Understanding the NIST Security Framework
The NIST cybersecurity framework is a risk-based, rather than compliance drive, cybersecurity document. This approach means organizations focus on real risks and prioritize from the highest impact and work their way down. Not all risks are the same or have the same impact and it is important to be able to distinguish this when taking action.
It was developed in an effort to keep the critical infrastructure we depend on each day safe and enduring. In 2013, it was becoming increasingly obvious that some of the most disruptive events on our day to day lives would be cyberattacks.
The framework was developed in collaboration by leading industry, government and academic professionals with the intent of building something that could be broadly leveraged and utilized across industries and anyone in the organization.
NIST Framework Components
The framework is made up three components: the core, implementation tiers and profiles. The core is comprised of 5 functions:
Within the functions are a couple dozen categories which define cybersecurity outcomes and controls. Read more about the components to the framework here.
NIST Adoption Trends
Since its release, adoption has been significant.
The 2018 HIMSS Cybersecurity survey highlighted that NIST had the highest adoption of 239 Health Information Security respondents at more than 55%, which was more than double other frameworks. This appears to be a glimpse into the future for all industries in the United States
In 2015 nearly 30% of all US organizations have adopted the NIST Cybersecurity Framework and the growth was projected to surpass 50% by 2020 according to gartner research.
With the rapid changes in technology and sophistication of attacks, the NIST Security Framework was developed to evolve over time to become more inclusive for organizations and cover more potential vulnerabilities.
It is also a sort of 'crowd-sourced' project by providing an opportunity for contributions and a look into different changes, workshops and responses that came up during the process. You can see some of those here.
How is NIST Different?
There are number of key differences with this framework when comparing to others you may be considering for adoption.
First, NIST is a completely optional framework. There is a good side and a bad side to this. The bad is obvious: organizations can just choose not to adopt something that would be helpful in shoring up their operations. The good side is being optional seems to suggest the right sort of intent. Here is what I mean.
When something is required, measurement formalizes. When that happens you can begin to sacrificing the integrity of the effort because organizations will be focused on meeting the requirement instead of properly addressing threats and vulnerabilities. That is a recipe for cut corners and a false sense of security.
Another difference is its approach. Rather than more compliance checklists, NIST provides standards and uses existing compliance tools as a point
Is NIST CSF right for you?
The NIST Cybersecurity Framework is a great way for companies to identify a baseline for their security operations, especially if they don't know where to start. Within the framework there are references to where the guideline originated, as well as 4 levels for each phase of an organizations security operations lifecycle. Keep in mind, though, that if you manage user credit card or medical information, there are going to be other required frameworks to operate as a business.