Businesses, governments, educational institutions, and society all use computers, handheld devices, and electronic storage on a daily basis. Life and work depend on the secure and reliable functioning of these devices. With the widespread use of such technology, international cooperation and transnational business have also increased significantly. Consequently, it is now vital that all entities involved maintain an equal level of security. Such measures engender trust and also improve efficiency. To encourage better cyber security standards in the U.S., the National Institute of Standards and Technology (NIST) formulated a Cybersecurity Framework (CSF). Do you know what the 5 functions of the NIST CSF are? Keep reading to learn more about NIST’s cybersecurity framework and what you can expect from a cyber security provider.
History of NIST Compliance
In 1901, the U.S. Congress founded NIST after numerous academics voiced their concerns about the need for domestic and industrial measurement standards. It was understandably difficult to produce quality work, much less collaborate, when different versions of the gallon and the foot were in use. Consequently, the NIST council convened with the goal of enabling better cross-industry and cross-country cooperation. At first, the Institute sought to create a common language, or list, of standard weights and measures. Additionally, NIST advocated a means to publicly distribute the new standards.
NIST Cybersecurity Development
As technology improved, new standards evolved and NIST’s focus expanded to protecting critical infrastructure. In 2013, the government began formulating ways to better integrate cyber standards into other sectors, realizing that more than just critical infrastructure entities could be targeted. These standards were compiled into the CSF, which outlines best practices and recommendations. However, unlike other government offices, NIST does not require compliance; rather, it encourages use through resources like the National Voluntary Conformity Assessment Systems Evaluation (NVCASE). NIST also provides various other resources for implementation and evaluation.
The goal is not to be another burdensome regulatory agency, but rather to break down communication and trust barriers between businesses, universities, and governments. If every enterprise strives for the highest security standards, greater efficiency and, hopefully, international cooperation will be possible.
What’s Included in the CSF?
NIST divides the CSF into three sections: the core, implementation tiers, and profiles. The core outlines the general goals of the framework, suggested security infrastructure improvements, and the expected outcomes. The core is also designed to introduce a standard cybersecurity language. The tiers allow entities to identify their priorities and are based on the assumption that different entities face different cybersecurity risks. Enterprises can read through the tier qualifications (e.g., level of budget, size of company) and identify which tier, and which subsequent guidelines, best fit their businesses. Lastly, the profile section guides entities through a self-assessment and helps them identify how to best allocate resources, identify priority threat vectors, and design a unique plan for strengthening their organization’s cybersecurity infrastructure.
The 5 Core Functions of NIST CSF
The NIST security framework created the 5 functions to simplify and streamline the process of improving cybersecurity infrastructure. The functions serve as an abstract guideline, or stepping stone, from which to start building a well-rounded cybersecurity strategy.
The NIST cybersecurity framework recommends starting with the identify function, which is a self-assessment. This encompasses every aspect of an enterprise, from people to assets to data to capabilities. For example, a company may first formulate an Asset Management program, designed to scrutinize physical and technical assets and the worth and threat level each carries. Next, entities must consider the roles they play in society (e.g., supply chain, government, business, research institution, critical infrastructure). Depending on the role, each entity will have different needs to address. Enterprises must then examine the existing internal regulations or programs already in place to protect data and verify they meet the legal standards required. After examining all these areas, entities should determine their cyber risk tolerance, such as the potential financial or productivity impact they could withstand in the event of a security breach. To help in this endeavor, NIST provides an additional Risk Management Framework.
The protect function focuses on maintaining the functionality of critical infrastructure in the event of a breach. Additionally, measures implemented in this category attempt to minimize the impact of cybersecurity attacks. If implemented correctly, access should remain uncompromised (i.e., at no point should an entity be completely locked out of a system), both on location and regarding remote access. Employees should be aware of the necessary channels and procedures used to alert management in the event of a detected threat.
Although entities hope they never become victims of cyber attacks, it’s highly likely that every entity will experience a cyber attack, in some form, during its lifetime. Consequently, the detect function calls for constantly scanning the infrastructure and systems for anomalies. Detecting a breach early may be the difference between a damaging attack and a detrimental one. The best option is to have monitoring processes in place with backup systems, so that if one detection system fails, another will catch the suspicious activity. Along with system monitoring, on-premises detection safeguards are also beneficial, as physical threat surfaces may serve as a breach entry point.
The respond function covers exactly what one might think: what steps to take when a breach occurs and how to contain the damage. Response planning often depends on the strategy and goals each enterprise prioritizes. Designating liaisons in a time of crisis will help streamline the incident response process. Who is in charge of contacting stakeholders and law enforcement? If an incident occurs, entities should analyze how the response plan held up in an actual scenario. What steps were taken, and were they taken in order of priority (e.g., mitigation, alerts, analysis)? Lastly, what lessons can be learned from an incident, and how can entities improve their incident response procedures?
After the initial breach is mitigated, the recover function focuses on how to restore normal operations. It encompasses analyzing existing strategies, re-prioritizing when necessary, and improving recovery plans. Coordination and communication channels are just two examples of areas to consider when editing or formulating a recovery plan.
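The profile self-assessment described above (a Current Profile compared against a Target Profile, weighted by the entity's own risk priorities per function) can be turned into a simple gap-ranking tool. This is an added example, not code from the original post or from NIST; the subcategory identifiers are from CSF 1.1, while the 1-4 maturity scores (named after the implementation tiers), the function weights and the sample profiles are constructed assumptions.

```python
"""Rank CSF profile gaps so the largest, highest-priority ones are addressed first."""
from dataclasses import dataclass

# Assumption: each subcategory is scored 1-4 using the tier names as a maturity scale.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
# CSF 1.1 subcategory prefixes map onto the five core functions.
PREFIX_TO_FUNCTION = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                      "RS": "Respond", "RC": "Recover"}

@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    score: float  # (target - current) * function weight; larger = address first

def gap_analysis(current, target, weights):
    """Return gaps sorted by score (descending), then by subcategory id.

    current/target: {subcategory_id: 1..4}. Subcategories missing from the
    target are out of scope; subcategories missing from the current profile
    are treated as unassessed (Partial). weights: {function_name: float}.
    """
    gaps = []
    for sub, want in target.items():
        if want not in TIERS:
            raise ValueError(f"{sub}: {want} is not a valid level")
        func = PREFIX_TO_FUNCTION[sub.split(".")[0]]
        have = current.get(sub, 1)
        delta = want - have
        if delta > 0:
            gaps.append(Gap(sub, func, have, want, delta * weights.get(func, 1.0)))
    return sorted(gaps, key=lambda g: (-g.score, g.subcategory))

def function_totals(gaps):
    """Roll gap scores up per core function, e.g. to see which function lags most."""
    totals = {}
    for g in gaps:
        totals[g.function] = totals.get(g.function, 0.0) + g.score
    return totals

# Constructed sample profiles: an entity that prioritises Detect and Identify.
SAMPLE_CURRENT = {"ID.AM-1": 2, "PR.AC-1": 3, "DE.CM-1": 1, "RS.CO-2": 2, "RC.RP-1": 1}
SAMPLE_TARGET = {"ID.AM-1": 3, "ID.RM-1": 2, "PR.AC-1": 3, "DE.CM-1": 3,
                 "RS.CO-2": 3, "RC.RP-1": 2}
SAMPLE_WEIGHTS = {"Detect": 1.5, "Identify": 1.2}

if __name__ == "__main__":
    for g in gap_analysis(SAMPLE_CURRENT, SAMPLE_TARGET, SAMPLE_WEIGHTS):
        print(f"{g.subcategory:8} {g.function:8} {TIERS[g.current]} -> {TIERS[g.target]}  score={g.score}")
```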
Benefits of CSF
The CSF allows all levels of an entity to communicate clearly. With standard semantics, employees at any level — strategic, operational, and tactical — can better understand each other’s needs and provide better solutions. Improved internal communication will also benefit external transactions, including those with suppliers and clients. Utilizing the three sections of the CSF — the core, implementation tiers, and profiles — entities can make better informed decisions. Rather than only looking at immediate threats or attempting to implement a damage control strategy, the CSF takes a holistic approach to decision making, examining priorities, resources, current and future risks, and assets.
The CSF is not exclusive to any one industry; rather, it can be adapted for any sector. The CSF focuses on outcomes, recognizing that there is no one-size-fits-all cybersecurity strategy. The more sectors that adopt the lexicon and process the CSF outlines, the easier communication and collaboration will become. Consequently, universities have begun utilizing CSF terminology as well.
NIST Roadmap for CSF
NIST’s Roadmap serves as a companion resource to the CSF. It outlines 14 high-priority areas to consider when implementing the CSF. The list below can be used as an initial checklist when setting up security protocols or examining existing ones.
- Confidence Mechanisms
- Cyber-Attack Lifecycle
- Cybersecurity Workforce
- Cyber Supply Chain Risk Management
- Federal Agency Cybersecurity Alignment
- Governance and Enterprise Risk Management
- Identity Management
- International Aspects, Impacts, and Alignment
- Measuring Cybersecurity
- Privacy Engineering
- Referencing Techniques
- Small Business Awareness and Resources
- Internet of Things (IoT)
- Secure Software Development
For a more extensive and proactive cybersecurity review, NIST also provides 9 other broad categories to consider:
- Authentication – As NIST notes, many different authentication practices exist (2FA, biometric identification, etc.). However, most of the practices in place focus on human identification and not automated device authentication. As machine learning and Artificial Intelligence (AI) become more incorporated in all sectors, it is important to reassess access safeguards for all entities handling data.
- Automated Indicator Sharing – Identify who should be alerted immediately if a breach occurs and set up an automated system to disseminate information on how to proceed. Such systems can be operated internally or externally (i.e., between entities). This will improve reaction time and, hopefully, mitigate the damage of a security breach. The U.S. Computer Emergency Readiness Team (US-CERT) operates a free Automated Indicator Sharing (AIS) service designed to promote communication between federal agencies and private sector entities when cyber attacks occur.
- Conformity Assessment – It is important to make sure all products, services, and systems are properly implemented and consistently perform their designated operations. This risk assessment stage is designed to improve understanding and provide insight into areas that need to be strengthened. It also tends to overlap with the profile aspect of the CSF.
- Cybersecurity Workforce – Employing cybersecurity experts is key to combating cyber threats. Employees must be knowledgeable about critical infrastructure and understand the most current threats facing enterprises. Investing in training programs and partnering with educational institutions will help fill the growing demand for cybersecurity positions and ensure a knowledgeable, practical workforce enters the market. Consequently, the NIST framework encourages universities to incorporate CSF terminology into their curricula.
- Data Analytics – Collecting data alone is not enough. The real benefit comes from analysis, specifically using analytic tools and methods. Only then can correlations or causation be identified and remedied. Recent analytic tools have been migrating toward integrating machine learning. Such analytic tools can be purchased on a monthly basis (i.e., including software, hardware, and reports) or managed internally.
- Federal Agency Cybersecurity Alignment – For entities in the federal sector, the CSF and related guides are designed to incorporate and enhance existing cybersecurity measures. They are not designed to overhaul them or to be an additional regulatory burden.
- International Impact and Alignment – Countries are developing policies and strategies around critical digital infrastructure, understanding that it serves as the base for technological innovation. In order to remain competitive, U.S. entities must follow suit. Global interconnection further requires that companies remain continually up-to-date and assess their priorities and systems on a regular basis.
- Supply Chain – In the process of strengthening internal security, supply chain logistics can sometimes be overlooked. However, design, production, collaboration, and distribution must also be analyzed for weaknesses. An exhaustive cybersecurity strategy will help increase trust when sharing information.
- Technical Privacy Standards – Few guidelines actually specify the scope of privacy infringement; each entity has different priorities and, consequently, a subjective version of adequate privacy measures. Additionally, mitigating business risk sometimes dominates policies over concerns regarding customer or societal privacy. NIST believes more standards must take into consideration how to best balance protecting business assets and maintaining customer privacy.
Due to the open-ended nature and flexibility of NIST’s CSF, it may be unclear where to begin. Both federal agencies and businesses are still figuring out how exactly to incorporate the new guidelines into existing procedures. The NIST framework provides several different implementation scenarios, which are helpful for gaining a better understanding of the many implementation options. Other sources suggest taking one broad concept and then building off of it. For example, first assess how security breaches are reported. Examining communication channels will naturally branch into different endpoints, which will then fall under a new category of scrutiny, such as personnel conduct, system safeguards, or physical security. Once an entity finds a starting place, it can then follow a natural flow through the 5 functions and the Risk Management guidelines.
The adaptability of NIST’s CSF means each entity will have a different implementation flow, depending on what best fits its priorities and resources. Additionally, NIST continues to highlight success stories. The University of Chicago implemented the CSF across its biological departments, noting that new scientific technology is vulnerable to cyber attacks. The university documented its process, highlighting not only the challenges it faced but also the beneficial outcomes.
As the CSF becomes broadly implemented across all sectors, more stories will emerge and provide greater insight into CSF implementation. For help creating a personalized CSF action plan, or simply to gain a better understanding of CSF recommendations, contact RSI Security today.