Designed by the National Institute of Standards and Technology (NIST), this framework addresses the lack of common cybersecurity standards and provides consistent rules, guidelines, and standards for organizations across all industries. The NIST Cybersecurity Framework (NIST CSF) is widely regarded as the gold standard for building a cybersecurity program. Whether you're just starting to implement a cybersecurity program or are already running a fairly mature one, the framework adds value by acting as a security management tool that helps assess cybersecurity risks across the enterprise. The depth and breadth of guidance contained in NIST framework documents make them an excellent resource for federal agencies and for organizations that work with the U.S. federal government. However, any organization outside the scope of FISMA compliance can also turn to NIST guidance to model its own compliance programs and security baselines. If your organization is looking for an in-depth investigation into how best practices can be applied through compliance and regulatory frameworks, you are well advised to review the NIST framework documents. In addition to the informative references at the core of the framework, NIST also maintains an online database of informative references. [13] The informative references show the relationships between the framework's functions, categories and subcategories and specific sections of the standards, guidelines and best practices common to framework stakeholders.
Informative references illustrate concrete means of achieving the outcomes the framework describes. Version 1.0 was released in 2014 by the U.S. National Institute of Standards and Technology and was originally aimed at critical infrastructure operators. In 2017, a draft of version 1.1 was released for public comment. Version 1.1 was announced and made public on April 16, 2018, and remains compatible with version 1.0. When information security specialists refer colloquially to "NIST frameworks", they are usually referring to three specific NIST documents on cybersecurity best practices: NIST 800-53, NIST 800-171, and the NIST Cybersecurity Framework. Two of these three documents specify the controls required for U.S. federal agencies or organizations that handle U.S. federal government data, but all three contain best practices that are useful to any security organization as a basis for its own security operations. The goal of the framework is to help you prioritize cybersecurity investments and decisions. It also helps you reflect on the maturity of your program and provides a structure for conversations with stakeholders, including senior management and the board of directors. The framework leads you to think about "maturity levels" for each of its functional areas. In NIST parlance, these are called "Implementation Tiers" to avoid confusion with CMMI maturity levels. We recommend that you start aligning your cybersecurity program with the framework by focusing on Identify. The following figure illustrates the relationship between Identify and the other cybersecurity functions.
The following are the functions and categories, along with their unique identifiers and definitions, as outlined in the framework document. [12] Adopting the framework means listing all of your security activities and tools and tagging each item with one of the five function labels. For example, the "Identify" label applies to tools that let you inventory your assets. Tools such as firewalls and CrowdStrike belong under Protect; depending on their capabilities, you will also list them under Detect alongside your IDS and SIEM. Your incident response tools and playbooks fall under Respond, and your backup and recovery tools under Recover. NIST's Framework for Improving Critical Infrastructure Cybersecurity takes a more general and holistic approach to security best practices than 800-53 and 800-171. It outlines the key concepts and processes to consider when designing a robust security practice, regardless of the type of organization implementing the guidelines.
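The tagging exercise above is easier to keep honest if it is done from a capability inventory rather than by hand, because a single tool (the EDR agent in the text's firewall/CrowdStrike example) often lands in more than one function. The script below is an added example, not code from NIST or from the framework document: it maps a constructed tool inventory onto the five CSF functions through a capability vocabulary that is entirely an assumption (the capability names are not NIST identifiers), lists tools under every function they serve, and reports functions with no coverage, which is the first thing to look at when prioritizing investment.

```python
"""Map a tool inventory onto the five NIST CSF functions and report coverage gaps."""

# The five Functions of the Framework Core, as named in the framework document.
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Assumed capability -> Function vocabulary. These capability names are
# illustrative, not NIST identifiers; replace them with your own tooling terms.
CAPABILITY_TO_FUNCTION = {
    "asset-inventory": "Identify",
    "risk-assessment": "Identify",
    "network-filtering": "Protect",
    "endpoint-prevention": "Protect",
    "endpoint-telemetry": "Detect",
    "intrusion-detection": "Detect",
    "log-correlation": "Detect",
    "incident-playbooks": "Respond",
    "case-management": "Respond",
    "backup": "Recover",
    "restore-testing": "Recover",
}

# Constructed sample inventory: (tool name, capabilities it provides).
# Deliberately leaves Respond uncovered so the gap report has something to show.
SAMPLE_INVENTORY = [
    ("CMDB", ["asset-inventory"]),
    ("Perimeter firewall", ["network-filtering"]),
    ("EDR agent", ["endpoint-prevention", "endpoint-telemetry"]),
    ("SIEM", ["log-correlation"]),
    ("Backup appliance", ["backup"]),
]


def map_inventory(inventory, capability_map=CAPABILITY_TO_FUNCTION):
    """Return ({function: sorted tool names}, [(tool, unknown capability), ...]).

    A tool whose capabilities span several Functions is listed under each of
    them, matching how the framework expects multi-purpose tools to be tagged.
    Capabilities missing from the vocabulary are reported rather than dropped.
    """
    coverage = {fn: set() for fn in CSF_FUNCTIONS}
    unknown = []
    for tool, capabilities in inventory:
        for cap in capabilities:
            fn = capability_map.get(cap)
            if fn is None:
                unknown.append((tool, cap))
                continue
            coverage[fn].add(tool)
    return {fn: sorted(tools) for fn, tools in coverage.items()}, unknown


def coverage_gaps(coverage):
    """Functions with no tool mapped to them, in framework order."""
    return [fn for fn in CSF_FUNCTIONS if not coverage[fn]]


def report(inventory):
    """Human-readable coverage table plus any unmapped capabilities."""
    coverage, unknown = map_inventory(inventory)
    lines = [f"{fn:8s}: {', '.join(coverage[fn]) or '(no coverage)'}"
             for fn in CSF_FUNCTIONS]
    lines += [f"unmapped capability {cap!r} on {tool}" for tool, cap in unknown]
    gaps = coverage_gaps(coverage)
    lines.append("gaps: " + (", ".join(gaps) if gaps else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

Run as-is, the report lists the EDR agent under both Protect and Detect and flags Respond as the one function with no coverage. Extending the capability vocabulary to the category level (e.g. the framework's category identifiers) is the natural next step once the function-level picture is agreed with stakeholders.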