The NIST CSF offers voluntary guidance to help organizations improve their cyber risk management program.
The 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure called on federal government agencies to follow NIST Cybersecurity Framework (CSF) guidance in managing cybersecurity risk. Other organizations in a range of industries and sectors as well as around the world have gone on to adopt this framework.
NIST CSF, also known as the Framework for Improving Critical Infrastructure Cybersecurity, leverages existing standards, guidelines, and best practices to help organizations better understand, manage, communicate about, and reduce their cybersecurity risk.
Organizations can customize CSF to meet their unique needs and risk profile, overlaying their current processes onto the Framework to determine gaps in their cybersecurity risk approach and develop a risk management tool they can use as a roadmap to improving their environment. For example, they can define activities that are most important to their delivery of critical services and prioritize their spending on security efforts to protect these services.
CSF consists of three main components: the Core, Implementation Tiers, and Profiles.
- The Core provides a set of cybersecurity activities and outcomes using common, easily understood language. The Core guides organizations in managing and reducing their cybersecurity risks in a way that works with their existing cybersecurity and risk management processes.
- Implementation Tiers provide context to organizations on how they should view their cybersecurity risk management program. The Tiers guide organizations on ways to determine the appropriate level of effort they need to administer their cybersecurity program and are useful as prompts for discussing with stakeholders and management their risk appetite, mission priorities, and budget.
- Profiles are organizations’ specific alignment of their requirements and objectives, risk appetite, and resources against the desired outcomes they determine in their Core component (described in the first bullet). They are useful for identifying and prioritizing organizational cybersecurity efforts.
CSF is organized around five functions that together give an overall view of the steps organizations should develop and implement to manage their cybersecurity over time. In the Framework for Improving Critical Infrastructure Cybersecurity, Appendix A, Tables 1 and 2 list the specific categories of controls that correspond to these functions.
- Identify: Manage cybersecurity risk to systems, assets, data, and capabilities
- Protect: Establish appropriate safeguards to ensure delivery of services
- Detect: Set up appropriate activities to identify a cybersecurity event
- Respond: Follow appropriate activities when a cybersecurity event is detected
- Recover: Maintain plans for resilience and restore any capabilities or services impaired by a cybersecurity event
NIST CSF offers a quick start guide to help organizations use the Framework. However, most organizations find it challenging to know where to begin. CISO Global’s security assessment experts can help, beginning with a gap analysis to document an organization’s current security processes and how they map to CSF’s 100+ controls. For more information, contact us.
We want to hear from you!
To start a conversation with one of our experts, give us a call or Request a Consultation.
We look forward to speaking with you about your goals and unique needs.