Updated On 9 February, 2023

NIST Cybersecurity Framework Compliance

The first version of the NIST Cybersecurity Framework was published in 2014, and it was updated for the first time in April 2018. Although there have not been any substantial changes, however, there are a few new additions and clarifications. Appendix A of this framework is often called the Framework Core, and it is a twenty-page document that lists five functions – Identify, Protect, Detect, Respond, and Recover.  They consist of various categories and sub-categories. Here, it must be noted that Appendix A is a knight in shining armor if utilized correctly while implementing this framework.

As per NIST, this framework guides the decision-makers to take the lead on cybersecurity activities and consider cybersecurity risks as a part of their organization’s overall risk management process. It is clear that NIST does not expect all the organizations to comply with all the contents of the framework. Instead, it expects that organizations will consider their business requirements and material risks before taking a well-informed and reasonable decision.

One of the most significant additions in version 1.1 of the NIST Cybersecurity Framework is a section titled “Self-assessing Cybersecurity Risk with the Framework.” Under this section, the organizations are encouraged to perform either internal or external risk assessments using the framework. To lead this exercise, the individuals responsible must possess sufficient expertise so that they can inform the decision-makers of the organization’s existing risk profile, initiate vital discussions, and agree on a targeted risk profile. These activities must drive an organization’s adoption, implementation, and execution of a remediation plan for addressing the gaps between what an organization has and what it needs to improve its security posture.

Cybersecurity Process

The process diagram given below illustrates how the NIST Cybersecurity Framework is implemented as a cybersecurity process.

 

Figure 1: Process diagram for the implementation of the NIST Cybersecurity Framework (Source: NIST)

Core Controls

Apart from the five functions of this framework stated previously, the controls given in this framework are classified into the following categories – 

Category	Explanation
Asset Management (ID.AM)	Inventory of devices, systems, software, applications, and external information systems  Mapping data flows and communications within the organization  Resource prioritization  Defining cybersecurity roles and responsibilities
Business Environment (ID.BE)	Role in critical infrastructure and supply chain management  Defining mission priorities and resilience requirements  Dependencies on other services  Understanding and managing legal and regulatory requirements  Implementing processes for governance and risk management
Risk Assessment (ID.RA)	Identifying vulnerabilities and threats  Documenting, communicating, and evaluating the impact and likelihood of vulnerabilities  Identifying and prioritizing responses
Risk Management Strategy (ID.RM)	Identifying processes and their risk tolerance  Considering critical infrastructure
Access Control (PR.AC)	Managing identities and credentials for authorized devices and users  Controlling physical access  Managing remote access  Managing permissions and exceptions  Protecting network integrity
Awareness and Training (PR.AT)	Awareness and training  Privileged user awareness  Third-party awareness  Executive awareness  Physical and information security roles training and awareness
Data Security (PR.DS)	Protecting data-at-rest  Protecting data-in-transit  Formal asset management and disposal  Capacity and availability management  Protection against data leaks  Integrity checking  Separating development and testing from production
Information Protection Processes and Procedures (PR.IP)	Complying with policy and regulations  Data destruction  Continuous improvement  Information sharing  Resource planning  Response and recovery testing  HR processes including deprovisioning and personnel screening  Vulnerability management
Maintenance (PR.MA)	Timely maintenance  Control and monitor remote maintenance activities
Protective Technology (PR.PT)	Log collection and analytics  Remove media usage and controls  Controlled access to systems and assets  Protecting communications and control networks
Anomalies and Events (DE.AE)	Establishing baselines  Analyzing detected events  Aggregating and correlating data from multiple sources  Impact determination  Defining incident alert thresholds
Security Continuous Monitoring (DE.CM)	Roles and responsibilities  Activities, testing, dissemination, and continuous improvement
Resource Planning (RS.RP)	Response plan maintenance and execution
Communications (RS.CO)	Personnel roles  Event reporting  Information sharing  Coordinating with stakeholders  Voluntary information sharing for situational awareness
Analysis (RS.AN)	Investigation of notifications  Impact analysis  Forensics investigations  Incident categorization
Mitigation (RS.MI)	Containment, mitigation, and documentation of acceptable risks
Improvements (RS.IM)	Incorporating lessons learned into response strategy  Updating response strategies
Recovery Planning (RC.RP)	Execution of the recovery plan
Improvements (RC.IM)	Incorporating lessons learned into recovery plans and recovery strategies
Communications (RC.CO)	Public relations management  Reputation repair  Communication of recovery activities to internal stakeholders, executives, and management teams

Why should an organization adopt the NIST Cybersecurity Framework?

The first version of the NIST Cybersecurity Framework was published in 2014, and it was updated for the first time in April 2018. Although there have not been any substantial changes, however, there are a few new additions and clarifications. Appendix A of this framework is often called the Framework Core, and it is a twenty-page document that lists five functions – Identify, Protect, Detect, Respond, and Recover.  They consist of various categories and sub-categories. Here, it must be noted that Appendix A is a knight in shining armor if utilized correctly while implementing this framework.

As per NIST, this framework guides the decision-makers to take the lead on cybersecurity activities and consider cybersecurity risks as a part of their organization’s overall risk management process. It is clear that NIST does not expect all the organizations to comply with all the contents of the framework. Instead, it expects that organizations will consider their business requirements and material risks before taking a well-informed and reasonable decision.

One of the most significant additions in version 1.1 of the NIST Cybersecurity Framework is a section titled “Self-assessing Cybersecurity Risk with the Framework.” Under this section, the organizations are encouraged to perform either internal or external risk assessments using the framework. To lead this exercise, the individuals responsible must possess sufficient expertise so that they can inform the decision-makers of the organization’s existing risk profile, initiate vital discussions, and agree on a targeted risk profile. These activities must drive an organization’s adoption, implementation, and execution of a remediation plan for addressing the gaps between what an organization has and what it needs to improve its security posture.

Cybersecurity Process

The process diagram given below illustrates how the NIST Cybersecurity Framework is implemented as a cybersecurity process.