NIST Frameworks
Like the NIST CSF, the NIST Privacy Framework is inclusive, drawing from numerous privacy frameworks to help simplify compliance across multiple frameworks at once.
With current trends indicating a global movement toward increased privacy regulation, and as so many of the requirements across frameworks overlap one another, the National Institute of Standards and Technology (NIST) has worked to aggregate requirements for a single framework that supports compliance across multiple standards. The voluntary set of controls, published as the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework), was intended to support privacy for consumers and enterprise stakeholders alike:
- Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole; (Source: nvlpubs.nist.gov)
- Fulfilling current compliance obligations as well as future-proofing products and services to meet these obligations in a changing technological and policy environment; and
- Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.
Data Protection: The Intersection of Privacy and Cybersecurity
Data privacy goes beyond just following applicable policies and procedures. Although implementing strong practices for handling personal information (as defined by privacy regulations that apply to your industry) is essential, securing that data is equally important. Imagine promising customers their information is safe, but then storing it in an insecure manner that leaves it vulnerable for cyber attackers to access, exfiltrate, and publish.
The NIST Privacy Framework addresses this critical balance. It emphasizes not only creating sound policies for data collection, storage, and processing but also implementing robust data security measures. This framework incorporates existing and emerging privacy standards, so by adopting it, you’re well on your way to complying with multiple regulations.
The NIST CSF offers voluntary guidance to help organizations improve their cyber risk management program.
The 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure called on federal government agencies to follow NIST Cybersecurity Framework (CSF) guidance in managing cybersecurity risk. Other organizations in a range of industries and sectors as well as around the world have gone on to adopt this framework.
NIST CSF, also known as the Framework for Improving Critical Infrastructure Cybersecurity, leverages existing standards, guidelines, and best practices to help organizations better understand, manage, communicate about, and reduce their cybersecurity risk.
Organizations can customize CSF to meet their unique needs and risk profile, overlaying their current processes onto the Framework to determine gaps in their cybersecurity risk approach and develop a risk management tool they can use as a roadmap to improving their environment. For example, they can define activities that are most important to their delivery of critical services and prioritize their spending on security efforts to protect these services.
CSF is organized into five functions that together offer an overall view of the steps organizations should develop and implement to manage their cybersecurity over time. In the Framework for Improving Critical Infrastructure Cybersecurity, Appendix A, Tables 1 and 2 list the specific categories of controls that correspond to these functions.
- Identify: Manage cybersecurity risk to systems, assets, data, and capabilities
- Protect: Establish appropriate safeguards to ensure delivery of services
- Detect: Set up appropriate activities to identify a cybersecurity event
- Respond: Follow appropriate activities when a cybersecurity event is detected
- Recover: Maintain plans for resilience and to restore any impaired capabilities or service a cybersecurity event causes
NIST CSF offers a quick start guide to help organizations use the Framework. However, most organizations find it challenging to know how to begin. CISO Global’s security assessment experts can help, beginning with a gap analysis to determine an organization’s current security process and how it maps with CSF’s 100+ controls. For more information, contact us.
NIST 800-53 provides cybersecurity guidance for a wide range of businesses across an ever-changing threat landscape.
NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, was first published in 2013. The publication has long been considered NIST’s flagship security and privacy document; Revision 5 was published in September 2020. Federal agencies, their contractors, and the wide range of other organizations that have based their security guidance processes on Rev. 4 are adjusting to the new Rev. 5 requirements.
SP 800-53 Rev. 5 is the result of NIST’s effort to develop the first comprehensive catalog of security and privacy controls that:
- Organizations of any size and sector can use to manage risks
- Are applicable to all types of systems—general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices
800-53 Rev. 5 offers guidance on customizing these controls to address the security requirements for protecting an organization’s specific missions, business operations, technologies, environments, and applications.
The primary objectives behind the changes from Rev. 4 to Rev. 5 are to make the information systems people depend on more penetration resistant, limit the damage from attacks when they occur, and ensure systems are resilient and recoverable. Rev. 5 also emphasizes the importance of protecting individuals’ privacy.
