The last few years have transformed cybersecurity and data protection from niche concerns to major problems as both individuals and organizations suffered from an unprecedented wave of cyberattacks and data breaches. Governments around the world have stepped up and introduced legislation that makes data protection mandatory by law. Focusing on data subjects’ rights, regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) put companies under the legal obligation of ensuring that the personal data they process is secure.
With cybersecurity and data protection becoming common compliance requirements, many organizations are at a loss as to where to begin integrating them into their processes. The Cybersecurity Framework, introduced by the National Institute of Standards and Technology (NIST), has emerged as an effective guide to cybersecurity best practices at the company level, not only in the US but across the world. Although written with critical infrastructure in mind, it covers the full range of cybersecurity outcomes, including the protection of removable media (subcategory PR.PT-2, "Removable media is protected and its use restricted according to policy", in version 1.1).
Development and Adoption of the Cybersecurity Framework
The Cybersecurity Framework provides a structured approach to cybersecurity risk management, helping organizations understand, prioritize, and manage their cybersecurity risks. It was developed in response to Executive Order 13636, issued in February 2013 by then US President Barack Obama, which called for a voluntary, risk-based, cost-effective cybersecurity framework for the country's critical infrastructure, including sectors such as transport, energy, and healthcare. While NIST led the effort, more than 3,000 industry professionals and cybersecurity experts from small and large private sector organizations contributed to the development of the Cybersecurity Framework.
First published by NIST in February 2014 (version 1.0) and updated in April 2018 (version 1.1) to incorporate feedback from industry, government, and academia, the Cybersecurity Framework has been widely accepted across all sectors as a roadmap to the standards, guidelines, and practices that need to be applied to manage and reduce cybersecurity risk. The structure described below (five Functions, 23 Categories, 108 Subcategories) is that of version 1.1; NIST published CSF 2.0 in February 2024, which adds a sixth Function, Govern, and reorganizes the Categories, so organizations mapping against the Framework today should check which version their auditors or customers expect.
While the Cybersecurity Framework was developed as a voluntary framework, in May 2017 President Donald Trump issued Executive Order 13800, which directed all federal agencies to use the Cybersecurity Framework to manage their cybersecurity risk, effectively making it mandatory for them.
The Cybersecurity Framework serves as a foundation for any robust cybersecurity program, providing a comprehensive approach to managing cyber threats. Internationally, countries like Israel, Italy, Uruguay, and Japan have adopted it in its original form or adapted versions of it. Companies that have embraced the Cybersecurity Framework across the globe include Microsoft, Boeing, Intel, JP Morgan Chase, and many others.
The Core
The Cybersecurity Framework is divided into three main components: the Core, Implementation Tiers, and Profiles. The Framework Core is a set of cybersecurity activities, desired outcomes, and informative references that are common across critical infrastructure sectors. It is designed to enhance risk management processes within organizations and is broken down into four elements:
- Functions organize cybersecurity outcomes at the highest level. There are five: Identify, Protect, Detect, Respond, and Recover. Together they span the lifecycle of managing cybersecurity risk: knowing which assets, systems, and risks exist; putting safeguards in place that limit the impact of an incident; spotting events when they occur; and responding to them and recovering in the aftermath of an attack.
- Categories sit within each Function and group outcomes tied to programmatic needs and particular activities. Examples include Asset Management, Detection Processes, and Security Continuous Monitoring. Version 1.1 has 23 Categories spread across the five Functions.
- Subcategories divide each Category into specific, outcome-driven statements; there are 108 in total. Asset Management (ID.AM), for example, has six, including inventories of physical devices and systems within the organization, inventories of software platforms and applications, and established cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders.
- Informative References map each Subcategory to specific sections of existing standards, guidelines, and practices, such as ISO/IEC 27001, NIST SP 800-53, COBIT, the CIS Controls, and ISA/IEC 62443. They do not prescribe how to implement a control; they point to where established controls that achieve the outcome are already specified.
The Implementation Tiers
The second major component of the Cybersecurity Framework is the Implementation Tiers. Tiers describe how an organization views cybersecurity risk and the processes it has in place to manage it, from informal and reactive to agile and risk-informed. NIST is explicit that the Tiers are not maturity levels: an organization selects the Tier that fits its risk appetite, legal and regulatory requirements, and budget, and moving to a higher Tier is encouraged only where it reduces risk cost-effectively. There are four Tiers:
- Tier 1 (Partial): risk management is ad hoc and often reactive, organizational awareness of cybersecurity risk is limited, and cybersecurity activities are performed irregularly, case by case, with little sharing of information inside or outside the organization.
- Tier 2 (Risk Informed): management has approved risk management practices, but they may not be established as organization-wide policy, so awareness exists at the organizational level while implementation remains uneven across units.
- Tier 3 (Repeatable): risk management practices are formally approved and expressed as policy, applied consistently across the organization, and updated regularly as business requirements, technology, and the threat landscape change; staff have the knowledge and skills to perform their roles.
- Tier 4 (Adaptive): the organization adapts its practices based on lessons learned and predictive indicators derived from previous and current activities. Cybersecurity risk management is part of the organizational culture, security controls evolve with changes in the IT architecture and the threat landscape, and the organization actively shares threat and incident information with partners.
The Profiles
Profiles are the way organizations identify and prioritize opportunities for improving their cybersecurity practices. This is done by comparing a company's current profile against a target profile, both expressed in terms of the Cybersecurity Framework.
To build a current profile, organizations map their existing cybersecurity practices onto the Framework's subcategories and record how far each outcome is achieved today. The target profile is built from the same subcategories, selected and weighted according to the company's business objectives, operational environment, regulatory requirements, and risk appetite. Comparing the two profiles exposes the gaps between existing practice and the desired level of cybersecurity, lets the organization rank those gaps by business impact, and provides the basis for an implementation plan suited to its specific circumstances and budget.
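The profile comparison described above, carried out in code, as an added example that is not from the original article or from NIST. The subcategory identifiers are CSF 1.1 IDs (for instance ID.AM-1, physical devices and systems are inventoried); the 0-4 implementation-state scale, the business priorities, and both profiles are constructed for illustration and are assumptions, not a NIST scoring scheme. The script lists the gaps in priority order, totals the shortfall per Function, and flags subcategories practised today that the target profile forgot to include.

```python
"""Gap analysis between a current and a target Cybersecurity Framework profile.

Added example for this article; not NIST code. Subcategory identifiers are the
CSF 1.1 IDs (e.g. ID.AM-1 = physical devices are inventoried). The 0-4 state
scale, the priorities and both profiles below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed implementation-state scale for one subcategory (not a NIST scale;
# NIST's Implementation Tiers apply to the organization, not to single controls):
#   0 not performed, 1 ad hoc, 2 documented, 3 consistently implemented,
#   4 measured and continuously improved.


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    priority: int  # 1 = highest business priority

    @property
    def delta(self) -> int:
        """How many state levels short of the target this subcategory is."""
        return self.target - self.current


def find_gaps(current: dict[str, int],
              target: dict[str, tuple[int, int]]) -> list[Gap]:
    """Return the subcategories whose current state falls short of the target.

    current: subcategory -> implementation state
    target:  subcategory -> (desired state, business priority)
    A subcategory the current profile never mapped is scored 0: if nothing was
    mapped to it, nothing has been demonstrated for it. Results are ordered by
    priority, then by size of the shortfall, then by ID so the list is stable.
    """
    gaps = [
        Gap(subcat, current.get(subcat, 0), desired, priority)
        for subcat, (desired, priority) in target.items()
        if current.get(subcat, 0) < desired
    ]
    return sorted(gaps, key=lambda g: (g.priority, -g.delta, g.subcategory))


def summarize_by_function(gaps: list[Gap]) -> dict[str, int]:
    """Total shortfall per Function (ID, PR, DE, RS, RC), read off the ID prefix."""
    totals: dict[str, int] = {}
    for g in gaps:
        function = g.subcategory.split(".", 1)[0]
        totals[function] = totals.get(function, 0) + g.delta
    return totals


def unmapped_subcategories(current: dict[str, int],
                           target: dict[str, tuple[int, int]]) -> set[str]:
    """Subcategories practised today but absent from the target profile.

    Usually a sign that the target profile is incomplete rather than that the
    control is unnecessary; worth reviewing before the target is signed off.
    """
    return set(current) - set(target)


# Constructed current profile: existing practices mapped to CSF 1.1 subcategories.
CURRENT_PROFILE: dict[str, int] = {
    "ID.AM-1": 3,  # physical devices and systems inventoried
    "ID.AM-2": 1,  # software platforms and applications inventoried
    "ID.AM-6": 0,  # cybersecurity roles and responsibilities established
    "PR.AC-1": 2,  # identities and credentials managed
    "PR.DS-1": 2,  # data-at-rest protected
    "DE.CM-1": 2,  # network monitored for cybersecurity events
    "RS.RP-1": 1,  # response plan executed during or after an incident
}

# Constructed target profile: (desired state, priority) derived from business needs.
TARGET_PROFILE: dict[str, tuple[int, int]] = {
    "ID.AM-1": (3, 1),
    "ID.AM-2": (3, 1),
    "ID.AM-6": (2, 2),
    "PR.AC-1": (3, 1),
    "DE.CM-1": (3, 2),
    "RS.RP-1": (3, 2),
    "RC.RP-1": (2, 3),  # recovery plan executed; never mapped in the current profile
}


if __name__ == "__main__":
    gaps = find_gaps(CURRENT_PROFILE, TARGET_PROFILE)
    for gap in gaps:
        print(f"P{gap.priority} {gap.subcategory}: {gap.current} -> {gap.target} (+{gap.delta})")
    print("shortfall by function:", summarize_by_function(gaps))
    print("in current profile but not in target:",
          unmapped_subcategories(CURRENT_PROFILE, TARGET_PROFILE))
```

Two design points carry over to real assessments: a subcategory missing from the current profile is treated as unaddressed rather than skipped, because an unmapped outcome is exactly the kind of blind spot the comparison exists to surface, and the reverse check (practices with no counterpart in the target) catches target profiles that were drawn up too narrowly before budget is committed to them.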
Broadening the Scope: Understanding NIST 800-171 Compliance
To round out the picture of NIST's role in cybersecurity, it is worth considering another important publication, NIST Special Publication 800-171. This standard sets out the security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations, and Revision 3 adds a supply chain risk management family to secure the broader business ecosystem. NIST 800-171 compliance is a contractual matter rather than a voluntary choice for contractors that handle CUI for US federal agencies.
Among its requirements, NIST 800-171 calls for FIPS-validated cryptography whenever cryptography is used to protect the confidentiality of CUI (requirement 3.13.11 in Revision 2), along with cryptographic protection of CUI in transit and on mobile devices and removable media. In practice this means verifying that the cryptographic modules and libraries in use hold a FIPS 140 validation, not merely that "encryption" is switched on. These requirements are central to keeping unauthorized individuals from gaining access to CUI, so NIST 800-171 compliance should be a high priority for any organization handling it.
If your organization falls into this category, or if you simply want to broaden your understanding of NIST's cybersecurity standards, our NIST 800-171 compliance guide provides further detail. Data security is not a one-size-fits-all strategy; understanding which standards apply to your operations is crucial to building an effective cybersecurity plan.
In Conclusion
The NIST Cybersecurity Framework is detailed guidance on cybersecurity best practices, built by professionals in the field. It has been widely embraced by industry giants and governments across the world, and it provides an excellent starting point both for compliance with data protection regulations and for a cybersecurity plan that guards against threats and risks.
For those new to the Cybersecurity Framework, a quick start guide is available on nist.gov. If you are ready to start becoming NIST compliant, visit Endpoint Protector by CoSoSys to learn how we can help. Given the Framework's breadth, no single product will fulfil all of its outcomes; organizations should combine multiple technologies and processes to meet their stated goals. Organizations should conduct a thorough evaluation of Endpoint Protector to ensure it meets their own compliance needs, and they are solely responsible for determining whether using Endpoint Protector is appropriate for achieving their NIST compliance.