Request A Consultation
NIST Frameworks

NIST Frameworks

Like the NIST CSF, the NIST Privacy Framework is inclusive, drawing from numerous privacy frameworks to help simplify compliance across multiple frameworks at once.

With current trends indicating a global movement toward increased privacy regulation, and as so many of the requirements across frameworks overlap one another, the National Institute of Standards and Technology (NIST) has worked to aggregate requirements for a single framework that supports compliance across multiple standards. The voluntary set of controls, published as the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework), was intended to support privacy for consumers and enterprise stakeholders alike:

  • Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole; (Source, nvlpubs.nist.gov)
  • Fulfilling current compliance obligations as well as future-proofing products and services to meet these obligations in a changing technological and policy environment; and
  • Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.

Data Protection: The Intersection of Privacy and Cybersecurity  

Data privacy goes beyond just following applicable policies and procedures. Although implementing strong practices for handling personal information (as defined by privacy regulations that apply to your industry) is essential, securing that data is equally important. Imagine promising customers their information is safe, but then storing it in an insecure manner that leaves it vulnerable for cyber attackers to access, exfiltrate, and publish. 

The NIST Privacy Framework addresses this critical balance. It emphasizes not only creating sound policies for data collection, storage, and processing but also implementing robust data security measures. This framework incorporates existing and emerging privacy standards, so by adopting it, you’re well on your way to complying with multiple regulations. 

The NIST CSF offers voluntary guidance to help organizations improve  their cyber risk management program.

The 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure called on federal government agencies to follow NIST Cybersecurity Framework (CSF) guidance in managing cybersecurity risk. Other organizations in a range of industries and sectors as well as around the world have gone on to adopt this framework.

NIST CSF, also known as the Framework for Improving Critical Infrastructure Cybersecurity, leverages existing standards, guidelines, and best practices to help organizations better understand, manage, communicate about, and reduce their cybersecurity risk.

Organizations can customize CSF to meet their unique needs and risk profile, overlaying their current processes onto the Framework to determine gaps in their cybersecurity risk approach and develop a risk management tool they can use as a roadmap to improving their environment. For example, they can define activities that are most important to their delivery of critical services and prioritize their spending on security efforts to protect these services.

  • The Core provides a set of cybersecurity activities and outcomes using common, easily understood language. The Core guides organizations in managing and reducing their cybersecurity risks in a way that works with their existing cybersecurity and risk management processes. 
  • Implementation Tiers provide context to organizations on how they should view their cybersecurity risk management program. The Tiers guide organizations on ways to determine the appropriate level of effort they need to administer their cybersecurity program and are useful as prompts for discussing with stakeholders and management their risk appetite, mission priorities, and budget.
  • Profiles are organizations’ specific alignment of their requirements and objectives, risk appetite, and resources against the desired outcomes they determine in their Core component (described in the first bullet). They are useful for identifying and prioritizing organizational cybersecurity efforts.

CSF is organized by five functions that offer an overall view of the steps organizations should develop and implement to manage their cybersecurity over time. In Framework for Improving Critical Infrastructure, Appendix A, Tables 1 and 2 list specific categories of controls that correspond to these functions.

  • Identify: Manage cybersecurity risk to systems, assets, data, and capabilities
  • Protect: Establish appropriate safeguards to ensure delivery of services
  • Detect: Set up appropriate activities to identify a cybersecurity event
  • Respond: Follow appropriate activities when a cybersecurity event is detected
  • Recover: Maintain plans for resilience and to restore any impaired capabilities or service a cybersecurity event causes

NIST CSF offers a quick start guide to help organizations use the Framework. However, most organizations find it challenging to know how to begin. CISO Global’s security assessment experts can help, beginning with a gap analysis to determine an organization’s current security process and how it maps with CSF’s 100+ controls. For more information, contact us.

NIST 800-53 provides cybersecurity guidance for a wide range of businesses across an ever-changing threat landscape.

NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, was first published in 2013. Long considered NIST’s flagship security and privacy document, Revision 5 was published in September 2020. Federal agencies, their contractors, and the wide range of other organizations that have based their security guidance processes on Rev. 4 are adjusting to the new Rev. 5 requirements. 

