NIST Cybersecurity Framework

NIST Cybersecurity Framework: how to manage your cyber risks?

Is the NIST Cybersecurity Framework any good for analysing, preventing and recovering from cyber risk? How do you use this method? Is it enough to protect your organisation?

Published on 31 January 2022 (Updated on 31 January 2022)

Resulting from the “Cybersecurity Enhancement Act” passed by the US Congress in 2014, the National Institute of Standards and Technology (NIST) Cybersecurity Framework initially aimed to guarantee the cybersecurity of critical infrastructures in the United States. Today, this methodology is an authority on the self-assessment of cyber risks and the implementation of preventive and protective action. In 2021 it is used more than ever before, as the cybersecurity challenges companies face keep growing. How is this method structured? Is it easy to develop and implement? Is it sufficient to effectively identify and rectify cyber risks?

The NIST Cybersecurity Framework: what is it?

The NIST CyberSecurity Framework (CSF) is a methodological framework to help manage cybersecurity.

A definition

The NIST Cybersecurity Framework was created in the United States. NIST is the National Institute of Standards and Technology from the US Department of Commerce. Its “Cybersecurity Framework” is defined as a set of standards, guidelines and best practices to manage Information Technology risks.

It is a methodological framework that companies may decide to follow without legal obligation. It is used to anticipate security breaches, but also to manage and mitigate identified IT risks.

The NIST CSF is often compared with national and international regulations. Its approach is similar to the requirements of ISO 27001 certification, which covers the security of information systems (IS).

What is the NIST CSF for?

This framework should help public and private organisations to draw up a detailed list of their cybersecurity objectives and to develop certain procedures to accomplish them. This means monitoring the processes of risk identification, IS protection, cybersecurity breach detection and management, and recovery. The NIST CSF should also help prioritise ideas for improvement and assess the organisation's progress in cybersecurity.

In detail, the NIST CSF provides guidance on all of the following actions:

  • building the foundation of a cybersecurity strategy by analysing cyber risks;
  • assessing the effectiveness of existing IT security practices;
  • estimating the potential severity of the risks the organisation is exposed to;
  • improving the process of cybersecurity breach management;
  • raising employee awareness;
  • optimising communication on cybersecurity with stakeholders.

The NIST CSF to assess cyber risks

Who is this intended for?

When the National Institute of Standards and Technology initially designed this cybersecurity framework, it was to improve cyber risk management in the United States. It primarily targeted “critical infrastructures”, those essential to the functioning of American society and the economy.

Now, structures from both public and private sectors are using it all over the world to develop their cybersecurity management. All sectors are concerned, as well as all kinds of economic players. It is also the cybersecurity method of choice of large banking and industrial groups.

How does the NIST CSF work?

The NIST framework revolves around three components, illustrated in the diagram below: the framework core, the implementation tiers and the framework profile. Each component is meant to support the evaluation of how cybersecurity risk management affects the operational and financial performance of the organisation.

Cybersecurity Framework

1 / Core

The core structures the risk management organisational strategy around five "functions": identify, protect, detect, respond and recover. These functions are themselves broken down into categories, subcategories and “informative references”, or “documentary resources”.

2 / Implementation Tiers

The implementation tiers enable the company to assess the cyber-risk management process that has already been set up. These tiers support the evaluation of the structure's maturity in this area. This should lead to a diagnosis organised around 4 maturity tiers: partial, risk-informed, repeatable or adaptive.

3 / Profile

The profile indicates how the organisation manages its cyber risks with regard to its strategic objectives. Comparing the “current profile” with the “target profile” should enable the company to identify the actions it should implement first.
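The current-versus-target comparison described above is, in practice, a gap analysis over the framework's subcategories. The following Python script is an added example (not code from the article or from NIST) of how such a comparison can be turned into a ranked action list. Its profile format is an assumption: each outcome carries a current and a target maturity score on the 1..4 scale of the tiers the article describes, plus a weight for how much the outcome matters to the organisation's objectives. The identifiers follow the CSF v1.1 naming style and the descriptions are paraphrased for illustration; the scores and weights are constructed, not taken from any assessment.

```python
"""CSF profile gap analysis: rank subcategories by their distance from the target profile."""
from dataclasses import dataclass

# Maturity scale, reusing the four implementation tiers as per-outcome scores (assumption)
TIERS = {1: "partial", 2: "risk-informed", 3: "repeatable", 4: "adaptive"}


@dataclass(frozen=True)
class Outcome:
    sub_id: str       # CSF v1.1-style subcategory identifier
    description: str  # paraphrased for illustration, not the official wording
    current: int      # maturity in the current profile, 1 (partial) .. 4 (adaptive)
    target: int       # maturity required by the target profile, same scale
    weight: float     # importance to the organisation's objectives, 1.0 = baseline


def validate(outcome: Outcome) -> None:
    """Reject scores outside the four tiers so a typo cannot silently skew the ranking."""
    for value in (outcome.current, outcome.target):
        if value not in TIERS:
            raise ValueError(f"{outcome.sub_id}: score {value} is not one of tiers {sorted(TIERS)}")
    if outcome.weight <= 0:
        raise ValueError(f"{outcome.sub_id}: weight must be positive")


def prioritise(profile: list[Outcome]) -> list[tuple[str, int, float]]:
    """Return (sub_id, gap, priority) rows, highest priority first.

    gap      = target - current; only positive gaps need action
    priority = gap * weight, so a large gap on an important outcome comes first
    Ties are broken by identifier to keep the output stable between runs.
    """
    rows = []
    for outcome in profile:
        validate(outcome)
        gap = outcome.target - outcome.current
        if gap > 0:
            rows.append((outcome.sub_id, gap, gap * outcome.weight))
    rows.sort(key=lambda row: (-row[2], row[0]))
    return rows


def over_invested(profile: list[Outcome]) -> list[str]:
    """Outcomes whose current state exceeds the target.

    These are candidates for re-checking the target, not for more spending,
    and a plain 'sort by gap' would silently drop them."""
    return [outcome.sub_id for outcome in profile if outcome.current > outcome.target]


# Constructed sample profile: scores and weights are illustrative only
SAMPLE_PROFILE = [
    Outcome("ID.AM-1", "physical devices and systems are inventoried", 2, 3, 1.0),
    Outcome("PR.AC-1", "identities and credentials are issued, managed and revoked", 1, 4, 1.5),
    Outcome("DE.CM-1", "the network is monitored for potential events", 2, 3, 1.2),
    Outcome("RS.RP-1", "the response plan is executed during or after an incident", 1, 3, 1.0),
    Outcome("RC.RP-1", "the recovery plan is executed after an incident", 3, 2, 1.0),
]

if __name__ == "__main__":
    for sub_id, gap, priority in prioritise(SAMPLE_PROFILE):
        print(f"{sub_id}: gap {gap} tier(s), priority {priority:.1f}")
    print("current state above target:", over_invested(SAMPLE_PROFILE))
```

With the sample profile, identity and credential management (PR.AC-1) comes out first because it combines the largest gap with the highest weight, while the recovery plan (RC.RP-1) is reported separately as already beyond its target. The weight is where the “strategic objectives” enter: two outcomes with the same gap are ordered by how much each matters to the business, which is the prioritisation the profile comparison is meant to deliver.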

What are the benefits of using the NIST Framework?

The NIST CSF is a detailed and comprehensive method which has become a reference in the field of cybersecurity. Like many theories surrounding cyber risk management, however, it still suffers from a few shortcomings, especially when it comes to identifying risks.

Benefits from the NIST Cybersecurity Framework

The NIST CSF has the merit of thoroughly supporting risk management. Many organisations have already reaped the benefits from properly applying the NIST CSF, as it helped them to raise awareness about their shortcomings in terms of cyber risk management. It is also an efficient means to get an idea of which protective measures should be implemented.

The NIST Cybersecurity Framework is also one of the major worldwide references in IT risk management, and it influences the newest regulations on cyber risks.

Limitations of the NIST cyber framework

The NIST framework revolves around many categories and subcategories, which some organisations struggle to implement because the task seems daunting. Its proper application is not a given either: it relies on a self-assessment process that is not validated by any external body. The smooth running of this method of risk analysis and anticipation of cybersecurity breaches therefore depends on the maturity of the organisation in this area.

The NIST framework is also commonly criticised for deviating too much from the conventions of other risk management methods, which makes it harder for teams to assimilate. It therefore requires more time and resources to train everyone in this method.

The NIST Cybersecurity Framework also presents the same difficulties as other methods, such as ISO 27001, when it comes to measuring or estimating cyber risks. Within the NIST framework, this analysis is part of a qualitative risk assessment, based on an entirely subjective probability of occurrence. This sometimes results in unrealistic risk classifications.

The only solution to this type of problem is to move away from subjective risk analysis and resort to statistical methods. This is the main goal of FAIR Analysis, “Factor Analysis of Information Risk”. This standard is now the international reference for quantifying cyber risks. It aims to measure these risks mathematically in order to translate them into financial figures. NIST itself references it in NISTIR 8286, a document published in 2020, as well as in a “success story” published in 2019. Quoting section 3.3.1, Risk analysis types: “While qualitative methods are commonplace, the practitioner may benefit from considering a quantitative methodology with a more scientific approach to estimating likelihood and the impact of consequences where the data is available for this type of analysis. This may help to better prioritize risks or prepare more accurate risk exposure forecasts.”
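To make the contrast between a qualitative rating and a quantitative estimate concrete, here is an added Python example; it is not code from the article, from NIST or from the FAIR standard, and it does not reproduce FAIR's full taxonomy. It assumes a simplified model in which a loss scenario is described by a loss event frequency (a min / most likely / max estimate per year) and a loss magnitude per event (a lognormal distribution given by its median and spread), and simulates annual loss by Monte Carlo. Two constructed scenarios land in the same cell of a 5x5 likelihood-impact matrix yet have very different financial exposure, which is the kind of misclassification the paragraph above describes.

```python
"""Quantitative annual-loss estimate versus a qualitative risk matrix (illustrative model)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    freq_min: float       # loss events per year: lower bound of the estimate
    freq_likely: float    # loss events per year: most likely value
    freq_max: float       # loss events per year: upper bound
    loss_median: float    # loss per event, median, in currency units
    loss_sigma: float     # lognormal sigma; larger means a wider spread per event
    qual_likelihood: int  # 1..5 ordinal score a risk workshop would assign
    qual_impact: int      # 1..5 ordinal score a risk workshop would assign


def qualitative_rating(s: Scenario) -> str:
    """Typical matrix rating: product of two ordinal scores bucketed into three labels."""
    score = s.qual_likelihood * s.qual_impact
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method for small rates; the random module has no Poisson draw."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, trials: int = 20_000, seed: int = 1) -> list[float]:
    """One trial = one simulated year: draw a rate, draw how many events occur, sum their losses."""
    rng = random.Random(seed)
    mu = math.log(s.loss_median)  # lognormal median == exp(mu)
    losses = []
    for _ in range(trials):
        rate = rng.triangular(s.freq_min, s.freq_max, s.freq_likely)  # signature is (low, high, mode)
        events = _poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, s.loss_sigma) for _ in range(events)))
    return losses


def expected_annual_loss(s: Scenario) -> float:
    """Closed form E[frequency] * E[magnitude], used as a sanity check on the simulation."""
    mean_freq = (s.freq_min + s.freq_likely + s.freq_max) / 3
    mean_loss = s.loss_median * math.exp(s.loss_sigma ** 2 / 2)
    return mean_freq * mean_loss


def percentile(values: list[float], p: float) -> float:
    ordered = sorted(values)
    return ordered[int(p * (len(ordered) - 1))]


def summarize(s: Scenario, trials: int = 20_000, seed: int = 1) -> dict:
    losses = simulate_annual_loss(s, trials, seed)
    return {
        "rating": qualitative_rating(s),
        "mean": sum(losses) / len(losses),
        "median": percentile(losses, 0.5),
        "p90": percentile(losses, 0.9),
        "analytic_mean": expected_annual_loss(s),
    }


# Constructed scenarios: both score 4 x 4 on the matrix, so both are rated "high"
PHISHING = Scenario("credential phishing", 0.5, 2.0, 6.0, 20_000, 0.8, 4, 4)
RANSOMWARE = Scenario("ransomware on file servers", 0.05, 0.2, 0.5, 400_000, 1.0, 4, 4)

if __name__ == "__main__":
    for scenario in (PHISHING, RANSOMWARE):
        r = summarize(scenario)
        print(f"{scenario.name}: rating={r['rating']} mean={r['mean']:,.0f} "
              f"median={r['median']:,.0f} p90={r['p90']:,.0f} (analytic mean {r['analytic_mean']:,.0f})")
```

The matrix gives both scenarios the same label, while the simulation puts the expected annual loss of the ransomware scenario at roughly twice that of the phishing scenario, with a median of zero (most years nothing happens) and a heavy tail at the 90th percentile. Those are the figures a budget discussion can use; the label “high” is not. The model is deliberately simple, and the input estimates are still expert judgement, but they are calibrated ranges rather than a single ordinal score, and the closed-form mean lets you check that the simulation is consistent with them.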

How to use the NIST CSF properly?

The NIST Framework is a method broken down into many steps. The success of the cyber risk self-assessment depends on the company’s capacity to properly implement it. You can find the complete cyber framework detailed on the NIST website.

Explaining the 5 functions of the core

The first step of the NIST analysis consists of structuring the management of cyber risks around 5 functions:

1 / Identifying the critical assets of the company, in order to prioritise the actions. This identification must cover the processes, systems and valuable resources. NIST version 1.1 also extends it to the supply chain and stakeholders.

2 / Protecting the structure from cyber threats. This approach involves awareness-raising and training actions, but also implementing software and protective technology to mitigate or prevent any risk to systems containing sensitive data.

3 / Detecting suspicious activities before they have adverse implications. This function relies on the monitoring levers the company has set up.

4 / Responding to cybersecurity events using a plan designed before any incident occurs. This strategy should allow the company to contain the threat before it escalates. This function includes planning, communication and mitigation measures.

5 / Recovering after a cyber attack: restoring the original state of the information systems and implementing measures to prevent the risk from recurring.


The NIST framework’s 4 tiers of maturity

Thanks to the implementation tiers provided by NIST, you can assess how well your organisation manages its risks, and you can also apply the method at your own pace, factoring in your possibilities and needs:

  • Tier 1: Partial

This tier concerns the structures that react to risks more than they take preventive action against them. The awareness-raising and internal communication processes on this topic are not finalised yet.

  • Tier 2: Risk-informed

Here, cyber risk management is more focused. Employees have the tools to implement cybersecurity processes, and begin to be aware of the risks. However, the company still lacks secure communication channels with external players.

  • Tier 3: Repeatable

The cyber risk management strategy is both formalised and prioritised. Employees are well aware of the risks, and have the tools for secure collaboration with external sources.

  • Tier 4: Adaptive

This is the highest tier of cybersecurity risk management. The company is able to anticipate threats and guard against them. Employees have a high level of cybersecurity skills.

The NIST Cybersecurity Framework involves raising awareness among employees

Frequently Asked Questions about NIST Cybersecurity Framework

The NIST Cybersecurity Framework helps companies analyse, manage and reduce their cyber risks according to a ranking of priorities. This approach especially requires awareness and communication.

NIST CSF is not a certification. It is a method you choose whether or not to use, with no normative authority requiring you to comply.

No, the use of the NIST framework is completely up to you.