Using the NIST Cybersecurity Framework to address Organizational Risk

Feb 11, 2022

Since last year, the federal government of the U.S. has been very active, especially with regard to the Cybersecurity Executive Order (EO) and activities in line with its goals. Another industry framework that has received more attention as a result is the NIST Cybersecurity Framework (CSF).

The CSF itself originated with an earlier EO, 13636, in 2013, which directed NIST to work with stakeholders to develop a voluntary risk mitigation framework for critical infrastructure. It arose through joint efforts between government and industry, both of which have widely embraced the framework.

What is CSF?

The Cybersecurity Framework (CSF) is a set of best practices that organizations can use to protect their data and systems. The framework was designed by the National Institute of Standards and Technology (NIST) to provide cost-effective security for both large and small organizations.

In 2013, the CSF came into being with an Executive Order on Cybersecurity (EO 13636) issued by President Obama. The EO directed NIST to work with stakeholders to develop a voluntary risk mitigation framework for critical infrastructure. It does this by focusing on three key areas:

  • Information sharing,
  • Privacy, and
  • Adoption of cybersecurity procedures.

Now here's how the CSF is structured, how its capabilities can help achieve some of the latest cybersecurity EO goals, and how any organization can use it to better map risk threats.

What are the Components of a Cybersecurity Framework?

The CSF consists of three components:

  • The Framework Core is a set of desired cybersecurity activities and outcomes.
  • Implementation Tiers provide context for how an organization views cybersecurity risk management and how mature its practices are.
  • Framework Profiles help provide customized alignment with organizational needs and goals in achieving outcomes and reducing risk to the organization and the industry as a whole.

Within these three components there are further subdivisions that map to the effectiveness of the cybersecurity program, such as the categories and subcategories of activities in the Core. NIST has produced many example framework profiles, such as those for manufacturing, elections, and the smart grid.

One of the most notable features of the CSF is its division into five Functions: Identify, Protect, Detect, Respond, and Recover. What makes these Functions so popular is their practicality and logic. They align with the activities and cycles of cybersecurity and risk management within an organization's security program. These Functions also apply to organizations across all industries and verticals, making the CSF flexible and adaptable.

How a Cybersecurity Framework Helps Enhance EO Compliance

The CSF is not explicitly mentioned in the latest cybersecurity EO, but NIST is referenced extensively. Since the CSF is NIST's primary risk management framework, it will be linked to the many tasks and activities that NIST performs as part of the EO. The cybersecurity activities and tasks described in the EO can be mapped to the CSF Functions and Categories discussed above.

To foster greater CSF adoption, NIST has published guidance, including NISTIR 8170, Federal Agencies' Approach to Using the Cybersecurity Framework, and NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). Combining this guidance with EO-related activities will enable federal agencies to address their existing risks and security gaps.

Aligning Cybersecurity Framework Objectives to Threats

Organizations, governments, and industries can all take additional steps to connect CSF objectives to actual threats. One good method is to use the MITRE ATT&CK Evaluations, which emulate adversary tactics and techniques against leading cybersecurity products. End-users in the industry can then use this information to understand how products perform and how they meet the organization's security objectives. Another excellent MITRE resource is the Center for Threat-Informed Defense's mapping of MITRE ATT&CK to NIST SP 800-53. Using this mapping, organizations can translate the Center's results into CSF references, which correspond to specific Functions and Categories.

Regarding real threats, self-assessments and CSF ratings can also be used to improve decision-making on investment priorities. Regardless of industry, all security leaders face limited resources and support. Identifying weaknesses in security programs and directing investment to high-risk areas can bring significant benefits. This is why security leaders must ensure that the implementation of security controls and operations is linked to organizational outcomes and business objectives. Doing so ensures alignment with business leadership, improves the procurement of security systems, and supports the secure operation of the business.

The NIST CSF is a flexible framework for managing the maturity of an organization's risk and security programs. Its areas of application include managing online demands, reporting cybersecurity threats, and integrating and coordinating cyber processes and findings. All of these areas apply to meeting the set of tasks and objectives that emerge from the 2021 Cybersecurity EO.

Learning about the CSF

NIST's CSF can be an important tool for organizations developing the maturity of their security programs and seeking to reduce organizational risk while covering the essential security Functions. There are many resources for getting started with the CSF, especially from NIST itself, which offers online readings, presentations, and detailed documentation of the framework. There is also a book dedicated to the NIST CSF. As organizations continue to develop their security programs, a dynamic and integrated framework that is mapped to their existing maturity levels is important, and this is where NIST's CSF comes in.