SP 800-53 Rev. 5 is the result of NIST’s effort to develop the first comprehensive catalog of security and privacy controls that:

  • Organizations of any size and sector can use to manage risks
  • Are applicable to all types of systems—general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices.  

800-53 Rev. 5 offers guidance on customizing these controls to address the security requirements for protecting an organization’s specific missions, business operations, technologies, environments, and applications.

The primary objectives behind the changes from Rev. 4 to Rev. 5 are to make the information systems people depend on more penetration resistant, limit the damage from attacks when they occur, and ensure systems are resilient and recoverable. Rev. 5 also emphasizes the importance of protecting individuals’ privacy.

The Major Changes from Rev. 4 to Rev. 5 Include:

  • Changing the structure of the security and privacy controls to be more outcome-based
  • Creating a unified and consolidated set of controls by fully integrating the privacy controls into the security control catalog and providing summary and mapping tables
  • Separating the control selection process from the actual controls, enabling the controls to be used by different communities of interest
  • Promoting integration with different risk management and cybersecurity approaches, including the NIST Cybersecurity Framework
  • Clarifying the relationship between security and privacy to improve the selection of controls required to address the full scope of security and privacy risks
  • Incorporating new controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability

NIST SP 800-61, Rev. 2: Computer Security Incident Handling Guide

NIST SP 800-61 is designed to help organizations plan effective and efficient incident responses.

NIST SP 800-61 has step-by-step instructions organizations should follow to rapidly detect incidents, minimize loss, mitigate weaknesses, and restore IT services.  

In SP 800-61, NIST defines a computer security incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” NIST calls NIST 800-61 a recommendations document to emphasize how important it is for organizations to have a well-established incident response plan and well-trained teams to carry out the plan. It also includes guidelines for analyzing incident-related data, determining the best response to each incident, and continually monitoring for attacks. These guidelines are applicable to all hardware platforms, operation systems, protocols, and applications. 

The major phases of the incident response process are: preparation, detection/analysis, containment, eradication and recovery, and post-incident activity. 

  • Developing an incident response policy and plan 
  • Designing procedures for incident handling and reporting 
  • Establishing guidelines for communicating with outside parties 
  • Choosing a team structure and staffing model 
  • Setting up relationships and lines of communication between the incident response team and internal (e.g., legal department) and external (e.g., law enforcement agencies) groups
  • Deciding the services the incident response team should provide 
  • Staffing and training the incident response team
  • IR-1 Policy and Procedures
  • IR-2 Incident Response Training
  • IR-3 Incident Response Testing
  • IR-4 Incident Handling
  • IR-5 Incident Monitoring
  • IR-6 Incident Reporting
  • IR-7 Incident Response Assistance
  • IR-8 Incident Response Plan
  • IR-9 Information Spillage Response

Currently in draft form, NIST SP 800-82 Rev. 3 Guide to Operational Technology (OT) Security offers best practices on how to improve OT security systems. OT comprises programmable systems or devices that interact with or manage the physical environment.

  • Industrial control systems (ICS) (the focus of Rev 2)
  • Building information systems
  • Transportation systems
  • Physical access control systems (buildings with servers that store user data, access privileges, and audit logs)
  • Physical environment monitoring and measurement systems that
    • protect public water supplies and manage hazardous waste sites 
    • identify and analyze water, air, and soil pollution sources

The NIST SP 800-82 Rev. 3 draft cites these security objectives for OT:

  • Restrict logical access to the OT network, network activity, and systems.
  • Restrict physical access to the OT network and devices.
  • Protect individual OT components from exploitation.
  • Restrict unauthorized modification of data.
  • Detect security events and incidents.
  • Maintain functionality during adverse conditions.
  • Restore the system after an incident.

OT is a key aspect of critical infrastructures that are becoming increasingly integrated, mutually dependent, and connected via wireless networking. This interconnectedness puts OT implementations at greater risk for threats from hostile governments, terrorist groups, and other types of malicious actors as well as system failures caused by accidents and natural disasters. Because of their role in critical infrastructures such as power grids, region-wide transit operations, and hydroelectric dam systems, OT requires security solutions tailored to their environments over and above those used in traditional information technology systems.

NIST SP 800-82 applies many of the security controls outlined in NIST SP 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations as is, though 800-82 provides additional information or interpretation to make some controls OT-specific. NIST Cybersecurity Framework (CSF) is also applicable; 800-82 includes some Categories with OT-specific areas that are not part of a non-OT CSF application.

