About the NIST Cybersecurity Framework

The National Institute of Standards and Technology, or NIST, provides uniform frameworks and security standards for any organization wishing to enhance their cybersecurity practices. Becoming compliant with the NIST Cybersecurity Framework not only ensures that your company is taking action to mitigate cybersecurity risks, but it also serves as a foundation for other, more industry-specific regulations.

What is the NIST Cybersecurity Framework?

Originally published in February of 2014, the NIST Cybersecurity Framework was created in response to Executive Order 13636, which aimed to improve the cybersecurity practices and resiliency of the United States’ critical infrastructure. The NIST Cybersecurity Framework operates on six core functions that serve as the basis for all recommended mitigation measures. These primary functions include Govern, Identify, Protect, Detect, Respond, and Recover.

Tiers of NIST Implementation

There are four defined tiers of implementation for the NIST Cybersecurity Framework within individual organizations. These tiers describe how familiar an organization is with cybersecurity risks and whether it has taken steps to implement repeatable cybersecurity practices. The tiers of implementation are as follows:

  • Tier 1 - Partial

Tier 1 organizations display familiarity with the NIST Cybersecurity Framework but limited awareness of cyber risk. Cybersecurity activities are implemented reactively rather than being planned.

  • Tier 2 - Risk Informed

Tier 2 organizations demonstrate more awareness of cybersecurity risks, but planned, proactive mitigation processes are lacking throughout the organization.

  • Tier 3 - Repeatable

Tier 3 organizations have widespread knowledge of cybersecurity risks and have implemented repeatable risk management practices. These organizations maintain plans to monitor and respond to cyber-attacks.

  • Tier 4 - Adaptive

Tier 4 organizations demonstrate cyber resiliency and work to continuously improve cybersecurity practices and technologies. Cybersecurity risk management is organization-wide and is incorporated into the company culture.

What are the Core NIST Functions?

The core NIST functions, also called the pillars of the NIST Cybersecurity Framework, represent a high-level overview of the actions organizations can take to improve their cybersecurity strategy. Within these functions are categories and subcategories that provide objectives for organizations to work towards without mandating specifically how this must be done. This allows each organization to adopt an approach to cybersecurity resiliency that fits its own business.

Govern

As the newest addition to the NIST Cybersecurity Framework, the Govern function helps businesses understand their organizational mission and stakeholders while forming the foundation for a risk management strategy. This pillar contains the following categories:

  • Organizational Context (GV.OC)
  • Risk Management Strategy (GV.RM)
  • Roles, Responsibilities, and Authorities (GV.RR)
  • Policy (GV.PO)
  • Oversight (GV.OV)
  • Cybersecurity Supply Chain Risk Management (GV.SC)

Identify

The goal of Identify is to help organizations develop a wide understanding of their own people, assets, systems, resources, and risks. By recognizing these entities, an organization will be capable of maintaining a clear understanding of their critical assets and potential vulnerabilities. The categories within Identify are as follows:

  • Asset Management (ID.AM)
  • Risk Assessment (ID.RA)
  • Improvement (ID.IM)

Protect

Protect outlines measures to be taken in order to mitigate and minimize the effect of potential cybersecurity risks and events. The categories within Protect are as follows:

  • Identity Management, Authentication, and Access Control (PR.AA)
  • Awareness and Training (PR.AT)
  • Data Security (PR.DS)
  • Technology Infrastructure Resilience (PR.IR)

Detect

Detect defines methods to assist in quickly identifying cybersecurity events. Through activities such as continuous monitoring, incident detection, and response planning, organizations can ensure that incidents are detected in a timely manner. The categories within Detect are as follows:

  • Continuous Monitoring (DE.CM)
  • Adverse Event Analysis (DE.AE)

Respond

The Respond function is responsible for detailing recommended activities to be taken in response to detected cybersecurity events. By being able to quickly and effectively respond to incidents, organizations will be able to lessen the impact of incidents. The categories within Respond are as follows:

  • Incident Management (RS.MA)
  • Incident Analysis (RS.AN)
  • Incident Response Reporting and Communication (RS.CO)
  • Incident Mitigation (RS.MI)

Recover

The purpose of Recover is to ensure that organizations are capable of quickly and efficiently restoring business functions that may have been impacted by a cybersecurity incident. The categories within Recover are as follows:

  • Incident Recovery Plan Execution (RC.RP)
  • Incident Recovery Communication (RC.CO)

NIST Publications

The National Institute of Standards and Technology has released several publications of standards with varying scopes, contexts, and target audiences. With a number of diverse publications available, organizations can find one that aligns with their industry needs for more tailored guidance. Egis can help organizations understand which publications and standards apply to them and provide a comprehensive approach to meeting those standards.

NIST SP 800-53, entitled Security and Privacy Controls for Information Systems and Organizations, provides general controls for organizations to utilize that will assist in protecting their information systems, operations, assets, individuals, along with other organizations. This publication covers controls that help mitigate a wide variety of potential security events.

NIST SP 800-171, also known as Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, covers recommended security implementations that focus on securing controlled unclassified information (CUI). CUI is a category of unclassified information that still requires a certain level of safeguarding. SP 800-171 defines requirements that protect CUI whether it is being processed, in transit, or at rest.

The Guide for Conducting Risk Assessments, or NIST SP 800-30, provides comprehensive guidance for organizations to conduct risk assessments. This publication provides a framework to assist organizations in identifying, assessing, and mitigating cybersecurity risks along with outlining a structured process for risk assessments.

The Computer Security Incident Handling Guide, also known as NIST SP 800-61, outlines guidelines to help organizations manage security incidents. This publication provides best practices for establishing, implementing, and maintaining an incident response strategy.

The Federal Information Processing Standard (FIPS 140-2) specifies requirements for cryptographic modules that are used to protect sensitive data. By ensuring that cryptographic modules meet a certain standard, organizations can be sure that there is adequate protection against cryptographic attacks. There are multiple levels to this standard, with each level corresponding to progressively more stringent requirements.

Achieving NIST with Egis

Egis IT Security serves organizations within the Indianapolis metropolitan area and across the United States to help them stay up to date on NIST regulations. Egis is dedicated to helping others understand and implement the necessary security controls for their business. With our extensive expertise and years of experience, Egis can offer tailored solutions to help your organization align with industry standards, allowing you to focus on your business. To achieve this goal and help your organization become NIST-compliant, we can:

  • Improve upon current IT policies and procedures
  • Meet with your auditors
  • Perform vulnerability assessments
  • Continuously monitor your websites, networks, and servers
  • Recommend, sell, and deploy a variety of products as needed
  • Perform security awareness training
  • Provide consultations