NIST Cybersecurity Framework: What Is It and What Does It Mean for Feds?
Few government-produced documents have had as much fanfare about them in recent years as a somewhat obscure-sounding white paper formally known as the “Framework for Improving Critical Infrastructure Cybersecurity.”
The document, produced by the National Institute of Standards and Technology, is better known as the NIST Cybersecurity Framework, and it has become the go-to guide for agencies looking to enhance their cybersecurity posture.
The framework provides agencies with a common cybersecurity lexicon to better understand and handle IT security risks. And, since President Donald Trump’s May 2017 cybersecurity executive order, the framework has been mandated as the document that agency heads should use to manage cybersecurity risk.
Despite that directive, Kevin Stine, the chief of the applied cybersecurity division at NIST, notes that following the framework is voluntary. The tool’s purpose, he says, is to help organizations “better understand, manage and communicate cybersecurity risk in the context of their missions and objectives.” The NIST Cybersecurity Framework provides a “common language and taxonomy to help align cybersecurity activities with business objectives,” Stine says.
What Is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework was born out of a different executive order, one which former President Barack Obama issued in February 2013, which directed NIST to “lead the development of a framework to reduce cyber risks to critical infrastructure” in an open, transparent and collaborative manner, Stine notes.
That first version, which was developed through “very aggressive stakeholder engagement,” was issued a year later, after being reviewed by agencies, industry, state and local governments, foreign governments and companies, and academics.
NIST revised the framework and issued Cybersecurity Framework Version 1.1 in April 2018. The framework “focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes,” as the document notes.
The framework offers agencies and other organizations a “flexible way to address cybersecurity, including cybersecurity’s effect on physical, cyber, and people dimensions.”
It can be applied to organizations whose cybersecurity is focused on IT, industrial control systems, cyber-physical systems or connected devices more generally, including the Internet of Things.
NIST says the Cybersecurity Framework “can assist organizations in addressing cybersecurity as it affects the privacy of customers, employees, and other parties” and that its “outcomes serve as targets for workforce development and evolution activities.”
What Are the 3 Parts of the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework has three distinct parts: the Framework Core, the Framework Implementation Tiers and the Framework Profiles. Each element “reinforces the connection between business/mission drivers and cybersecurity activities,” the document notes.
The Framework Core is a group of “cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.”
In this section, NIST offers industry standards, guidelines and practices to organizations so that they can communicate cybersecurity activities and outcomes across the organization, all the way from the top down to those implementing specific activities.
Critically, the Framework Core has five “concurrent and continuous” functions: identify, protect, detect, respond and recover.
Taken together, the document notes, these functions “provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.” From there, the Framework Core identifies underlying key categories and subcategories — specific, discrete outcomes — for each function, and matches them with existing standards, guidelines, and practices for each subcategory.
The next part of the framework is the Implementation Tiers, which offer context for how an organization “views cybersecurity risk and the processes in place to manage that risk,” the document adds.
This portion describes how robust and adaptive cybersecurity risk management practices “reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.”
As an agency uses the framework, it should “consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.”
Finally, the Framework Profile “represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories.”
A profile is essentially an “alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario.” They can be used to identify opportunities for improving an agency’s cybersecurity posture by comparing where an agency is right now in terms of cybersecurity to where it wants to be.
To develop a profile, agencies can prioritize which categories and subcategories are most important to addressing their cybersecurity risks. Categories and subcategories can be added as needed to address the organization’s risks. Agencies can then measure their progress toward their target or desired end state.
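To make the profile step concrete, the following Python example models a small Framework Profile as a current-versus-target gap analysis over selected Core subcategories and ranks the gaps by priority. It is an added illustration, not code from NIST or FedTech. The subcategory identifiers follow the CSF 1.1 “Function.Category-N” naming, their one-line outcome descriptions are paraphrased, and the 0–4 achievement scale, the 1–3 priority weights and the sample scores are all assumptions of this example rather than anything the framework prescribes.

```python
"""Framework Profile as a current-vs-target gap analysis (added example).

Assumptions: subcategory outcomes are scored 0-4 (0 = not achieved,
4 = fully achieved) and each carries a 1-3 priority weight set by the
agency's own risk assessment. Neither scale comes from the framework.
"""
from dataclasses import dataclass

# The five Framework Core functions, in the order the article lists them.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
FUNCTION_PREFIX = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                   "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Subcategory:
    ident: str      # CSF 1.1 style identifier, e.g. "PR.AC-1"
    outcome: str    # the discrete outcome the subcategory describes (paraphrased)

    @property
    def function(self) -> str:
        """Map the identifier prefix back to its Core function."""
        return FUNCTION_PREFIX[self.ident.split(".")[0]]


@dataclass
class ProfileEntry:
    sub: Subcategory
    current: int    # assumed 0-4: how fully the outcome is achieved today
    target: int     # desired end state on the same assumed scale
    priority: int   # assumed 1-3 weight from the mission/risk assessment

    def __post_init__(self) -> None:
        for name in ("current", "target"):
            value = getattr(self, name)
            if not 0 <= value <= 4:
                raise ValueError(f"{name} must be 0-4, got {value}")
        if not 1 <= self.priority <= 3:
            raise ValueError(f"priority must be 1-3, got {self.priority}")

    @property
    def gap(self) -> int:
        """Distance to target; exceeding the target is not counted as a gap."""
        return max(self.target - self.current, 0)

    @property
    def weighted_gap(self) -> int:
        return self.gap * self.priority


def prioritized_gaps(profile):
    """Entries that still have a gap, largest weighted gap first, ident as tiebreak."""
    return sorted((e for e in profile if e.gap > 0),
                  key=lambda e: (-e.weighted_gap, e.sub.ident))


def gap_by_function(profile):
    """Total weighted gap rolled up to each of the five functions."""
    totals = {f: 0 for f in FUNCTIONS}
    for entry in profile:
        totals[entry.sub.function] += entry.weighted_gap
    return totals


def progress(profile) -> float:
    """Share of the weighted target achieved across the profile (1.0 = target reached)."""
    target_total = sum(e.target * e.priority for e in profile)
    if target_total == 0:
        return 1.0
    achieved = sum(min(e.current, e.target) * e.priority for e in profile)
    return achieved / target_total


# Constructed sample profile: one subcategory per function, scores invented.
SAMPLE_PROFILE = [
    ProfileEntry(Subcategory("ID.AM-1", "Physical devices and systems are inventoried"), 2, 4, 3),
    ProfileEntry(Subcategory("PR.AC-1", "Identities and credentials are managed"), 1, 4, 3),
    ProfileEntry(Subcategory("DE.CM-1", "The network is monitored for events"), 3, 3, 2),
    ProfileEntry(Subcategory("RS.RP-1", "Response plan is executed during or after an incident"), 1, 3, 2),
    ProfileEntry(Subcategory("RC.RP-1", "Recovery plan is executed during or after an incident"), 0, 3, 1),
]

if __name__ == "__main__":
    for e in prioritized_gaps(SAMPLE_PROFILE):
        print(f"{e.sub.ident:8} {e.sub.function:8} gap={e.gap} weighted={e.weighted_gap}  {e.sub.outcome}")
    print("by function:", gap_by_function(SAMPLE_PROFILE))
    print(f"progress toward target: {progress(SAMPLE_PROFILE):.0%}")
```

Running the script lists the subcategories that still fall short of the target profile in the order an agency would address them, rolls the gaps up by function for leadership, and gives a single progress figure that can be recomputed as the current profile changes.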
What Are the 5 Functions of the NIST Cybersecurity Framework?
The five functions of the framework are the organizing constructs for cybersecurity activities, Stine says, and can be overlaid on a traditional lifecycle.
The functions “aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities,” the framework notes.
Additionally, they “align with existing methodologies for incident management and help show the impact of investments in cybersecurity.” For example, if an agency makes investments in planning and exercises, it can “support timely response and recovery actions, resulting in reduced impact to the delivery of services.”
The functions flow into and reinforce each other, and are thus continuous. At the start, agencies identify their threats, business priorities and risk tolerance. This involves going through their stakeholders, customers, partners, suppliers and legal and regulatory obligations, Stine says. Agencies need to identify cybersecurity’s role in their broader enterprise risk management framework, which includes risk types such as reputational, financial and privacy. “Cyber is another dimension of risk organizations need to manage,” Stine says.
The value of this function is that it helps create greater alignment for the other functions and helps elevate cybersecurity risk as a priority to address, according to Stine.
The framework’s protect function helps determine how agencies limit or contain the impact of a potential cybersecurity event. The detect function is primarily about determining when a cybersecurity event is happening.
The respond function allows agencies to develop and implement the “appropriate activities to take action regarding a detected cybersecurity incident.” And the recover function helps organizations “maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.”
Cybersecurity, Stine notes, is something that is continuously managed. The five functions allow agencies to continuously improve and prioritize activities based on a very fluid threat landscape, and as mission and business objectives change.
How Are Federal Agencies Using the NIST Cybersecurity Framework?
NIST has continued to engage with federal agencies to amplify awareness of the Cybersecurity Framework and the value it can provide to improve cybersecurity risk management, Stine says.
One of the primary value propositions of the framework is as a communication tool, according to Stine, something NIST has seen in industry and increasingly in government.
“Within organizations, from bits and bytes folks in data centers and engineers to the business process owners and executive leadership, including secretaries and other agency leadership,” the framework “helps facilitate cybersecurity in a language that is understandable by folks at various levels of the organization,” he says.
The framework is “a very powerful tool” for helping to organize and simplify the messaging around cybersecurity activities for agencies, Stine says.
Above all, Stine says, the framework is designed to help agencies “identify and achieve outcomes.” It is not prescriptive. For example, it does not mandate that agencies use multifactor authentication. However, it advises agencies to identify the appropriate forms of authentication they should use given their risk tolerance.
As agencies are considering new technical cybersecurity approaches or architectures, such as zero-trust models, the framework helps agencies identify priorities and the outcomes they need to achieve, according to Stine. Those then help determine how to best adopt new technical approaches.