800-82 Rev. 3 advises that an effective cybersecurity program for OT systems is the “defense-in-depth” strategy that layers security mechanisms to minimize the impact if any one fails. This strategy includes the following:

  • Developing OT-specific security policies, procedures, and training
  • Addressing security throughout the OT system life cycle
  • Logically separating the corporate and OT networks
  • Establishing redundant critical components that are on redundant networks
  • Designing critical systems in such a way to prevent catastrophic cascading events
  • Disabling unused ports and services
  • Following the principle of least privilege and restricting user privileges to only those users required to perform that specific function
  • Installing intrusion-detection, antivirus, and file-integrity–checking software
  • Deploying software and firmware security patches and updates

NIST Special Publication (SP) 800-37 Risk Management Framework (RMF) Rev. 2, released in 2018

The NIST SP 800-37 RMF Rev. 2, released in 2018, updated the previous RMF by more fully integrating privacy into the RMF process. It also prioritizes security and privacy strategies/activities to focus on protecting an organization’s most critical assets and systems.

The update addresses how organizations can assess and manage risks to their data and systems by focusing on protecting the individual’s personal information, ties the risk framework more closely to NIST Cybersecurity Framework (CSF), incorporates supply chain risk management, and supports NIST 800-53 Rev. 5’s security and safety safeguards. These objectives tie C-level execs more closely to operations and reduce an organization’s IT footprint and attack surface.

Addition of an Important Step to 
Risk Management: Prepare

The Prepare step addresses key organizational and system-level activities that can lead to efficient and cost-effective risk management processes. 

  • Assigning key roles and identifying key stakeholders 
  • Establishing a risk management strategy 
  • Understanding threats to information systems and organizations
  • Determining the types of information the system processes, stores, and transmits 
  • Conducting a system risk assessment 
  • Identifying security and privacy requirements applicable to the system and its environment

The primary objectives of organization-level and system-level preparation are to:

  • Align organizational priorities with resource allocation and prioritization at the system level
  • Determine acceptable limits for selecting and implementing controls within the organization’s risk tolerance
  • Promote organization-wide identification of common controls and development of tailored control baselines to address specific needs and reduce costs of system development and protection
  • Reduce the complexity of the IT infrastructure by consolidating, standardizing, and optimizing systems, applications, and services 

CISO Global’s NIST SP 800-171 gap analysis is an in-depth review of your organization’s cybersecurity landscape that can help determine if you are ready to obtain CMMC. All DoD contractors will be required to do so by 2026.

Using NIST SP 800-171 to Prepare for CMMC 2.0

Level 1 includes 17 basic security requirements for a minimum level of data protection of FCI. Although only a self-assessment is necessary, CISO Global can assist you with evaluating Level 1 compliance via a gap analysis and provide a roadmap to address any needed remediation.

Level 2 of the CMMC 2.0 includes all the 110 requirements from NIST 800-171, verbatim. So a gap analysis is a great starting point to determine if your organization meets these 110 required practices.

  • Get used to the process of undergoing an independent assessment and understanding requirements, assisting with future CMMC assessments
  • Obtain an objective assessment to determine whether your organization has addressed the requirements necessary to obtain CMMC and understands any gaps 
  • Gain assurance at both a system and enterprise level that you are exercising due diligence to protect sensitive data
  • Develop a roadmap to make sure you are appropriately documenting and following all CMMC level requirements, policies, and procedures
  • Collect, review, and analyze your existing documentation to ensure it meets 800-171 requirements
  • Use the Examine, Interview, and Test assessment procedures documented in NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information 
  • Provide a gap analysis report that describes how we evaluated each requirement, provides our determination of implementation status, details any deficiencies we found, and recommends remediations 
  • Conduct a post gap analysis wrap-up to present our findings and ensure your organization understands them and agrees on our recommended remediations
  • Assist with developing a Plan of Actions and Milestones (POA&M), including achievable goals and milestones toward 800-171 compliance and preparing for CMMC certification
  • Provide hands-on remediation as needed

Speak With a CISO Global Security Specialist Today

Our experts maintain the most respected credentials in the industry across cybersecurity, risk and compliance, forensics, incident response, ethical hacking, security engineering, and more.