What is the NIST Cybersecurity Framework?

Every single business, regardless of size or sector, should be concerned about cybersecurity. Statistically, attacks are becoming more common with every passing year as an increasing amount of business is conducted online. This Touchstone guide will cover what you need to know about the NIST Cybersecurity Framework in 2020.

The NIST Framework for Improving Critical Infrastructure Cybersecurity, more commonly known as the NIST Cybersecurity Framework (CSF), is by far the most widely used cybersecurity framework in the United States. NIST stands for the National Institute of Standards and Technology, which operates under the Department of Commerce. NIST develops, maintains, and measures against scientific and technological standards used by the U.S. private sector in fields such as science, manufacturing, and technology.

The NIST Cybersecurity Framework is comprehensive, yet easy to understand, with clear guidelines even for IT professionals who may not have extensive knowledge or experience in cybersecurity risk management. The NIST CSF was established by executive order to secure the “national and economic security of the United States” by ensuring the reliable functioning of critical infrastructure. In 2013, NIST was directed to work with private sector and government stakeholders to develop a voluntary cybersecurity framework for organizations – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure and implementing controls that reduce the risk of cyberattacks.

The Cybersecurity Framework is broken down into three components: the Framework Core, the Implementation Tiers, and the Framework Profiles.

The Framework Core

The Framework Core is a set of cybersecurity activities and outcomes, described in plain language, that small businesses and executive stakeholders in the supply chain can easily understand and implement. The Framework Core aims to help private sector organizations understand, manage, and mitigate cybersecurity and data security risks without a complete overhaul of their existing business environment and risk management process.

Implementation Tiers

Implementation Tiers sit on a scale of 1 to 4, running from Partial (Tier 1) to Adaptive (Tier 4). The NIST Cybersecurity Framework uses them to describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. Businesses can use the Implementation Tiers to discuss their cybersecurity risk tolerance and to provide context on how the organization views cybersecurity risk management. When selecting a tier, businesses can consider how their information security goals affect their business environment and budget, and begin the process of implementing appropriate safeguards.

The Framework Profile

A Framework Profile is an organization’s individual alignment of its requirements and objectives, risk appetite, and resources with the desired outcomes of the Framework Core described above. Businesses can use the Framework Profile to identify, prioritize, and implement cybersecurity improvements at an organizational level.

The Framework Profile’s main components are:

What is a cybersecurity framework?

A cybersecurity framework is a list of implementable controls (both technical and process-based) which, taken together, represent a cybersecurity program. Examples of controls include encrypting sensitive data, maintaining a policy to patch systems regularly, and inventorying IT assets. Controls vary from framework to framework, and they can be classified under specific subcategories such as access controls. Some well-known cybersecurity frameworks are the NIST Cybersecurity Framework and ISO 27001. Cybersecurity controls help businesses manage cybersecurity risk and ensure they can recover after a cybersecurity event. Different sectors use frameworks to inform their security policies and security standards. The NIST Cybersecurity Framework is considered by most cybersecurity professionals to be the gold standard for a cybersecurity program. According to Tenable, 70% of IT professionals said they adopted the NIST CSF because they consider it a best practice.

What organizations use the NIST cybersecurity framework?

According to NIST, the Cybersecurity Framework is used by about 30 percent of U.S. organizations, and that number is projected to reach 50% by the end of 2020. The framework is considered a best practice because it integrates industry standards to help organizations manage their cybersecurity risks. Because the NIST CSF is so comprehensive and easy to understand, and meets many compliance requirements by default, we recommend that businesses start their cybersecurity framework journey there unless their industry or regulatory body dictates otherwise. For example, those in the healthcare industry must follow HIPAA controls and ensure compliance with those cybersecurity regulations. Contractors that work with the federal government must also comply with the NIST Cybersecurity Framework.

What are the 5 key functions of the NIST Cybersecurity Framework?

Identify: The Identify function lays the foundation for building a comprehensive and effective cybersecurity program. The controls in this group are centered on risk assessment, inventorying IT assets, and creating a comprehensive risk management strategy. To protect critical information and business data, every organization must identify its specific risk factors and document where sensitive data is stored. Carrying out these activities ensures the relevant security controls are met and the critical infrastructure your business depends on is secured.

Protect: Organizations fulfill the Protect function by developing and implementing the safeguards needed to adequately protect data. These controls include practical measures such as ensuring all employees receive adequate security awareness training, enforcing access controls, managing IT assets, and deploying protective technologies such as anti-malware and anti-virus programs that are kept up to date and installed on all devices.

Detect: According to IBM, companies take about 197 days to detect a breach and 69 days to contain it. This long detection and containment process costs businesses around the world millions of dollars every year. Unfortunately, many companies are not proactive in their cybersecurity risk management and only discover they have suffered a cyberattack when their business or customer data turns up on the dark web or they are locked out of critical devices and infrastructure. The goal of the Detect function is to encourage continuous security monitoring of your information systems so that a cybersecurity event is detected before it spreads. Detection activities can range from simulated phishing exercises to network monitoring.

Respond: A cybersecurity event can happen to any business at any time. Even with the most careful preparation, your business could be just a few clicks away from a cyberattack. How your business responds to a cyber event is just as important as preventing an attack. The most important outcome the Respond function covers is ensuring that your organization has the capacity to respond rapidly and efficiently to a cybersecurity incident. Response planning before a cyberattack ensures all stakeholders and members of your business know what to do in the event of an incident: who to call, what to do, and how to inform anyone affected by the incident calmly and efficiently.

Recover: A cybersecurity event does not have to mean total ruin for your business. Recovery planning ensures that your business reviews lessons learned from the security incident, plans its recovery from the incident, and tests the recovery processes afterwards. In the Recover function of the NIST CSF you will find informative references for restoring IT assets and critical infrastructure services to normal operation, along with best practices for ensuring that your business systems are clean. Recovery from a cyberattack can be tough, and completely preventing cyber incidents is impossible even with the best security standards, but if your business can bounce back with a plan in place you will be far better prepared than organizations that have suffered the same fate without one. Go to nist.gov for more resources and information on the NIST Cybersecurity Framework and how your business can begin to implement it in your business environment.

If you are still unsure about cybersecurity frameworks and risk management after reading this guide, we recommend you take advantage of the Touchstone Security Free 60 Minute CISO Consultation. One of our qualified CISOs can help you better understand which requirements may affect your business. Please note that this guide serves as an overview of common cybersecurity frameworks and requirements. We recommend speaking to an attorney or an experienced cybersecurity professional if you have specific requirements or cybersecurity framework needs to meet.
