NIST Cybersecurity Framework – What to Know


Cybersecurity has been an issue in our nation for quite some time. Businesses of all kinds rely on a cybersecurity infrastructure for a multitude of reasons. From privacy to protection, cybersecurity is extremely useful and necessary. That’s why the NIST created a Cybersecurity Framework.

What is the NIST Cybersecurity Framework? The NIST Cybersecurity Framework provides public and private sector companies with a framework of computer security guidance, which allows them to assess their ability to protect their networks from cyber hacking.

The NIST, or National Institute of Standards and Technology, is a government-funded program. It developed the Cybersecurity Framework in 2014 in response to the Presidential Executive Order “Improving Critical Infrastructure Cybersecurity,” which called for a standardized security framework for U.S. infrastructure. The Cybersecurity Framework was designed to be paired with systems like COBIT 5.

A lot of public and private businesses use the NIST Cybersecurity Framework as a resource for their own security systems since it is publicly available to the masses. However, due to a lack of government funding, the official NIST website and other affiliated sites are unavailable for the time being, so if a company does not already have the program, getting it now may be difficult.

The core of the program is in Excel format so it can easily be added to any cybersecurity toolkits.

The NIST Cybersecurity Framework is divided into 5 Functions: Identify, Protect, Detect, Respond, and Recover. A post on blog.cipher.com describes them as follows:

“Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Detect: Develop and implement the appropriate activities to identify the occurrence of a security event.

Respond: Develop and implement the appropriate activities when facing a detected security event.

Recover: Develop and implement the appropriate activities for resilience and to restore any capabilities or services that were impaired due to a security event.”

There are 21 categories and over a hundred subcategories that fall under the above Functions. There are 4 tiers that are used to measure security risks: Partial, Risk-Informed, Repeatable, and Adaptable.

Partial: Limited knowledge of cybersecurity risk management.

Risk-Informed: Risk management is based on risks as they happen.

Repeatable: Risk management follows a defined security policy.

Adaptable: This tier allows organizations to continuously learn about their cybersecurity, and adjust their system based on events that happen in their organization.

Once an organization decides which parts of the NIST Cybersecurity Framework it wants to use, it creates a Profile. The Profile can then be used to determine other aspects of the infrastructure, such as prioritization and budget.

Using the NIST Cybersecurity Framework benefits not only big businesses and small companies; it also benefits the security of the nation.