NIST Cybersecurity Framework for Cybersecurity Beginners

Part of our work as cybersecurity professionals involves adhering to set standards from the organizational level or other regulatory bodies to improve or maintain the security of crucial assets. We might also be required to work with tools and perform duties that allow companies to maintain their CIA triad for information.

One such tool is the NIST Cybersecurity Framework(NIST CSF). If you are like me, this is your first encounter with the framework.

Yet, the NIST CSF is one of many organizations' most important security tools. Depending on who you work with and your career trajectory, you may be required to learn and use this framework to varying degrees.

I took some time and extracted some key points from this important framework as a foundation to help you build your knowledge.

What is the NIST Cybersecurity Framework

The NIST CSF is a voluntary framework that provides a cybersecurity approach that organizations can use to identify, assess, and manage cyber risks.

The framework is designed to give organizations principles and best practices to improve resilience and security posture regardless of their size, degree of cybersecurity risk, or sophistication.

The Cybersecurity Framework covers several topics concerning the security posture of organizations.

These include:

• Cryptography
• Cybersecurity education and workforce development
• Cybersecurity measurement
• Identity & access management
• Privacy engineering
• Risk Management
• Securing emerging technologies
• Trustworthy networks
• Trustworthy platforms

While the cybersecurity framework is not a static document, it has a core structure designed to provide organizations with a proper system of addressing cybersecurity, including its effect on physical, cyber, and people.

This core comprises concepts such as the framework basics, how to use the framework, and self-assessing cybersecurity risk using the framework.

NIST CSF Basics

The NIST CSF is designed to fit the cybersecurity needs of different organizations with different needs. Security teams can use it to tailor its implementation to fit their specific needs in mitigating the adverse effects usually caused by cybersecurity incidents.

The framework’s basics are divided into four sections:

1. The Framework Core

The framework core is an activity-based guide that organizations can use to achieve a set of outcomes in relation to cybersecurity risk. For example, an organization might need to develop and implement safeguards to protect data in all states. They will use functions within the core to calibrate these safeguards to achieve this goal.

The core is divided into elements such as Functions, categories, subcategories, and informative references.

1. Functions- These include Identify, Detect, Protect, Respond, Recover, and Govern. They organize cybersecurity activities at their highest level.

1. Categories - These allow the breakdown of individual functions into groups of cybersecurity outcomes based on particular activities. For example, organizations looking to protect data in all states will set up protection processes such as “encryption of data-at-rest and in transit” to program the function for desirable outcomes.
2. Sub-categories - These represent outcomes of technical or management activities from the category. For example, organizations that have already set up data encryption at rest and in transit could have a result such as “Data was protected in these two states because we implemented encryption policies.”
3. Informative References - These are specific sections of standards, guidelines, and practices that provide organizations and security teams with methods of achieving outcomes associated with each subcategory. They help organizations understand each subcategory's requirements and identify the appropriate controls to implement.

---

Note: Originally, the NIST Cybersecurity Framework had five main functions. However, its last major update includes a new function - Govern, which shows organizations how to make solid decisions regarding their cybersecurity strategy. The function puts cybersecurity alongside other areas, such as legal and finance, as a major source of risk to any organization.

---

2. Implementation Tiers

Framework Implementation Tiers (FIT) is a way of measuring how an organization is implementing the NIST Cybersecurity Framework. You can think of tiers as levels in a game. Each game level signifies some improvement and the ability to move up.

The tiers range from Tier 1 (Partial) to Tier 4 (Adaptive), with Tier 1 being the lowest level of maturity and Tier 4 being the
highest.

• Tier 1 (Partial): If an organization is at Tier 1, they have just started implementing the NIST CSF. They may have identified some risks and implemented some controls but still need to integrate the CSF into their overall risk management processes fully.
• Tier 2 (Risk Informed): Once the organization has a better understanding of the NIST CSF and begins to integrate it into its overall risk management processes, it moves to Tier 2. At this point, they have identified and prioritized risks and implemented controls appropriate for the level of risk.
• Tier 3 (Repeatable): Organizations at Tier 3 have a repeatable process for implementing and managing cybersecurity controls. They have developed a risk management framework and have implemented controls that properly align with that framework.
• Tier 4 (Adaptive): Organizations at Tier 4 have an adaptive approach to cybersecurity. They constantly monitor and evaluate their risk posture and change their controls. They are also investing in research and development to stay ahead of emerging threats.

Understanding these tiers is essential because your organization could be on any of them and might need your help to move to the next level.

3. Framework Profile

A framework profile allows security teams to determine whether their implementation of the CSF is in tandem with their business requirements. You could compare the framework profile to your medical checkup results. Consider the results that they provide after screening, your health profile.

Organizations can also use the framework profile as a benchmark to see how far off or close they are to achieving their desired security state. This happens by matching two states: the Current State and the Target State.

The current state pertains to how the organization is. On the other hand, the Target State represents where it desires to be. Profiles allow proper communication among all security stakeholders to enable them to allocate the required resources to achieve a higher security state on all levels.

4. Coordination of framework implementations

This describes the communication between all organizational stakeholders toward achieving a desirable security state for assets. Implementing this framework will involve players from the organization's executive, business, and operations.

The executive, such as the CISO, CEO, or CFO, will relay mission priorities, available resources, and overall risk tolerance to the business/process level. The business/process level will then use the information and add it to the risk management process before sharing it with the operations team.

The operations or implementation team then creates a profile and passes the information to the business team. The business level then communicates the findings to the executive and any changes or implementations designed to improve the framework profile.

How to Use the Framework

Organizations are different; each has its structures for identifying, assessing, and managing cybersecurity risk.

Therefore, some organizations will implement the framework in its entirety, while others will use it to fill in the gaps in their cybersecurity risk approach and develop a roadmap to improvement.

Regardless, be prepared to use the Cybersecurity framework in the following ways:

• Doing a basic review of cybersecurity practices
• Establishing or Improving a cybersecurity program
• Communicating cybersecurity requirements with stakeholders Making buying decisions
• Identifying opportunities for new or revised informative references
• Creating methodology to protect privacy and civil liberties

Self-Assessing Cybersecurity Risk with the Framework

Organizations that use the NIST CSF can assess their risk and assign values based on the potential impact of the steps taken to reduce certain risks.

The better the organization can assess the risks, costs, and benefits of the cybersecurity strategies and steps they implement, the more effective they will be at mitigating risk and maintaining a solid security posture.

After all, the idea behind self-assessment is to improve decision-making among the stakeholders and properly prioritize the investments they make towards hardening their security.

Conclusion

It’s impossible to know the level of involvement we will have in an organization’s NIST CSF implementation. Since every company is different and has different cybersecurity needs, some of us might do more than others.

For example, some of us will work with large companies that have their cybersecurity game in order. Others will join startups or smaller companies that need help implementing the framework from scratch.

Regardless of what part you play, understanding how the NIST CSF framework operates is important because it allows you to perform your duties well and communicate effectively with your seniors. It also makes you an invaluable resource in your organization.