The last few years have transformed cybersecurity and data protection from niche concerns into major problems, as both individuals and organizations have suffered an unprecedented wave of cyberattacks and data theft. Governments around the world have stepped up and begun introducing legislation that makes data protection mandatory by law. Focusing on data subjects’ rights, regulations such as the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) put companies under a legal obligation to ensure that the personal data they process is secure.
With cybersecurity and data protection becoming common compliance requirements, many organizations are at a loss as to where to begin integrating them into their processes. The US National Institute of Standards and Technology (NIST)’s Cybersecurity Framework (CSF) has emerged as effective guidance for cybersecurity best practices at company level, not only in the US where it was developed, but across the world.
NIST CSF’s Development and Adoption
The Cybersecurity Framework was developed in response to an executive order issued in February 2013 by then US president Barack Obama, which called for the development of a voluntary, risk-based, cost-effective cybersecurity framework for the country’s critical infrastructure, which includes sectors such as transport, energy and healthcare. While NIST led the effort, over 3000 industry professionals and cybersecurity experts from both small and large private organizations contributed to the CSF’s development.
First published by NIST in February 2014 and later updated in April 2018 to incorporate feedback from industry, government and academia, the CSF has been widely accepted across all sectors as comprehensive guidance on the cybersecurity standards, guidelines and practices that need to be applied to manage and reduce cybersecurity risks.
While the CSF was developed as a voluntary framework, in May 2017, President Donald Trump issued an executive order in which he instructed all federal agencies to use the Cybersecurity Framework, effectively making it mandatory for them to implement it.
In 2015, Gartner reported that 30% of all US organizations used the CSF and estimated that the number would rise to 50% by 2020. Internationally, countries like Israel, Italy, Uruguay and Japan have adopted the NIST Cybersecurity Framework in its original form or adapted versions of it. Companies that have embraced the CSF across the globe include Microsoft, Boeing, Intel, JP Morgan Chase and many others.
The Cybersecurity Framework is divided into three main components: the Core, Implementation Tiers and Profiles. The Core is a set of cybersecurity activities, desired outcomes and relevant references common across critical infrastructure sectors. It is further broken down into four major groups:
Functions that offer a method of organizing cybersecurity policies at the most basic level and are split into five groups: identify, protect, detect, respond and recover. These functions cover not only a comprehensive strategy for securing systems, but also how organizations should respond to threats and react in the aftermath of a cyberattack.
Categories are contained within each function and are used to highlight specific tasks organizations need to carry out and the challenges they might face while doing so. Examples of categories include asset management, detection processes and security continuous monitoring. There are 23 categories spread out across the five functions.
Subcategories are subdivisions of categories which deal with specific objectives and are outcome-driven. There are in total 108 of them. A category like asset management for example has six subcategories which include inventories of physical devices and systems within an organization, inventories of software platforms and applications and cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders.
Informative references are an additional layer of information for each subcategory, setting out the existing standards, guidelines and best practices that support it. These can include practical detail such as how to manually update certain software.
The Implementation Tiers
The second major component of the NIST Cybersecurity Framework is the set of four implementation tiers. The tiers describe how closely a company’s cybersecurity practices align with those set out in the CSF.
Tier 1 refers to companies that have partially implemented the CSF, but that have a reduced awareness of organizational risks and an inconsistent implementation of cybersecurity plans.
Tier 2 indicates organizations that are risk informed, have put adequate cybersecurity measures in place, but still struggle with implementation.
Tier 3 designates organizations that have adopted CSF standards company-wide and applied them effectively, leading to an efficient and consistent response to crises and a risk-informed workforce.
Tier 4 is the highest level of alignment and means total adoption of the CSF. Called adaptive, organizations at this tier are not only prepared to respond to threats, but they take a proactive approach to threat detection and constantly evolve their practices based on the evolution of their IT architecture and current trends.
Profiles are a way for organizations to identify and prioritize opportunities for improving cybersecurity practices. This is done by comparing a company’s current profile against a target profile based on the NIST Cybersecurity Framework.
To build a current profile, organizations can map their existing cybersecurity practices based on the CSF subcategories. The target profile can be built using the CSF subcategories and a company’s objectives, operational methodologies and requirements. By comparing these two profiles, organizations can see the gaps between their existing policies and their desired level of cybersecurity and formulate an implementation plan suitable for their specific circumstances and budget.
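The current-versus-target comparison described above is straightforward to automate once both profiles are expressed per subcategory. The following script is an added example, not code from the article or from NIST: it scores each subcategory on a 0–4 scale (an assumption; the CSF itself does not prescribe per-subcategory scores), weights each gap by a business priority the organization assigns, and produces a prioritized implementation plan under a fixed budget. The subcategory identifiers ID.AM-1, ID.AM-2, ID.AM-6 and DE.CM-1 are real CSF 1.1 identifiers for the asset-management and continuous-monitoring outcomes the article mentions; the profile values and priority weights are constructed sample data.

```python
from dataclasses import dataclass

# Real CSF 1.1 subcategory identifiers with abbreviated outcome text.
SUBCATEGORIES = {
    "ID.AM-1": "Physical devices and systems within the organization are inventoried",
    "ID.AM-2": "Software platforms and applications are inventoried",
    "ID.AM-6": "Cybersecurity roles and responsibilities for the workforce and third parties are established",
    "DE.CM-1": "The network is monitored to detect potential cybersecurity events",
}

# Constructed sample profiles: implementation level per subcategory on a
# 0 (not implemented) to 4 (fully adaptive) scale. The scale is an assumption
# made for this example, not a CSF rule.
CURRENT_PROFILE = {"ID.AM-1": 3, "ID.AM-2": 1, "ID.AM-6": 2, "DE.CM-1": 0}
TARGET_PROFILE = {"ID.AM-1": 3, "ID.AM-2": 4, "ID.AM-6": 3, "DE.CM-1": 3}

# Constructed business-priority weights (assumption): a larger weight means a
# gap in that subcategory matters more to the organization's objectives.
PRIORITY = {"ID.AM-1": 2, "ID.AM-2": 3, "ID.AM-6": 1, "DE.CM-1": 3}


@dataclass
class Gap:
    subcategory: str
    current: int
    target: int
    priority: int

    @property
    def delta(self) -> int:
        """Number of levels between where the organization is and where it wants to be."""
        return self.target - self.current

    @property
    def score(self) -> int:
        """Gap size weighted by business priority; used for ordering the plan."""
        return self.delta * self.priority


def validate_profile(profile: dict, name: str) -> None:
    """Reject unknown subcategories and out-of-range levels before analysis."""
    for sub, level in profile.items():
        if sub not in SUBCATEGORIES:
            raise ValueError(f"{name}: unknown subcategory {sub}")
        if not 0 <= level <= 4:
            raise ValueError(f"{name}: level {level} for {sub} is outside 0-4")


def gap_analysis(current: dict, target: dict, priority: dict) -> list:
    """Return the subcategories where the target exceeds the current level,
    highest weighted gap first. A practice missing from the current profile
    is treated as not implemented (level 0)."""
    validate_profile(current, "current")
    validate_profile(target, "target")
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, 0)
        if tgt > cur:
            gaps.append(Gap(sub, cur, tgt, priority.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.score, g.subcategory))


def implementation_plan(gaps: list, budget_levels: int) -> list:
    """Greedy plan: fund the highest-scored gaps first, one budget unit per
    level of improvement (a simplifying assumption). Returns
    (subcategory, from_level, to_level) tuples for the funded work."""
    plan = []
    remaining = budget_levels
    for g in gaps:
        if remaining == 0:
            break
        steps = min(g.delta, remaining)
        plan.append((g.subcategory, g.current, g.current + steps))
        remaining -= steps
    return plan


if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY)
    for g in gaps:
        print(f"{g.subcategory}: {g.current} -> {g.target} (score {g.score}) "
              f"{SUBCATEGORIES[g.subcategory]}")
    print("Plan for a budget of 4 levels:", implementation_plan(gaps, 4))
```

Ties are broken by subcategory identifier so the plan is deterministic; in practice the priority weights would come from the business-objective and risk-assessment work the article describes, and the budget parameter lets the organization see which gaps remain unfunded in the current cycle.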
The NIST Cybersecurity Framework is detailed guidance for cybersecurity best practices, built by professionals in the field. It has been widely embraced by both industry giants and governments across the world, showing that it provides an excellent starting point for compliance with data protection regulations and a solid cybersecurity plan to guard against threats and risks.