Every organization benefits from eliminating cyber security risks, and the NIST Cybersecurity Framework (CSF) is an excellent starting place even if you already have other compliance requirements to consider.
Cyber security assessments, risk management, and compliance can be difficult without an automated system in place, which helps you understand the full scope of requirements. Manual processes only cause unnecessary burdens and increase the likelihood of failures.
The NIST CSF for Improving Critical Infrastructure Cybersecurity, commonly referred to as the NIST Cybersecurity CSF (CSF), provides private sector organizations with a structure for assessing and improving their ability to prevent, detect and respond to cyber incidents. Version 1.1 was published by the US National Institute of Standards and Technology (NIST) in April 2018 and has seen fast adoption across various industries.
The CSF uses business drivers to guide cybersecurity activities and considers cybersecurity as part of an organization’s risk management processes. Many organizations are embracing the CSF to help manage their cybersecurity risks.
What is the CSF, and what is it designed to accomplish?
The CSF is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and mitigate risks, it was designed to foster risk and cybersecurity management communications among internal and external organizational stakeholders.
Why should an organization use the CSF?
The CSF will help an organization to understand better, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to assure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity. Providing a common language to address cybersecurity risk management is especially helpful in communicating inside and outside the organization. That includes improving communications, awareness, and understanding between and among IT, planning, operating units, and senior executives of organizations. Organizations also can readily use the CSF to communicate the current or desired cybersecurity posture between a buyer or supplier.
When and how was the CSF developed?
Version 1.0 of the CSF was prepared by the National Institute of Standards and Technology (NIST) with extensive private sector input and issued in February 2014. The CSF was developed in response to Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, published in 2013. Among other things, the EO directed NIST to work with industry leaders to develop the CSF. The CSF was developed in a year-long, collaborative process in which NIST served as a convener for industry, academia, and government stakeholders. That took place via workshops, extensive outreach and consultation, and a public comment process. NIST’s future CSF role is reinforced by the Cybersecurity Enhancement Act of 2014 (Public Law 113-274), which calls on NIST to facilitate and support the development of voluntary, industry-led cybersecurity standards and best practices for critical infrastructure. This collaboration continues as NIST works with stakeholders from across the country and worldwide to raise awareness and encourage the use of the CSF. The most recent version, CSF V1.1, was released on April 16, 2018, following a 45-day public comment period on the second draft of CSF V1.1.
What’s new in CSF V1.1?
The most recent version, CSF V1.1, was released on April 16, 2018. The changes made for CSF V1.1 include:
- Declares applicability of the CSF for “technology,” which is minimally composed of information technology, operational technology, cyber-physical systems, and Internet of Things,
- Enhances guidance for applying the CSF to supply chain risk management,
- Summarizes the relevance and utility of CSF measurement for organizational self-assessment,
- Better accounts for authorization, authentication, and identity proofing, and
- Administratively updates the Informative References.
The 3 Parts of the CSF
- CSF Core – The CSF core is a set of cybersecurity activities, desired outcomes, and applicable references common across critical infrastructure sectors. It consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, and Recover.
- Implementation Tiers – Implementation tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the CSF over a range from Partial (Tier 1) to Adaptive (Tier 4).
- CSF Profile – A CSF profile represents the Core Functions’ Categories and Subcategories prioritized by an organization based on business needs and can measure the organization’s progress toward the Target Profile.
The 5 Core Functions
When considered together, the 5 Core Functions provide a strategic view of an organization’s cybersecurity risk management’s lifecycle and should be treated as a critical reference point. Here are the 5 Functions and how to comply with them:
- Identify – Organizations must develop an understanding of their environment to manage cybersecurity risk to systems, assets, data, and capabilities. To comply with this Function, it is essential to have full visibility into your digital and physical assets, their interconnections, and defined roles and responsibilities and understand your current risks and exposure and put policies and procedures into place to manage those risks.
- Protect – Organizations must develop and implement the appropriate safeguards to limit or contain the impact of a potential cybersecurity event. To comply, your organization must control access to digital and physical assets, provide awareness education and training, put processes into place to secure data, maintain baselines of network configuration and operations to repair system components promptly, and deploy protective technology to ensure cyber resilience.
- Detect – Organizations must implement the appropriate measures to identify cybersecurity events quickly. The adoption of continuous monitoring solutions that detect anomalous activity and other operational continuity threats is required to comply with this Function. Your organization must have visibility into its networks to anticipate a cyber incident and have all information at hand to respond to one. Continuous monitoring and threat hunting are very effective ways to analyze and prevent cyber incidents in ICS networks.
- Respond – Should a cyber incident occur, organizations must have the ability to contain the impact. To comply, your organization must craft a response plan, define communication lines among the appropriate parties, collect and analyze information about the event, perform all required activities to eradicate the incident, and incorporate lessons learned into revised response strategies.
- Recover – Organizations must develop and implement effective activities to restore any impaired capabilities or services due to a cybersecurity event. Your organization must have a recovery plan in place, be able to coordinate restoration activities with external parties, and incorporate lessons learned into your updated recovery strategy. Defining a prioritized list of action points that can be used to undertake recovery activity is critical for a timely recovery.
Let Continuum GRC help you on your journey to NIST Cyber Security CSF
All businesses within the public-private sectors concerned about security will find the NIST CSF indispensable for national and economic security. Even if you are not seeking FISMA attestation or certifications, the NIST CSF is the best place to start securing your organization.
Continuum GRC offers you the Continuum GRC IT Audit Machine, an advanced automated software tool to streamline your CSF assessment program. Additionally, because the CSF aligns with many other compliance CSFs, you can automatically map to other requirements.
The Continuum GRC IT Audit Machine smart digital hub leads you and your team through from start to finish systematically and rapidly saving time, trouble, and money.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
Want to learn more?