If you get anxious the second someone mentions cybersecurity, you’re not alone. It can feel overwhelming to look at recent statistics, and many leaders of small to midsize businesses and nonprofits have felt like they can’t possibly fight increasingly sophisticated cybercriminals around the world all by themselves.
There’s good news: no organization has to do battle alone, and without additional resources. Back in 2014, the United States government directed the National Institute of Standards and Technology (NIST) by executive order to work with industry leaders to develop a cybersecurity framework (CSF).
WHY WAS THE NIST INVOLVED?
The NIST is a federal agency within the United States Department of Commerce. It was formed in 1901 “to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.” NIST houses one of the oldest physical science laboratories in the US, and is tasked with creating computer and IT-related standards for the federal government.
WHAT IS THE NIST CSF?
The NIST CSF is a set of cybersecurity best practices and recommendations, and is the result of a long collaboration between the public and private sectors, as well as academia. The first version of the NIST CSF was released in 2014. Since then, many private sector organizations continue to use the NIST CSF as a guide to inform their own security tools and protocols. The newest version was released in April of 2018, which offers a more comprehensive treatment of identity management as well as more information on how to manage cybersecurity throughout your supply chain.
There are three main components of the NIST CSF: Framework Core, Implementation Tiers, and Profiles. Let’s explore each of these in further detail.
1. Framework Core
The Framework Core is a set of desired cybersecurity outcomes, and includes five basic functions of a cybersecurity program – Identify, Protect, Detect, Respond, and Recover. Under each function, the Framework Core lists 3 – 6 tools or practices that are required.
2. Implementation Tiers
Implementation Tiers include Partial, Risk-Informed, Repeatable and Adaptive. These tiers provide a qualitative measure of the cybersecurity risk management practice within an organization. An organization can select the tier that is the right fit, and adopt practices accordingly.
Profiles are an organization’s alignment of its needs and goals, risk appetite and resources. These profiles can help an organization identify opportunities for improving their cybersecurity posture.
IS THE NIST CSF MANDATORY?
Executive Order 13800 made the CSF a requirement for federal agencies in the United States. However, complying with the NIST CSF is voluntary for private businesses, although many private sector organizations choose to use these standards, which are updated frequently to counter evolving cybersecurity threats. The recent passage of the Cyber Incident Reporting for Critical Infrastructure Act certainly provides additional motivation to comply for any organizations and businesses that are related to critical infrastructure.
WHAT DOES IMPLEMENTING THE CSF DO FOR YOUR BUSINESS?
Though the NIST CSF is voluntary for private organizations, large and small, it’s a great way to make sure your sensitive data and infrastructure is secure. Adopting the NIST CSF allows your organization to do the following:
- Identify all assets and environments
- Have confidence that robust security policies and standards are in place
- Identify and achieve cybersecurity goals
- Develop a roadmap for continuous improvement
- Prioritize strategies to counter threats
- Clarifies communication on cybersecurity
HOW TO IMPLEMENT THE NIST CSF IN YOUR ORGANIZATION
Marco’s designed an easier way for you to implement the NIST CSF. Our free security checklist is based on the NIST CSF, and you can use it online or download it as a PDF. This assessment does an excellent job of showing you what you’re already doing well, and where there might be areas for improvement.
Marco’s IT experts also assist organizations large and small with implementing the NIST CSF. And if you already have an internal IT department, we can partner with them to get your organization in excellent cybersecurity shape.