for them, and are often used as a way to talk about risk appetite, mission priority, and budget.

What are the NIST Cybersecurity Framework's 5 Functions?

The functions are the framework's most general level of abstraction. They are the backbone of the framework core, which is how all the other parts are put together. The NIST Cybersecurity Framework's five functions are listed below:

  1. Identify

  2. Protect

  3. Detect

  4. Respond

  5. Recover

Figure 1. NIST Framework Functions

These five functions were chosen by NIST because they are the five most important parts of a complete and successful cybersecurity program. They make it easy for organizations to talk about how they manage cybersecurity risk at a high level and make decisions about risk management.

  1. Identify: The Identify Function helps an organization understand how to manage cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks allows an organization to focus and prioritize its efforts in line with its risk management strategy and business needs. Examples of outcome categories within this function are listed below:

    • Identifying the organization's physical and software assets so that an Asset Management program can be built on them
    • Identifying the business environment the organization works in, including its place in the supply chain and in the critical infrastructure sector
    • Identifying the organization's cybersecurity policies and what they mean for the Governance program, including the legal and regulatory requirements for its cybersecurity capabilities
    • Identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities as the basis of the organization's Risk Assessment
    • Choosing a Risk Management Strategy for the organization, including deciding how much risk the organization is willing to accept
    • Establishing a Supply Chain Risk Management strategy, including the priorities, constraints, risk tolerances, and assumptions used to support risk decisions
  2. Protect: The Protect Function explains how to make sure that critical infrastructure services are delivered. The Protect function helps make it possible to limit or stop the effects of a possible cybersecurity event. Some examples of categories of results for this function are given below:

    • Protections for the organization's Identity Management and Access Control, covering both physical and remote access
    • Awareness and Training for staff, including role-based and privileged user training, so that they can perform their security duties
    • Setting up Data Security protections in line with the organization's risk strategy to protect the confidentiality, integrity, and availability of information
    • Putting in place Information Protection Processes and Procedures to safeguard information systems and assets and to manage their protection
    • Maintenance activities, including remote maintenance, that help protect the organization's resources
    • Managing Protective Technology so that organizational policies, procedures, and agreements support the security and resilience of systems and assets
  3. Detect: The Detect Function describes the right things to do to find out if a cybersecurity event has happened. The Detect Function lets cybersecurity events be found in a timely manner. In Detect Function, some examples of outcome categories are listed below:

    • Making sure that Anomalies and Events are detected and that their possible effects are understood
    • Implementing Security Continuous Monitoring to observe cybersecurity events and verify how well protective measures, including network and physical activities, are working
    • Maintaining Detection Processes so that the organization stays aware of anomalous events
  4. Respond: The Respond Function includes the right steps to take when a cybersecurity incident has been found. The Respond Function helps make it possible to limit the effects of a possible cybersecurity incident. In Respond Function, some examples of outcome categories are as follows:

    • Ensuring that Response Planning takes place so that people act during and after an incident
    • Managing Communications with stakeholders, law enforcement, and external parties during and after an event, as needed
    • Conducting Analysis to make sure responses are effective and to support recovery, including forensic analysis and determining the impact of incidents
    • Carrying out Mitigation activities to stop an event from spreading and to bring it to an end
    • Making Improvements based on what the organization has learned from current and past detection and response activities
  5. Recover: The Recover Function figures out what needs to be done to keep plans for resilience up to date and to fix any capabilities or services that were hurt by a cybersecurity incident. The Recover Function helps businesses get back to normal operations quickly after a cybersecurity incident. This lessens the damage caused by the incident. Some examples of results in Recover Function are listed below:

    • Ensuring that the organization uses Recovery Planning processes and procedures to restore systems and/or assets affected by cyber attacks
    • Making Improvements based on lessons learned and on reviews of existing strategies
    • Coordinating internal and external Communications during and after a cybersecurity incident

Do You Need a NIST Certification?

The National Institute of Standards and Technology, or NIST, is a non-regulatory federal agency headquartered in Gaithersburg, Maryland, and part of the Department of Commerce. A NIST certification matters because it supports and creates measurement standards for a service or product. NIST is in charge of making rules and standards for information security, such as minimum requirements for federal information systems. The Federal Information Security Management Act (FISMA) requires all federal agencies to create and operate an information security program that meets certain standards. If a product doesn't meet the minimum standards set by NIST, it can't be used. The Special Publication 800 (SP 800) certification has its own requirements for publications about IT security. SP 800 helps ensure that software companies meet the government's standards for information technology security. The accuracy of NIST-certified products is verified by testing them. The certification standards are based on computer security research, guidelines, and outreach by the Information Technology Laboratory (ITL) in collaboration with government, academic organizations, and industry.

Who Uses the NIST Framework?

NIST requires companies that sell goods and services to the federal government (either directly or through another company) to follow certain security rules. Companies that work in the federal supply chain need to follow both NIST Special Publication 800-53 and NIST Special Publication 800-171.

NIST 800-171 is the first time that many companies, especially small ones that don't do direct business with the government, have to follow federal compliance rules. On the other hand, prime contractors who work directly with the government have been following compliance rules like NIST SP 800-53 for a long time.

The NIST 800-53 document is a full guide to making sure that federal information systems are safe. In general, DoD (Department of Defense) prime contractors (but not subcontractors working for primes) must follow NIST 800-53 if they operate federal information systems on the government's behalf.

For contracts that require NIST 800-171 compliance, all subcontractors in the federal supply chain, whether they work for a prime contractor or for another subcontractor, must meet compliance.

How Do You Implement the NIST Cybersecurity Framework?

The gold standard for how to build a cybersecurity program is the NIST Framework. Now that you know what the NIST Framework is and how it works, you may be wondering how to best use it in your organization. Here are the five most important steps to a successful implementation of the NIST framework:

  1. Set up a list of goals: Your company wants to use the NIST Framework, which is great. The first step to achieving this is to make a list of data security goals so you can measure how well you're doing. Goals can be made based on the answers to the following questions: How risk-averse is your organization? Where should your organization put the most emphasis on safety? How much do you want to spend on keeping your information safe? By setting goals, you can make a plan of action, give your security efforts a scope, and make sure that everyone in your organization knows what needs to be done.

  2. Create a profile: Even though the NIST Framework is a set of voluntary rules, it can be used in many different industries. How it needs to be used for your business may be very different from how it needs to be used for a business in a different field. So, you need to make a profile that lists the specific needs of your business so that the framework is effectively adjusted to meet those needs. With the help of the implementation tiers, your organization's security can go from Tier 1, which is reactive to security events, to Tier 4, which is proactive.

  3. Figure out where you are now: Doing a detailed risk assessment is the next step in putting the NIST Framework into place in your organization. A detailed risk assessment can tell your company which of its current cybersecurity practices and efforts meet NIST standards and which ones need to be improved. You can score your security efforts on your own using open source or other software tools, or you can hire a cybersecurity expert to do a thorough assessment for your organization.

  4. Make a plan of action and do a gap analysis: When the risk assessment is done, the results need to be shared with key stakeholders. In the results, there should be a list of weaknesses and threats to the organization's operations, assets, and people. Now that you've found the holes in your cybersecurity needs, you can do an analysis to figure out how to fill them. Using the scores from the risk assessment, your organization can make a plan for what needs to be taken care of first and in what order.

  5. Implementation: With a clear picture of your organization's current cybersecurity efforts from the risk assessment and gap analysis and an idea of what you want to achieve from your goals and plan of action, it's time to implement the NIST Cybersecurity Framework. It's important to remember that your cybersecurity efforts shouldn't stop when you implement the NIST Framework. For the framework to work, it needs to be constantly monitored and improved so that it fits the needs of your business.
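The profile, current-state assessment and gap analysis described in steps 1 to 4 above can be captured in a small tool. The following Python script is an added example, not code from the article or from NIST: it records, per CSF category, the Implementation Tier observed today and the tier the organization's profile calls for, then ranks the open gaps by weighted tier gap. The category identifiers (ID.AM, PR.AC, ...) are CSF v1.1 identifiers; the sample profile and its weights are constructed for illustration.

```python
"""Added example (not from the article): a minimal NIST CSF profile and
gap-analysis helper. Category identifiers are CSF v1.1 identifiers; the
sample profile at the bottom is constructed, not a real assessment."""
from dataclasses import dataclass
from typing import Dict, List

# Implementation Tiers as named in CSF v1.1 (Tier 1 reactive ... Tier 4 proactive).
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class CategoryAssessment:
    function: str    # Identify / Protect / Detect / Respond / Recover
    category: str    # CSF category identifier and name
    current: int     # tier observed in the risk assessment (step 3)
    target: int      # tier the organization's profile calls for (step 2)
    weight: int = 1  # business priority derived from the goals (step 1)

    def __post_init__(self) -> None:
        if self.current not in TIER_NAMES or self.target not in TIER_NAMES:
            raise ValueError(f"{self.category}: tiers must be 1-4")
        if self.weight < 1:
            raise ValueError(f"{self.category}: weight must be >= 1")

    def gap(self) -> int:
        # A category already at or above its target tier has no gap.
        return max(self.target - self.current, 0)

    def priority(self) -> int:
        return self.gap() * self.weight


def prioritized_gaps(profile: List[CategoryAssessment]) -> List[CategoryAssessment]:
    """Step 4: open gaps only, highest weighted gap first, ties by identifier."""
    open_gaps = [a for a in profile if a.gap() > 0]
    return sorted(open_gaps, key=lambda a: (-a.priority(), a.category))


def function_summary(profile: List[CategoryAssessment]) -> Dict[str, int]:
    """Lowest current tier per Function, i.e. where each Function is weakest."""
    lowest: Dict[str, int] = {}
    for a in profile:
        lowest[a.function] = min(lowest.get(a.function, 4), a.current)
    return lowest


# Constructed sample profile with one or two categories per Function.
SAMPLE_PROFILE = [
    CategoryAssessment("Identify", "ID.AM Asset Management", 1, 3, weight=3),
    CategoryAssessment("Identify", "ID.RA Risk Assessment", 2, 3, weight=2),
    CategoryAssessment("Protect", "PR.AC Identity Management and Access Control", 2, 4, weight=3),
    CategoryAssessment("Detect", "DE.CM Security Continuous Monitoring", 1, 3, weight=2),
    CategoryAssessment("Respond", "RS.RP Response Planning", 3, 3),
    CategoryAssessment("Recover", "RC.RP Recovery Planning", 2, 2),
]

if __name__ == "__main__":
    for a in prioritized_gaps(SAMPLE_PROFILE):
        print(f"{a.priority():2d}  {a.category}: Tier {a.current} -> Tier {a.target}")
    for fn, tier in function_summary(SAMPLE_PROFILE).items():
        print(f"{fn}: weakest category at Tier {tier} ({TIER_NAMES[tier]})")
```

Re-running the script after each remediation cycle gives the continuous monitoring that step 5 calls for: the ranked list shrinks as current tiers move toward the profile's targets.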

What is the NIST Cybersecurity Framework History?

The "Improving Critical Infrastructure Cybersecurity" Executive Order (EO) 13636 came out on February 12, 2013. This is when NIST started working with the private sector in the U.S. to "identify existing voluntary consensus standards and industry best practices to build them into a Cybersecurity Framework". The NIST Cybersecurity Framework Version 1.0 is what came out of this work.

The Cybersecurity Enhancement Act (CEA) of 2014 made NIST's work on the Cybersecurity Framework more comprehensive. The NIST CSF is still one of the security frameworks that all U.S. industries use the most.

What are the Results of Non-Compliance with NIST?

Both in terms of lost productivity and damage to a company's reputation, data breaches can have serious effects. Some of the most common results of not following NIST standards are:

  • Loss of Business: If your data is stolen, you could lose your standing as a government contractor. Your business could lose many customers and miss out on future income.

  • Negative Effect on Reputation: Clients don't want to give their private information to a company that has a bad name for not taking data security seriously. If you don't follow NIST standards, it could hurt your company's reputation a lot.

  • Charges of a Crime or a Lawsuit: If it turns out that a cybersecurity breach was caused by carelessness or that you put data at risk on purpose, you could be charged with a crime. Your business could have to pay fines or even be sued for breaking a contract.

  • Impact on Productivity: A major data breach could have a big effect on how productive your company is. As soon as you know about a problem, you must fix it and tell someone about it. This takes resources away from other important tasks so they can be used to deal with the breach, which is the emergency at hand.

What are the Weaknesses of the NIST Cybersecurity Framework for Cloud Security?

The Cybersecurity Framework from the National Institute of Standards and Technology (NIST) is a useful tool that works to improve IT measurements and standards, such as how to protect data well. As organizations use more complex multi-cloud and hybrid cloud environments to support long-term strategies for working from home, the NIST Cybersecurity Framework misses the following important cloud security issues:

  • Audit Files and Reports: Many organizations would be surprised to learn that there is no NIST standard that says log files should be kept for more than 30 days. When you think about how much information is in logs, this is a very short amount of time. This lack of retention makes it hard for organizations, especially large enterprises, to make reports. Since it takes more than four months on average to find a data breach, the current limit of 30 days just isn't enough. By keeping audit logs for a longer time, IT teams can be sure they have the forensic data they need to look into the possible causes of security incidents. This ability is also an important part of staying in line with data privacy laws like GDPR.

  • Shared Responsibility: Many people don't know who is in charge of security in the cloud, especially in businesses that use multi-cloud or hybrid cloud environments. Even on high-level cloud platforms like SaaS, many security tasks still fall to the customer's IT team. Identity and access management is a shared responsibility in PaaS and SaaS solutions. An effective implementation plan is needed to set up an identity provider, configure administrative services, create and configure user identities, and set up service access controls.

    More organizations are moving their business applications to cloud-hosted environments as part of digital transformation projects and work-from-home (WFH) initiatives. Even though the "shared responsibility" model makes it clear what a cloud provider and its customers must each do to keep data safe, there are still gaps in visibility and security monitoring of applications that need to be closed. As more companies move to the cloud to save money and improve how their businesses work, closing these gaps is more important than ever for reaching the highest level of security.

  • Tenant Delegation: Least privilege access is implied by NIST, but it doesn't say anything about tenant delegation or "virtual tenants". Virtual tenants keep admins from messing with parts of the environment where they don't belong. They let admins control their "virtual" areas, which helps protect M365 data and resources. When it comes to PII and intellectual property, it makes sense that a lack of tenant delegation creates major security problems. As a result, organizations, especially large ones with a lot of locations, should think about using tools that help separate access to different business units to improve overall security.

  • Rules and Roles for Admin: The Microsoft Application Administrator role carries about 75 permissions, and neither the people at Microsoft nor the people in enterprise IT can readily say what each of them means. If a user is given the Application Administrator role, it is almost impossible to know exactly what access that user has, which creates unnecessary security risk. IT workers have to do things like create new user accounts and change passwords as part of their jobs, but these tasks don't fit neatly into a single role; they are more fluid. Because of this, traditional methods like role-based access control (RBAC) don't work as well.

  • Functional Access Control (FAC): Functional Access Control (FAC) is a way to achieve least privilege access and can be thought of as a refinement of RBAC. The FAC approach, which NIST supports, is a more granular way to decide what an IT administrator can do. This lets organizations give the right amount of access to the right users, which improves security.

    Research shows that security is the biggest issue for almost two-thirds of organizations when it comes to adopting the cloud. This makes the NIST Cybersecurity Framework a useful tool for IT leaders who want to keep data safe.

    The Framework is a good thing to remember, as long as organizations know that following recommended standards does not protect them from all possible security problems.