The Major Changes from Rev. 4 to Rev. 5 Include:
- Changing the structure of the security and privacy controls to be more outcome-based
- Creating a unified and consolidated set of controls by fully integrating the privacy controls into the security control catalog and providing summary and mapping tables
- Separating the control selection process from the actual controls, enabling the controls to be used by different communities of interest
- Promoting integration with different risk management and cybersecurity approaches, including the NIST Cybersecurity Framework
- Clarifying the relationship between security and privacy to improve the selection of controls required to address the full scope of security and privacy risks
- Incorporating new controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability
NIST SP 800-61, Rev. 2: Computer Security Incident Handling Guide
NIST SP 800-61 is designed to help organizations plan effective and efficient incident responses.
NIST SP 800-61 has step-by-step instructions organizations should follow to rapidly detect incidents, minimize loss, mitigate weaknesses, and restore IT services.
In SP 800-61, NIST defines a computer security incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” NIST calls SP 800-61 a recommendations document to emphasize how important it is for organizations to have a well-established incident response plan and well-trained teams to carry out that plan. It also includes guidelines for analyzing incident-related data, determining the best response to each incident, and continually monitoring for attacks. These guidelines are applicable to all hardware platforms, operating systems, protocols, and applications.
The major phases of the incident response process are: preparation, detection/analysis, containment, eradication and recovery, and post-incident activity.
Currently in draft form, NIST SP 800-82 Rev. 3, Guide to Operational Technology (OT) Security, offers best practices for improving the security of OT systems. OT comprises programmable systems or devices that interact with or manage the physical environment.
OT is a key aspect of critical infrastructures that are becoming increasingly integrated, mutually dependent, and connected via wireless networking. This interconnectedness puts OT implementations at greater risk from hostile governments, terrorist groups, and other malicious actors, as well as from system failures caused by accidents and natural disasters. Because of its role in critical infrastructures such as power grids, region-wide transit operations, and hydroelectric dam systems, OT requires security solutions tailored to its environment, over and above those used in traditional information technology systems.
NIST SP 800-82 applies many of the security controls outlined in NIST SP 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations as is, though 800-82 provides additional information or interpretation to make some controls OT-specific. NIST Cybersecurity Framework (CSF) is also applicable; 800-82 includes some Categories with OT-specific areas that are not part of a non-OT CSF application.
800-82 Rev. 3 advises that an effective cybersecurity program for OT systems applies a “defense-in-depth” strategy, layering security mechanisms so that the impact is minimized if any one of them fails. This strategy includes the following:
- Developing OT-specific security policies, procedures, and training
- Addressing security throughout the OT system life cycle
- Logically separating the corporate and OT networks
- Establishing redundant critical components that are on redundant networks
- Designing critical systems in such a way to prevent catastrophic cascading events
- Disabling unused ports and services
- Following the principle of least privilege, restricting privileges to only those users who require them to perform a specific function
- Installing intrusion-detection, antivirus, and file-integrity-checking software
- Deploying software and firmware security patches and updates
NIST Special Publication (SP) 800-37 Risk Management Framework (RMF) Rev. 2, released in 2018
The NIST SP 800-37 RMF Rev. 2, released in 2018, updated the previous RMF by more fully integrating privacy into the RMF process. It also prioritizes security and privacy strategies/activities to focus on protecting an organization’s most critical assets and systems.
The update addresses how organizations can assess and manage risks to their data and systems by focusing on protecting the individual’s personal information, ties the risk framework more closely to NIST Cybersecurity Framework (CSF), incorporates supply chain risk management, and supports NIST 800-53 Rev. 5’s security and safety safeguards. These objectives tie C-level execs more closely to operations and reduce an organization’s IT footprint and attack surface.
Addition of an Important Step to Risk Management: Prepare
The Prepare step addresses key organizational and system-level activities that can lead to efficient and cost-effective risk management processes.
CISO Global’s NIST SP 800-171 gap analysis is an in-depth review of your organization’s cybersecurity landscape that can help determine whether you are ready to obtain CMMC certification. All DoD contractors will be required to do so by 2026.
Using NIST SP 800-171 to Prepare for CMMC 2.0
Level 1 includes 17 basic security requirements that provide a minimum level of protection for Federal Contract Information (FCI). Although only a self-assessment is necessary at this level, CISO Global can assist you with evaluating Level 1 compliance via a gap analysis and provide a roadmap to address any needed remediation.
Level 2 of CMMC 2.0 includes all 110 requirements from NIST SP 800-171 verbatim, so a gap analysis is a great starting point for determining whether your organization meets these 110 required practices.
Speak With a CISO Global Security Specialist Today
Our experts maintain the most respected credentials in the industry across cybersecurity, risk and compliance, forensics, incident response, ethical hacking, security engineering, and more.