The NIST Cybersecurity Framework — or CSF — was the result of an Obama-era executive order (Biden later released a similar executive order). Essentially, it is the US government's compilation of cybersecurity and data protection best practices drawn from other frameworks.
The NIST Cybersecurity Framework is governed by NIST, the National Institute of Standards and Technology, which is a government-funded agency under the Department of Commerce.
NIST compliance is required of any organization that does business with the US government, as well as with many state agencies.
NIST Special Publications
In addition to the NIST CSF, there are also the NIST Special Publications, the most widely used being NIST SP 800-53 and NIST SP 800-171. The Special Publication 800 series reports on the Information Technology Laboratory's (ITL) research, guidelines, and outreach efforts in information systems security and privacy, and on its collaborative activities with industry, government, and academic organizations.
NIST Special Publication 800-53 is a catalog of security and privacy controls designed specifically for US federal government agencies. It applies to all US federal information systems except those related to national security. At 453 pages, it is over 10 times as long as the NIST CSF (which comes in at 41 pages). NIST 800-53 is broken down into 16 control families, including:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Contingency planning
- Identification and authentication
- Incident response
- Media protection
- Physical and environmental security
- Personnel security
- Risk assessment
- Systems and services acquisition
- Systems and communications protection
- Systems and information integrity
NIST SP 800-171
NIST SP 800-171 is a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information, or CUI. It is aimed at government contractors and subcontractors, including defense contractors. If an organization or manufacturer is part of the supply chain of the DoD, NASA, the General Services Administration (GSA), or another federal or state agency, it must implement the security requirements in NIST SP 800-171.
NIST 800-171r2 — Revision 2 — titled Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations, provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI.
The NIST framework’s five pillars
Now that you're familiar with the NIST CSF as well as two of NIST's Special Publications — NIST 800-53 and NIST 800-171 — let's take a look at the five pillars of the NIST framework. Each of these five functions represents a set of objectives and activities that must be achieved in order to build a comprehensive cybersecurity strategy.
Identify
Identifying all types of threats the organization faces, as well as all assets that need to be protected, should be the first step of any cybersecurity process.
By identifying risks and documenting where sensitive data is stored, your organization can ensure controls are effectively implemented to protect the most valuable data and critical business processes. Controls in this pillar include:
- Inventorying IT assets
- Conducting a risk assessment
- Creating a comprehensive risk management strategy
Initiatives like workshops can help team members identify and define company assets that need to be protected.
Protect
Next, use cases and scenarios need to be defined for how to protect each critical asset. In other words, the protect pillar determines what tools, actions, or measures should be used to safeguard assets, ensure adequate protection of data, and prevent potential cybersecurity threats and their impacts. Controls in this pillar include:
- Employing protective technologies such as access controls and anti-virus software
- Providing employees with security awareness training
Detect
The detect pillar is where mechanisms are defined and created to detect potential threats and cybersecurity events in a timely manner. Why does timeliness matter so much? Because the longer an attack goes on, the more likely data loss and other damage to an organization's information, systems, and overall environment become.
For example, tools that predict and track user behavior or trends can flag when there is abnormal activity. This will notify your organization and help you stop a potential breach before it occurs.
Respond
Once an abnormality or threat has been detected, the respond pillar calls for a defined response to that activity. This ensures your organization has the capacity to respond efficiently and rapidly to a cybersecurity incident when it happens — because it will.
These procedures will vary depending on the behavior detected and the importance of the asset. In other words, each response strategy should be tailored to each asset, use case, and threat activity involved.
Recover
Last but not least, the recover pillar helps you determine how to repair any impacted infrastructure and maintain security at your organization after an incident has occurred.
Actions to help your business both recover from an incident and ensure a breach doesn’t happen again can include the following:
- Rectifying the incident’s impacts, including restoring functionality to IT assets and ensuring your systems are clean
- Evaluating the source of the incident for potential security weaknesses
- Implementing new security methods, policies, and/or infrastructure to improve your strategy
Planning for recovery and testing your business’s recovery processes before any incidents occur can make this pillar much more effective.