The NIST Cybersecurity Framework consists of standards, guidelines and best practices to manage cybersecurity-related risk. The Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. We spoke with Amy Mahn, an international policy specialist in the NIST Applied Cybersecurity Division, about the Framework, who can use it and how it's evolving.
AVM: The Framework for Improving Critical Infrastructure Cybersecurity, or the Cybersecurity Framework as many of us refer to it, is voluntary guidance for organizations to better manage and reduce their cybersecurity risk. NIST developed the Framework at the direction of the White House with the active participation of industry, academia and multiple levels of government. It’s designed to be a “common language” that spans the entirety of cybersecurity risk management and that can be easily understood by people with all levels of cybersecurity expertise. Five functions comprise the core of the Framework: Identify, Protect, Detect, Respond and Recover. Under these overarching functions, the Framework provides a catalog of cybersecurity outcomes based on existing standards, guidelines and practices that organizations can customize to better manage and reduce their cybersecurity risk.
Although we designed the Framework specifically for companies that are part of the U.S. critical infrastructure, many other organizations in the private and public sectors are using and gaining value from the approach. A 2017 Executive Order requires federal agencies to use it, but the Cybersecurity Framework remains voluntary for industry. Twenty-one states are using it, and we have also seen an increase in the use and adaptation of the Framework internationally.
AVM: NIST encourages all organizations—for-profit businesses, not-for-profit organizations and government agencies—to review and consider using the Framework to understand and manage their cybersecurity risk. Because NIST and our collaborators designed the Framework to be flexible enough to be adopted by 16 disparate U.S. critical infrastructure sectors, e.g. utilities, financial services, agriculture, health care, etc., we ended up creating something that is applicable to all types of businesses, including smaller organizations with fewer IT resources, regardless of the state of their current cybersecurity practices. It offers a common and understandable language that all can use to communicate their cybersecurity risks and expectations to suppliers and customers alike. The Framework is risk-based, so it allows organizations to determine the appropriate level of cybersecurity for their individual risk environment, requirements and business objectives. The Cybersecurity Framework is easily paired with the many excellent standards and practices that already exist, allowing users to take advantage of what’s working now and what will emerge over time. It’s also valuable as a living document because this voluntary risk management tool can evolve faster than regulation and legislation in the face of quickly changing technology and threats. NIST updates the Framework based on regular input from stakeholders as we learn from their customized implementations.
I’d like to emphasize that every organization faces its own set of cybersecurity challenges, and it’s not an issue that just larger companies need to address. There is a great risk to small- and medium-sized businesses as well as the larger supply chain upon which the U.S. relies for its economy and national security. We encourage all businesses to consider using the Framework and adapt it in ways that support their cybersecurity and maximize their business value.
AVM: The Framework is guidance that is meant to be adapted to varying sectors, organizations, requirements and technologies. It should be customized by different sectors and individual organizations to best suit their risks, situations and needs. Organizations will continue to have unique risks—different threats, different vulnerabilities, different risk tolerances—and how they implement the practices in the Framework to achieve positive outcomes will vary. The Framework should not be implemented as an un-customized checklist or a one-size-fits-all solution.
AVM: We recognize that smaller businesses, especially those with few IT resources, can have special challenges assessing cybersecurity risks and implementing risk management measures.
The tiered structure of the Cybersecurity Framework holds the key to applying it in a small business setting. Often the extended Cybersecurity Framework catalog of outcomes is too detailed for the initial efforts of small businesses. If so, businesses will find value in reflecting on the five functions and their corresponding outcomes. The functions—Identify, Protect, Detect, Respond, and Recover—remind us of how important it is to balance proactive safeguards while preparing for worst-case scenarios. This balance is especially important in small business settings where a worst-case incident could drastically affect the solvency of a business.
Generally, NIST has always placed emphasis on meeting the cybersecurity needs of small businesses by providing guidance through various publications, meetings and events. Materials and an associated program description are available at the Computer Security Resource Center.
One particularly useful resource for better understanding cybersecurity activities from a small business perspective is Small Business Information Security: The Fundamentals (NISTIR 7621 Rev. 1). We recommend this guide, which is organized according to the five Framework functions, as a starter kit for small businesses.
We anticipate developing even more resources to help small- and medium-sized businesses within the coming year. The president signed the NIST Small Business Cybersecurity Act in early August 2018, which requires the director of NIST, within one year, to issue guidance and a consistent set of resources to help small- and medium-sized businesses identify, assess and reduce their cybersecurity risks. NIST will be producing more accessible information and resources, and amplifying awareness of helpful resources produced by others that will be handy for these smaller organizations as they address cybersecurity risks and explore implementing the Framework.
AVM: We just released our first update, Framework version 1.1, in April of this year. This version includes language and features that stakeholders identified as important, including supply chain risk management, coordinated vulnerability disclosure, and authentication and identity proofing. There’s a new section on the relevance and utility of the Framework for organizational self-assessment, and we’re also updating the Framework’s Informative References to reflect the advancement of standards and guidelines by private and public-sector organizations. That said, Framework v1.1 is still fully compatible with the first version. When considering using the Framework, NIST recommends that organizations incorporate the additional content and functionality of v1.1 based on the needs of the individual organization.
We will continue to refine and improve the Framework over time to keep pace with the evolution of technology and threats, integrate lessons learned, and establish best practices as common practices. As part of that process, we will ask our stakeholders every three years whether it’s time to consider an update and what they would like to see in that update. But because we recognize that cybersecurity threats and the general risk landscape change quickly, our decisions about the timing of updates will also be based on user experiences, technological advances and standards innovations.
AVM: We always appreciate a chance to highlight the increased work we have been doing at NIST on seeking greater international alignment of the Framework and where we’re headed in this area.
And if we can ask you for a bonus question … another favorite one that we often hear is “Where can I go for more information on the Framework?” To learn more about the updates in Framework v1.1, our recent international efforts, and everything else related to the Framework, please visit our website. You can also find links to the international translations and adaptations mentioned earlier as well as others on our international resources page.
We also encourage collaboration at the NIST Cybersecurity Risk Management Conference (#NISTCRM2018) taking place in Baltimore, Maryland, on Nov. 7-9, 2018. This newly expanded conference is a continuation of the annual Cybersecurity Framework workshops from past years, with the addition of topics associated with NIST projects such as the Risk Management Framework, Supply Chain Risk Management, and Privacy. More information, including the latest version of the agenda and instructions for registration can be found here.
We hope to see you there!
Somewhere, I saw a graph which mirrored the NIST framework in conjunction with a fighter pilot's response during an attack. I believed it to be on NIST, OWASP, or the CyberDefenseMatrix. I believed it to be Identify, Protect, Detect, Respond and Recover, and I can't find it anywhere. Would you know what I'm referring to, and could you help me find that again?
Thank You! Sheila Berndt
Are you referring to the OODA Loop? The OODA loop is the cycle Observe–Orient–Decide–Act, which was developed and taught by United States Air Force Colonel John Boyd.