The NIST Cybersecurity Framework seeks to better align business risk management with the rising demands of information security. To that end, it serves as the foundation for any robust cybersecurity strategy, and it is the basis of many industry-specific compliance regimes, such as HIPAA and CMMC.
The first step towards achieving NIST CSF compliance is to determine where your strengths and weaknesses lie before establishing a roadmap for reducing risk. Your current risk profile indicates which desired outcomes are currently being addressed, while your target profile lists the outcomes you want to achieve.
These desired outcomes are listed under the NIST core competencies. The NIST framework core functions span the entire incident lifecycle, from identifying potential threats and assets to disaster response planning. To become fully compliant with the framework, you will need to achieve all desired outcomes across all five of the NIST CSF core functions.
Introducing the NIST 5 core functions
The framework organizes its material around five core functions, which are in turn divided into 23 categories and 108 subcategories. These subcategories refer to either desired outcomes or specific security controls, such as security awareness training and managed detection and response.
The NIST framework is highly versatile. It does not prescribe any specific products or services, which also means it is vendor-agnostic. As such, organizations can implement the framework in any way they want. That being said, the framework also provides informative resources that reference various other security standards and NIST special publications.
Here is an overview of the NIST CSF core functions:
#1. Identify
The first step towards implementing a comprehensive cybersecurity strategy is to identify the assets you want to protect and document the risks facing them. Asset Management is the very first part of the process, followed by Business Environment analysis. This core function then addresses Governance, Risk Management, and Risk Management Strategy. Finally, the latest iteration of the framework has greatly expanded upon the Supply Chain Risk Management category to help counter growing threats to today’s supply chains.
#2. Protect
The second function area concerns the protection of the digital assets identified in the previous one. The goal is to ensure all possible measures are in place to protect against threats either old or new and to ensure the continuing delivery of business-critical services. The categories include Access Control, Awareness and Training, Data Security, Maintenance, and Proactive Technology. There is a major emphasis on the importance of proactive cybersecurity, rather than just relying on conventional reactive measures like antivirus scanners.
#3. Detect
Protecting against threats also requires the ability to detect them in the first place. This is most important in the case of new and emerging threats that are not likely to be prevented by usual antivirus or firewall solutions. This function area has three categories – Anomalies and Events, Security Continuous Monitoring, and Detection Processes. This is where technical solutions like security incident and event management (SIEM) and managed detection and response (MDR) come in.
#4. Respond
The NIST CSF revolves around the whole concept that incidents will occur, regardless of how robust your protective measures are. This is why the fourth function area addresses incident response, with the goal being to mitigate risks and prevent incidents from resulting in serious damage. The five categories in this area are Response Planning, Communications, Analysis, Mitigation, and Improvements. This function focuses heavily on continuous improvement by leveraging the power of analytics to boost resilience to future incidents.
#5. Recover
The fifth and final function area concerns the worst-case scenario, which every organization absolutely must be prepared for. Examples include a successful data breach or ransomware attack. The goal is to prevent the incident from getting any worse and to minimize long-term damage to the business. The three categories are Recovery Planning, Improvements, and Communications. Disaster recovery measures should be properly coordinated and based on the organization’s ability to tolerate a certain degree of risk.
Other NIST resources
NIST maintains a database of resources pertaining to specific industries, security measures, and technology environments. While the NIST Cybersecurity Framework can and should be applied in any context, there is a practically limitless number of different ways you can do that. This is why it is essential to have the right compliance and security partner to help you choose the solutions that align best with your unique business needs.
Charles IT is your dependable technology and compliance provider. We offer a guiding hand to help you implement the NIST framework core functions to secure your organization and win more business. Call us today to learn more!
