What is NIST CSF?

by

Understanding the NIST Security Framework

The NIST cybersecurity framework is a risk-based, rather than compliance drive, cybersecurity document. This approach means organizations focus on real risks and prioritize from the highest impact and work their way down. Not all risks are the same or have the same impact and it is important to be able to distinguish this when taking action.

It was developed in an effort to keep the critical infrastructure we depend on each day safe and enduring. In 2013, it was becoming increasingly obvious that some of the most disruptive events on our day to day lives would be cyberattacks.

The framework was developed in collaboration by leading industry, government and academic professionals with the intent of building something that could be broadly leveraged and utilized across industries and anyone in the organization.

NIST Framework Components

The framework is made up three components: the core, implementation tiers and profiles. The core is comprised of 5 functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recove

Within the functions are a couple dozen categories which define cybersecurity outcomes and controls. Read more about the components to the framework here.

NIST Adoption Trends

Since its release, adoption has been significant.

The 2018 HIMSS Cybersecurity survey highlighted that NIST had the highest adoption of 239 Health Information Security respondents at more than 55%, which was more than double other frameworks. This appears to be a glimpse into the future for all industries in the United States

In 2015 nearly 30% of all US organizations have adopted the NIST Cybersecurity Framework and the growth was projected to surpass 50% by 2020 according to gartner research.

NIST Adoption

NIST Evolution

With the rapid changes in technology and sophistication of attacks, the NIST Security Framework was developed to evolve over time to become more inclusive for organizations and cover more potential vulnerabilities.

It is also a sort of  'crowd-sourced' project by providing an opportunity for contributions and a look into different changes, workshops and responses that came up during the process. You can see some of those here.

How is NIST Different?

There are number of key differences with this framework when comparing to others you may be considering for adoption.

First, NIST is a completely optional framework. There is a good side and a bad side to this. The bad is obvious: organizations can just choose not to adopt something that would be helpful in shoring up their operations. The good side is being optional seems to suggest the right sort of intent. Here is what I mean.

When something is required, measurement formalizes. When that happens you can begin to sacrificing the integrity of the effort because organizations will be focused on meeting the requirement instead of properly addressing threats and vulnerabilities. That is a recipe for cut corners and a false sense of security.

Another difference is its approach. Rather than more compliance checklists, NIST provides standards and uses existing compliance tools as a point

Is NIST CSF right for you?

The NIST Cybersecurity Framework is a great way for companies to identify a baseline for their security operations, especially if they don't know where to start. Within the framework there are references to where the guideline originated, as well as 4 levels for each phase of an organizations security operations lifecycle. Keep in mind, though, that if you manage user credit card or medical information, there are going to be other required frameworks to operate as a business.

JupiterOne Team
JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.

Keep Reading

Now Available: JupiterOne’s Public Postman Workspace | JupiterOne
October 31, 2024
Blog
Now Available: JupiterOne’s Public Postman Workspace

Explore JupiterOne’s Public Postman Workspace to streamline your workflows and enhance your security operations.

Prioritizing Exploitable Vulnerabilities to Protect Your Business Critical Assets | JupiterOne
October 16, 2024
Blog
Prioritizing Exploitable Vulnerabilities to Protect Your Business Critical Assets

Vulnerability scanners flood teams with alerts, but CTEM helps prioritize based on exploitability and business impact, ensuring focus on the most critical threats.

How CTEM Prioritizes Critical Threats and Safeguards Your Most Valuable Assets | JupiterOne
October 9, 2024
Blog
How CTEM Prioritizes Critical Threats and Safeguards Your Most Valuable Assets

Learn how CTEM helps organizations reduce their attack surface, protect valuable assets, and stay ahead of attackers. Download our white paper to get started with CTE

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.