The National Institute of Standards and Technology (NIST) Cybersecurity Framework grew out of Executive Order 13636 (2013), and NIST's role in maintaining it was later codified by the “Cybersecurity Enhancement Act” passed by the US Congress in 2014. It was initially aimed at strengthening the cybersecurity of critical infrastructure in the United States. Today, the framework has become a reference for cyber risk self-assessment and for implementing preventive and protective measures. In 2022, more than ever, it is being called upon as the cybersecurity challenges facing companies grow. How is the framework structured? Is it easy to develop and implement? Is it sufficient to effectively identify and address cyber risks?
The NIST CyberSecurity Framework (CSF) is a methodological framework to help manage cybersecurity.
The NIST Cybersecurity Framework was created in the United States. NIST is the National Institute of Standards and Technology, an agency of the US Department of Commerce. Its “Cybersecurity Framework” is defined as a set of standards, guidelines and best practices for managing cybersecurity risk.
While companies may decide to follow this methodological framework, there is no legal obligation to do so. It is used to anticipate security breaches, but also to manage and mitigate identified IT risks.
The NIST CSF is often compared with national and international standards and regulations; its approach is close to the requirements of ISO 27001, the certifiable standard for information security management systems (ISMS).
This framework should help public and private organisations to draw up a detailed list of their cybersecurity objectives and to develop certain procedures to accomplish them. This means monitoring the processes of risk identification, IS protection, cybersecurity breach detection and management, and recovery. The NIST CSF should also help prioritise ideas for improvement and assess the organisation's progress in cybersecurity.
In detail, the NIST CSF provides information on all of the following actions:
When the National Institute of Standards and Technology initially designed this cybersecurity framework, it was to improve cyber risk management in the United States. It primarily targeted “critical infrastructures”, essential for the functioning of American society and economy.
Now that economic players in every sector are exposed to cyber risk, public and private organisations all over the world use it to build their cybersecurity management strategy. It is also the method of choice of large banking and industrial groups.
The NIST framework revolves around three components, as illustrated in the diagram below: the framework core, the implementation tiers, and the framework profile. Each component is meant to support the evaluation of how cybersecurity risk management affects the operational and financial performance of the organisation.
1 / Core
The core component structures the organisation's risk management strategy around five "functions": identify, protect, detect, respond, and recover. These functions are themselves broken down into categories, subcategories, and “informative references”, which cross-reference other standards and guidance (such as ISO/IEC 27001 or NIST SP 800-53) for each subcategory.
2 / Implementation Tiers
The implementation tiers let the organisation assess the cyber risk management process it has already put in place, and so gauge how mature it is in this area. The diagnosis is organised around four tiers: partial, risk-informed, repeatable, and adaptive. One caveat from the framework itself: NIST states that the tiers do not represent maturity levels in the formal sense; they describe how far cyber risk management practices are integrated into the organisation's wider risk decisions and how it exchanges information with external parties.
3 / Profile
The profile indicates how an organisation manages cyber risks, with regard to its strategic objectives. The comparison between the “current profile” and the “target profile” should enable the company to identify the actions it should implement first.
The NIST CSF is a detailed and comprehensive method which has become a reference in the field of cybersecurity. Like many theories surrounding cyber risk management, however, it still suffers from a few shortcomings, especially when it comes to identifying risks.
The NIST CSF has the merit of thoroughly supporting risk management. Many organisations have already reaped the benefits from properly applying the NIST CSF, as it helped them to raise awareness about their shortcomings in terms of cyber risk management. It is also an efficient way of evaluating which protective measures should be implemented.
The NIST Cybersecurity Framework is also one of the major worldwide references in IT risk management, and it has influenced the newest cyber risk regulations.
The NIST framework is built on many categories and subcategories, and some organisations struggle to implement it because of this sheer volume. Proper application is also not a given: the framework rests on a self-assessment that is not validated by any external body. How well this method of risk analysis and anticipation of breaches works therefore depends on the organisation's maturity in this area.
The NIST framework is also commonly criticised for departing from the conventions of other risk management methods, which makes it harder for teams to integrate seamlessly. Training existing staff in the method therefore requires more time and resources.
The NIST Cybersecurity Framework also presents the same difficulty as other methods, such as ISO 27001, when it comes to measuring or estimating cyber risk. Within the NIST framework, this analysis is a qualitative risk assessment based on an essentially subjective probability of occurrence, which sometimes produces unrealistic risk rankings.
The way out of this problem is to move away from purely subjective risk analysis and draw on statistical methods, which is the main goal of FAIR™ (Factor Analysis of Information Risk). This standard has become the international reference for quantifying cyber risk: it models risk as a loss-event frequency combined with a loss magnitude and measures both mathematically, in order to express the result in financial terms. It is also referenced by NIST in NISTIR 8286, published in 2020, and in a “success story” published in 2019. To quote section 3.3.1, Risk analysis types: “While qualitative methods are commonplace, the practitioner may benefit from considering a quantitative methodology with a more scientific approach to estimating likelihood and the impact of consequences where the data is available for this type of analysis. This may help to better prioritize risks or prepare more accurate risk exposure forecasts.”
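As an added illustration (not code from NIST, the FAIR standard or the original article), the following Python sketch shows the kind of quantitative analysis the paragraph refers to: calibrated three-point estimates for loss-event frequency and loss magnitude are sampled with a Monte Carlo simulation to produce an annualised loss expectancy and tail figures, instead of a "medium" rating on a heat map. The scenario inputs (a credential-phishing risk against a customer portal, the euro amounts, the risk-appetite threshold) are constructed for the example and are not real data.

```python
"""
FAIR-style Monte Carlo estimate of annualised cyber loss.

Added illustration: this is not code from NIST, the FAIR standard or the
original article. The frequency and magnitude inputs are constructed
calibrated estimates (min / most likely / max), not real data.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Calibrated three-point estimate (min / most likely / max) sampled as a beta-PERT.

    FAIR analysts usually collect estimates in this form; the beta-PERT
    turns them into a continuous distribution without assuming normality.
    """

    low: float
    mode: float
    high: float
    shape: float = 4.0  # classic PERT weighting of the most-likely value

    def sample(self, rng: random.Random) -> float:
        span = self.high - self.low
        alpha = 1.0 + self.shape * (self.mode - self.low) / span
        beta = 1.0 + self.shape * (self.high - self.mode) / span
        return self.low + rng.betavariate(alpha, beta) * span

    def mean(self) -> float:
        # Closed form for the beta-PERT mean, used to sanity-check the simulation.
        return (self.low + self.shape * self.mode + self.high) / (self.shape + 2.0)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inversion sampler: number of loss events in a year with rate lam."""
    limit = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def simulate_annual_loss(freq: Pert, magnitude: Pert, years: int, seed: int = 1) -> list[float]:
    """Return one simulated total loss per year.

    Each year draws a loss-event frequency (LEF), turns it into an event count
    via a Poisson draw, and sums an independent loss-magnitude (LM) draw per event.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        events = poisson(rng, freq.sample(rng))
        losses.append(sum(magnitude.sample(rng) for _ in range(events)))
    return losses


def summarise(losses: list[float], exceed_threshold: float) -> dict[str, float]:
    """Annualised loss expectancy plus the tail figures a board can act on."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(q: float) -> float:
        return ordered[min(n - 1, int(q * n))]

    return {
        "mean": sum(ordered) / n,  # ALE: the figure to weigh against control cost
        "median": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),  # "bad year" loss
        "p_exceed": sum(1 for x in ordered if x > exceed_threshold) / n,
    }


# Constructed scenario inputs (hypothetical, for illustration only):
# credential-phishing incidents against a customer portal.
FREQUENCY = Pert(low=0.5, mode=2.0, high=6.0)  # loss events per year
MAGNITUDE = Pert(low=20_000, mode=80_000, high=600_000)  # loss per event, in EUR
RISK_APPETITE = 1_000_000  # annual loss the board has said it will not tolerate

EXPECTED_ALE = FREQUENCY.mean() * MAGNITUDE.mean()  # closed-form cross-check of the mean


def run_example(years: int = 20_000, seed: int = 1) -> dict[str, float]:
    return summarise(simulate_annual_loss(FREQUENCY, MAGNITUDE, years, seed), RISK_APPETITE)


if __name__ == "__main__":
    result = run_example()
    print(f"{'analytic ALE':<18}: {EXPECTED_ALE:>12,.0f}")
    for key, value in result.items():
        shown = f"{value:>12.1%}" if key == "p_exceed" else f"{value:>12,.0f}"
        print(f"{key:<18}: {shown}")
```

The mean of the simulated losses is the annualised loss expectancy that can be compared directly with the cost of a control; the 90th and 95th percentiles and the probability of exceeding the risk-appetite threshold carry the information a single "likelihood × impact" score throws away. Only the standard library is used, and the seed is fixed so a run can be reproduced during an audit.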
The NIST Framework is a method broken down into many steps. The success of cyber risk self-assessment is contingent on the company’s ability to properly implement it. You can find the complete cyber framework detailed on the NIST website.
The first step of the NIST analysis consists of structuring the management of cyber risks around five functions:
1 / Identifying the company’s critical assets, so that actions can be prioritised. This covers business processes, systems, and valuable resources. Version 1.1 of the framework (2018) also brings the supply chain and stakeholders into scope, through its Supply Chain Risk Management category.
2 / Protecting the structure from cyber threats. This approach involves raising awareness and leading training, but also implementing software and protective technology to mitigate or prevent any risk to systems containing sensitive data.
3 / Detecting suspicious activities before they have adverse implications. This function relies on the monitoring levers the company has set up.
4 / Responding to cybersecurity events using a plan designed before any incident occurs. The aim is to contain the impact of a detected event before it spreads; this function covers response planning, communications, analysis, mitigation, and improvements.
5 / Recovering after a cyberattack: restoring the information systems and the services they support, and incorporating lessons learned so that the incident does not reoccur.
Thanks to the implementation tiers provided by NIST, you can assess how well your organisation manages its risks and adopt the method at your own pace, factoring in your own requirements:
1 / Partial
This tier covers organisations that react to risks rather than taking preventive action against them. Awareness and internal communication on the subject are still limited.
2 / Risk-informed
Here, cyber risk management is more focused. Employees have the tools to implement cybersecurity processes and are beginning to be aware of the risks. However, the company still lacks secure communication channels with external players.
3 / Repeatable
The cyber risk management strategy is both formalised and prioritised. Employees are well aware of the risks and have the tools to collaborate securely with external parties.
4 / Adaptive
This is the highest tier of cybersecurity risk management. The company is able to guard against dangers and anticipate them, and its employees have a high level of cybersecurity skills.
The NIST Cybersecurity Framework helps companies analyse, manage, and reduce their cyber risks according to a ranking of priorities. This approach notably requires awareness and communication.
The NIST CSF is not a certification. It is a method you choose whether or not to use; no normative authority requires you to comply with it.
No, the use of the NIST framework is completely up to you.