The cybersecurity world has been growing in an attempt to keep up with a threat landscape that is maturing quickly. Business operations now need to incorporate some form of cybersecurity strategy into their practices to counter the staggering breach statistics. In the past, cybersecurity among corporations has suffered from a fractured approach even as it gained importance: policies were unclear and constantly changing, there was no common language for communicating cybersecurity issues properly, and there was a general lack of clarity and understanding around effective solutions.
NIST steps in
In 2013, Executive Order 13636 was signed, titled Improving Critical Infrastructure Cybersecurity. The National Institute of Standards and Technology was tasked with creating the NIST Cybersecurity Framework (CSF) to designate a set of standards and best practices for managing cybersecurity risks. After its introduction in 2014, a further executive order signed on May 11, 2017 formalized the CSF as the standard the federal government must implement. For private organizations, it is not required.
Bringing the cybersecurity world together
The goal of the optional framework was to provide structure to the fractured approach to cybersecurity that many organizations found themselves using, without any cohesive structure to guide their efforts. The NIST Framework helps organizations communicate the posture of their cybersecurity strategies more clearly and has been widely adopted. It is broadly applicable, spanning any industry, including hospitals, educational institutions, defense agencies, commercial enterprises, and more. It can improve the security posture of an organization regardless of industry, data type, or threat factor.
The NIST CSF works to improve cybersecurity by unifying guidance in a single document, created with the combined authority of hundreds of US government agencies and regulatory authorities. It gives organizations a current and in-depth risk-management approach to defense. The NIST framework is a strong starting point for establishing an internal cybersecurity standard, which will only become more important as organizations move to the cloud. It offers IT teams a guide to securing critical systems and upholding industry standards in the cybersecurity realm.
NIST for all
NIST provides a wide variety of services and programs meant to help US industry improve its international competitiveness, commercialize new technology, and achieve an advanced level of quality in business operations. The need for the precision and reliability of NIST measurement services spans nearly all industrial sectors. As products and the production processes that create them grow more advanced and sophisticated, they need to be supported by a system that ensures a safe and effective environment. The materials, data, and calibrations provided by NIST help a wide array of industries maintain a high level of quality control during production.
Unlike regulatory regimes that are specific to an industry or function and required by law, such as HIPAA for healthcare or PCI-DSS for any company that handles payment card information, NIST is a non-regulatory federal agency. In other words, the CSF is an optional framework of standards and best practices to improve cybersecurity at the organizational level. NIST “acts as an unbiased source of scientific data and practices, including cybersecurity practices. NIST’s mission is to promote U.S. innovation and industrial competitiveness.”
A look at the framework
NIST breaks down the framework into four elements:
- Functions: the often repeated “identify, protect, detect, respond, and recover”: five cybersecurity efforts that form a high-level approach, providing the basics for securing your organization’s systems and responding to threats.
- Categories: within each function, categories identify specific tasks or challenges.
- Subcategories: within each category, subcategories set specific objectives.
- Informative references: these point to documentation, standards, steps for execution, and additional guidelines.
Implementation tiers describe progressively more complete implementations:
Tier 1 – partial implementation: organizations with a reactive cybersecurity posture. They begin with very little understanding of cyber risk and have an inconsistent approach to implementing cybersecurity plans.
Tier 2 – risk informed: organizations implementing gradually, where cybersecurity measures are being approved but are not yet consistently established. They have more understanding of cyber risks and have attempted to make a plan and identify resources to protect themselves, but they would not be considered proactive in their efforts.
Tier 3 – repeatable: the organization has made efforts to implement the NIST CSF standards, including the ability to respond to crises through a repeatable process. Employees are appropriately informed of risks, and policies are applied consistently.
Tier 4 – adaptive: the organization has achieved full adoption of the NIST CSF standards. Its preparation has moved beyond response, proactively working to detect and predict issues that could arise, drawing on knowledge of current trends and insight into its IT architecture.
NIST is now certifiable
Recently, the NIST framework became certifiable through the third-party HITRUST CSF® Assurance Program with a comprehensive set of controls. On May 29, 2018, HITRUST® Alliance announced that an organization can gain NIST CSF certification with an assessment scorecard for the NIST framework. For those in IT, or any other industry for that matter, NIST provides support for exciting innovation in our digital landscape.
NIST’s mission to develop and promote measurement, standards, and technology to enhance productivity “in ways that enhance economic security and improve our quality of life” means that it is applicable to almost every industry. The news of certification now allows a way to show compliance through a certified HITRUST assessor and add valuable insight into cyber threats, provide an action plan, and ultimately allow organizations to continue to drive innovation into a bright and exciting future.
HITRUST compliance certification allows organizations to leverage a single process to achieve the highest and most comprehensive standard of security available. Recognized globally, HITRUST certification provides an approach to standardize cyber defense strategies and encompasses the NIST CSF certification process with a HITRUST CSF scorecard that includes compliance ratings, guidance for implementing the NIST CSF tiers, and consistent reporting across all critical infrastructure industries. Digital Forge is proud to be a part of the third-party HITRUST authorized CSF Assurance Program, committed to elevating your organization with a simplified approach to comprehensive compliance efforts. We understand that compliance implementation can be an overwhelming process—we aim to help you reduce the cost and complexity of the foremost security solutions available.