A Quick Summary of the NIST Cybersecurity Framework
The National Institute for Standards and Technology (NIST) Framework for Critical Infrastructure Cybersecurity (also referred to as the NIST Cybersecurity Framework or “NIST CSF”) describes the standing of an organization’s information security program using a Framework Core, Implementation Tiers, and Framework Profiles. The NIST CSF’s Framework is flexible enough to be applied in various other contexts and across a wide array of industries.
The intent of the NIST CSF Framework is to provide “a common taxonomy and mechanism for organizations” to:
- Describe their current cybersecurity posture
- Describe their target state for cybersecurity
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
- Assess progress toward the target state
- Communicate among internal and external stakeholders about cybersecurity risk (emphasis added)
NIST CSF Functions
The NIST CSF is organized into five core Functions also known as the Framework Core. The functions are organized concurrently with one another to represent a security lifecycle. Each function is essential to a well-operating security posture and successful management of cybersecurity risk. Definitions for each Function are as follows:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a security event.
- Respond: Develop and implement the appropriate activities when facing a detected security event.
- Recover: Develop and implement the appropriate activities for resilience and to restore any capabilities or services that were impaired due to a security event.
NIST CSF Tiers
The NIST CSF Tiers represent how well an organization views cybersecurity risk and the processes in place to mitigate risks. This helps provide organizations a benchmark on how their current operations.
- Tier 1 – Partial: Organizational cybersecurity risk is not formalized and managed in an ad hoc and sometimes reactive manner. There is also limited awareness of cybersecurity risk management.
- Tier 2 – Risk-Informed: There may not be an organizational-wide policy for security risk management. Management handles cybersecurity risk management based on risks as they happen.
- Tier 3 – Repeatable: A formal organizational risk management process is then followed by a defined security policy.
- Tier 4 – Adaptable: An organization at this stage will adapt its cybersecurity policies based on lessons learned and analytics-driven to provide insights and best practices. The organization is constantly learning from the security events that do occur in the organization and will share that information with a larger network.
You can use the NIST CSF to benchmark your current risk posture. Going through each category and subcategories in the core function can help you determine where you stand on the NIST CSF Tier scale.
Let Red Lion Assist in your NIST CSF Compliance
Do you still have questions regarding NIST CSF? Our compliance professionals can help you to understand and comply with the NIST Cyber Security Framework, regardless of complexity.
Contact Us Today