With the recent Colonial Pipeline and SolarWinds attacks, the question of infrastructure security is firmly in the collective consciousness. With President Biden's Executive Order directing federal resources toward strengthening cybersecurity, the government is turning to gaps that have been open for years.
This reality calls for private contractors, and for any business providing critical-infrastructure services in areas such as energy, defense or financial services, to take the right steps to address these issues. Fortunately, the NIST Framework for Improving Critical Infrastructure Cybersecurity provides a thorough risk management framework to help.
What is the Cybersecurity Framework and Why Was it Created?
The NIST Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the Cybersecurity Framework or CSF, is by and large voluntary for private organizations but provides a clear and effective set of guidelines, standards and practices to support better security and business operations. It originated in Executive Order 13636 of February 2013, which directed NIST to develop a framework for protecting the increasingly interconnected infrastructure systems of the public and private sectors; version 1.0 was published in February 2014. Additionally, the Cybersecurity Enhancement Act of 2014 gave NIST an ongoing mandate to maintain such frameworks to help organizations manage risk against current and emerging threats.
At the center of the CSF is the idea of “critical infrastructure”, defined in the 2001 Patriot Act as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
As you might have guessed, that definition can cover a lot of organizations and operations, particularly those that have to do with social and economic logistics. Therefore, to help protect these assets, NIST divides CSF into three parts:
- The Framework Core defines a common set of cybersecurity activities and desired outcomes that apply across industries, organized into Functions, Categories and Subcategories, each mapped to Informative References (existing standards such as ISO/IEC 27001, COBIT and NIST SP 800-53). The five Functions, taken together, provide a high-level view of the cybersecurity risk lifecycle:
- Identify: understand the systems, assets, data and capabilities that need protecting, and the risks to them
- Protect: implement safeguards to limit the impact of a potential event
- Detect: identify the occurrence of a cybersecurity event in a timely manner
- Respond: take action on a detected incident to contain its impact
- Recover: restore capabilities and services impaired by an incident, and improve resilience
- The Framework Implementation Tiers characterize, in the context of the organization, the rigor of its risk management process, how well cybersecurity risk is integrated into its wider risk management program, and how it participates with other entities in its industry. The Tiers are numbered as follows:
- Tier 1 – Partial: Risk management is ad hoc rather than formal, and the organization has only a limited understanding of its cybersecurity needs. It does not necessarily participate in the larger industry or exchange information with other entities.
- Tier 2 – Risk-Informed: Risk management practices are approved by management but are not yet established as organization-wide policy, and cybersecurity practices are implemented in the same uneven way. Industry participation is minimal: the organization is aware of its role and receives information from other entities, but may not share its own.
- Tier 3 – Repeatable: Risk management and cybersecurity practices are formally approved as policy organization-wide, and the organization monitors risk consistently. It also collaborates with vendors, contractors and industry peers to address widespread security issues.
- Tier 4 – Adaptive: The organization adapts its cybersecurity practices continuously based on lessons learned and predictive indicators drawn from past and current activity, and it shares information in real time with peer organizations and contractors in its industry.
- A Framework Profile maps the Core's outcomes to your organization's business needs, risk tolerance and resources. In practice you build a Current Profile of what you do today and a Target Profile of what you need to do; the gap between them drives a prioritized improvement plan that aligns security, risk, business goals, standards and policies.
CSF is first and foremost a risk assessment and management framework, one that almost any data-driven business or agency can use to manage its security policy.
More importantly, it should force you to consider your business's role in national infrastructure. The line between national assets and private business is getting hazier every day. As the SolarWinds and Colonial Pipeline attacks show, foreign attackers are targeting more than just government and defense agencies: they are going after critical energy and security infrastructure, including the cloud and software-supply-chain assets that companies across the country depend on.
If you fall under the definition of critical infrastructure, then risk management is imperative. You must ensure that your organization has a clear understanding of the risks and security requirements specific to your industry, and, more specifically, of the role your company plays in your industry's collective cybersecurity.
Even if you are not critical infrastructure, you should consider adopting the NIST CSF risk management process. It was built through collaboration among academics, national security experts and industry leaders to help IT providers manage their risk better. NIST CSF does not stand in for any specific compliance obligation you may have, but it does add a layer of assessment and readiness to your organization, meaning a more secure infrastructure and a better position to serve peers in your industry and your country.
Updates for NIST CSF 1.1
CSF was updated in April 2018 to version 1.1, which added clarifications and changes to better suit modern threats:
- Clarified that the word "compliance" can be confusing and does not describe how the framework is meant to be used (that is, it is not a checklist requirement but a tool for better security).
- Added a new section on self-assessment to help organizations measure themselves against the framework without needing an outside assessor.
- Expanded the section on communicating cybersecurity requirements to stakeholders, with particular attention to supply chain risk management, and added a Supply Chain Risk Management category (ID.SC) to the Core.
- Refined the language on identity, authentication and authorization, renaming the Access Control category (PR.AC) to Identity Management, Authentication and Access Control.
Let Continuum GRC help you on your journey to NIST CSF
NIST CSF is an important risk framework for any company in almost any industry. Even if you are not operating critical infrastructure, chances are you are working with data and cloud technology of some sort, and a framework like CSF is a great resource for getting your team on board with protecting that data.
If you are interested in NIST CSF and want expert help implementing it, call Continuum GRC. Continuum GRC offers the IT Audit Machine, an advanced platform for automating audits and compliance.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization's cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.