Best Practices for the NIST Cybersecurity Framework

Network Security, user authentication, incident response, . . . Sometimes cybersecurity can seem like an endless stream of complex technical topics and an endless laundry list of things that need to get done. How can you keep track of all that? How can you communicate cybersecurity needs and successes to a non-technical leadership?

In our recent blog, we covered the core of the NIST Cybersecurity Framework, which was designed precisely to address these challenges. We covered the fundamentals of what the Framework is and how the concepts of Functions, Tiers, and Profiles operate as useful tools for an organization’s security posture. Check it out if you missed it.

But we didn’t go into much detail about how organizations can leverage the Framework in their day-to-day cybersecurity operations. We will cover that in more depth today.  

To be as useful as possible across a wide range of business sectors and organizations, the Framework does not include prescriptive or rigid processes and steps about how organizations should use it.

The Framework is not meant to be used strictly or rigidly. It is intended to be useful across various business sectors and organizations. It was developed with flexibility in mind. It can provide value in a series of use cases that organizations face regularly and show how a Framework-informed security program may look.

Use Cases

Security Maturity Spot Check

At its most basic level, the Framework serves as a yardstick for organizations to determine the maturity of their security posture. While the Framework doesn’t mandate a specific level of security, the higher tiers imply a more comprehensive and complete security maturity.

Identifying which of these measures an organization does or does not have in place enables them to review their current security practices quickly.

Communicating Cybersecurity Requirements with Stakeholders

Security teams and security leaders often struggle to communicate security needs and policies to other stakeholders throughout the company, including both board leadership and employees.

While the NIST Framework was developed to be used by technical cybersecurity experts and teams, it aims to be useful at a high level for a non-technical audience. By being easy to understand, it helps internal business communication and serves as a useful tool for business risk management teams that lack cybersecurity subject matter expertise.     

Buying Decisions and Supply Chain Management

The NIST Cybersecurity Framework is useful in an organization’s supply chain security and vendor risk management. The various functions and tiers work to create an inter-organizational standard for communicating various aspects of an organization’s security posture. 

It allows an organization’s leadership and risk management team to develop a desired target profile for possible suppliers to meet so that these requirements can be integrated into an organization’s procurement process.

Standard categories and tiers make it easier for potential buyers to determine if a certain tool or product is compatible with their risk tolerances and enable potential providers to better understand what security criteria they need to meet in their market.

Evaluating New Security Tech

           The Cybersecurity space is constantly evolving with new threats, new tools, new technologies, and new methodologies. Having been in place for almost a decade, the NIST Cybersecurity Framework has been around through several significant changes in the security landscape.

It is still relevant because it was designed to be flexible and responsive to these changes. While the Functions and categories are high-level concepts that are fixed, the sub-category and information references layers have been updated several times.

The Framework’s architecture helps identify the role of new tools or processes based on their core functions and abilities and facilitates the creation of new sub-categories and references as these develop and become more common in the industry. 

How to Use the Framework in a Comprehensive Cybersecurity Program

Beyond these use cases, the Cybersecurity Framework also suggests a standard model of a repeating cybersecurity program process that leverages the Framework for maximum effect over the course of its discrete steps.

Step 1: Prioritize 

In this initial phase, organizations identify what they care about, their business priorities, mission, and objectives. This strategic approach helps determine what systems, assets, and resources are critical to business operations and informs which Functions and Categories are high priorities for the organization.

Step 2: Orient

During the orientation phase, organizations lay out the key assets and systems in their infrastructure, any regulatory or compliance standards they must meet, and their overall risk management approach. Using the Cybersecurity Framework can help them understand what threats or vulnerabilities their systems may be prone to

Step 3: Create a Current Profile

Organizations leverage the Cybersecurity Framework’s concepts of Profiles to define their existing cybersecurity measures and outcomes. NIST encourages organizations to develop new Categories and sub-categories to augment the default ones if necessary to capture unique aspects of their security posture.  

This profile then serves as a baseline to understand the organization’s present cybersecurity posture and develops a foundation to build from.  

Step 4: Conduct a Risk Assessment

 In this step, organizations conduct a comprehensive risk assessment to quantify and understand the potential risks that could impact their business. By working through the relevant Framework sub-categories and making use of threat intelligence from internal and external sources, organizations develop a comprehensive understanding of their risk environment.

Step 5: Create a Target Profile

Informed by the Risk Assessment and their Risk Management priorities, Companies can create a Target Profile using the Cybersecurity Framework to determine what they need their cybersecurity posture to look like. The Framework helps security teams get the necessary granularity and specificity to identify what security systems, devices, and procedures they need to have in place and to organize and categorize them.

Step 6: Perform a Gap Analysis and Develop an Action Plan

Armed with their Target Profile and Current profile, organizations are able to compare these to run a Gap analysis by comparing where their Current profile matches or exceeds their Target and where it falls short. Based on the various tiers, organizations can identify how large the gaps in specific sub-categories are and can use this information to develop an action plan prioritizing the largest and most critical gaps in a strategic manner.

Step 7: Implement Action Plan

Finally, organizations need to roll out their action plan, implementing the necessary measures identified during the gap analysis to bridge the gaps between Current and Target profile status. Although the Framework describes this as a singular linear process, it is important to understand that organizations will get the best effects if they implement a security program like this in an ongoing, constantly rotating, iterative fashion that is sensitive to the latest threat intelligence and methods to combat them.

Conclusion

The NIST Cybersecurity Framework offers a versatile tool for organizations to enhance their cybersecurity posture. It guides teams in identifying vulnerabilities, setting achievable security goals, and crafting actionable plans to foster a resilient cybersecurity environment. As we have explored, its utility extends beyond mere compliance, serving as a versatile tool to facilitate informed business risk management and continuous improvement. By leveraging the Framework, organizations can develop a strategic roadmap to navigate their cybersecurity challenges.

           If you are looking to leverage the NIST Cybersecurity Framework at your organization but need some guidance on how to make the most use of it in your unique circumstances, get in touch with one of our seasoned cybersecurity experts to help you!