Managing cybersecurity threats in today’s enterprise is a complex undertaking. Cyber threats are evolving at a rapid pace, and they require a different approach than the one we have used in the past to neutralize traditional threats. Unfortunately, there is no “one size fits all” solution when it comes to cybersecurity. However, there are excellent frameworks that can be used to manage cybersecurity activities and reduce organizational risk. The NIST Cybersecurity Framework has become quite useful for many organizations as they look to mature their cybersecurity practice and combat the ever-evolving threats that we face.
In 2014, NIST published the Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the NIST Cybersecurity Framework or just the Framework. The Framework consists of standards, methodologies, best practices, policies, and procedures that align business goals, policy, and technological approaches to improve cybersecurity capabilities within an organization.
The Framework is broken into three sections: the Core, the Implementation Tiers, and the Profiles. The Core includes categories and subcategories that define controls and activities across five functional areas: Identify, Detect, Protect, Respond, and Recover. The Implementation Tiers help an organization evaluate its cybersecurity practices against the characteristics listed in the Core functions. Finally, the Profiles enable an organization to understand its current capabilities and define its target capability state based on its business goals and objectives.
In December of 2015, NIST received RFI responses from participants within the United States and abroad. The participating respondents represented a variety of industries covering both the public and private sectors. The RFI was followed up with a Working Group in April of 2016. Participants in the RFI and Working Group provided feedback on how they utilized the Framework and where they would like to see the Framework further developed. NIST also received praise for how it has collaborated with the private sector in the creation of the Framework and in the future evolution of the Framework.
As a Workshop participant myself, I was absolutely surprised by the variety of participants. I was expecting participants from the Federal government, but the level of engagement across so many different sectors of industry was a pleasant surprise. As a supporter of the Framework since its inception, I see it as a valuable tool for any organization.
At ISM, the Framework is foundational to our internal cybersecurity practice and has become a valuable tool that we use to support our customers. The Framework Core provides a set of cybersecurity activities, desired outcomes based on organizational goals and priorities, and applicable references to other frameworks, guidelines, and standards that are commonly used across the public and private sectors. There is plenty of room for improvement, but I am confident that the partnership between NIST and the private and public sectors will continue to produce a valuable tool that can be used to improve organizations that already have mature cybersecurity practices, or to serve as a foundation for organizations looking to build one.
If you would like to learn more about the NIST Cybersecurity Framework or the recent Workshop findings, please use the links below. Should you be interested in learning more about how ISM can help your organization, you can use the Contact Us link in the upper right-hand corner of the page.
Workshop Findings: http://www.nist.gov/cyberframework/upload/Workshop-Summary-2016.pdf
NIST Cybersecurity Framework: http://www.nist.gov/cyberframework/