What Is the NIST Cybersecurity Framework (CSF)?

What is the NIST CSF? The NIST (National Institute of Standards and Technology) CSF (Cybersecurity Framework) is a set of standards, guidelines, and best practices that organizations can use to manage cybersecurity risk. NIST is part of the U.S. Department of Commerce and is chartered to help organizations reduce their cybersecurity risk.

What Is the National Institute of Standards and Technology (NIST)?

The National Institute of Standards and Technology, or NIST, is the federal government’s central technology and security standards authority. It was founded in 1901 as the Bureau of Standards, a national agency for weights, measures, and scientific standards. In 1988, the agency adopted the NIST name to reflect its evolving mission as an agency geared toward technological and scientific advancement.

In modern government operations, the NIST mission mandates that it cover several critical areas of technology. These areas include standards and requirements that federal agencies and contractors must meet, as set out in the NIST Special Publication series, which is freely available through the NIST website.

Some important areas that NIST covers include: 

  • Federal Cybersecurity: As federal agencies adopt new technologies, the demand to protect sensitive information is paramount. Additionally, the Federal Information Security Modernization Act of 2014 outlines strict technical and risk-based security requirements that agencies and their partners must meet.

    These requirements are researched, created, maintained, and updated or retired by NIST as part of its Special Publication series, specifically the NIST SP 800 series, and the Federal Information Processing Standards (FIPS) documentation. Executive Order 14028 and subsequent memorandums spell out zero trust as a mandate across federal agencies.

  • Federal Cloud Service Provision: Alongside the day-to-day technologies that most agencies use, more agencies and contractors use cloud or managed services to handle data processing. To support such partnerships, NIST has also developed particular standards to regulate the use of cloud computing in federal contexts.

  • Maturity: Some areas, like cloud management and technology deployment in the defense sector, have been arranged into maturity levels where different organizations can meet different maturity levels depending on their requirements, stakeholders, and constituents.

  • Cryptography: Cryptography is a central part of most security standards, and through FIPS publications, NIST sets the minimum requirements for encryption.

  • Identity and Access Management: As part of the NIST SP 800 series, the organization sets standards for the proper use of authentication technologies (Authenticator Assurance Levels) and identity verification (Identity Assurance Levels), otherwise known as identity and access management.

  • Risk: With the increasing complexity and sophistication of modern cybersecurity threats, NIST is working hard to push compliance standards toward a risk-informed model where knowledge of vulnerabilities and systems supplants checklist approaches to security. This results in an integrated risk management approach.

As such, NIST standards inform some effective national regulations, including:

  • FISMA: Every federal agency must meet FISMA standards for security, which includes implementing technical security controls as well as security policies and procedures. These standards derive explicitly from NIST publications such as NIST Special Publication 800-53, NIST SP 800-18, FIPS 200, and FIPS 140 (among many others).

  • FedRAMP: Any cloud service provider answering an RFP from a federal agency must meet minimum requirements under FedRAMP, which is organized into impact levels defined by FIPS 199 and NIST SP 800-60. FedRAMP draws its security controls from NIST SP 800-53 and NIST SP 800-53B.

  • CMMC: The Cybersecurity Maturity Model Certification (CMMC) is a maturity-based model for handling Controlled Unclassified Information (CUI) in the defense sector. This standard aligns with NIST SP 800-171 and NIST SP 800-172.

  • HIPAA: HIPAA (Health Insurance Portability and Accountability Act) isn’t technically a federal security standard in the same way as FISMA or FedRAMP. It governs healthcare providers and partners, but it’s managed and run by the Department of Health and Human Services (HHS).

    The standard is open-ended to promote flexibility, and concrete suggestions for implementing guidelines under the HIPAA Security Rule are found in NIST SP 800-66.

  • Risk Management: Risk isn’t a catch-all requirement for agencies, but assessing risk is a smaller part of almost any regulation, and its importance is only increasing. The NIST Risk Management Framework (RMF) guides security risk management and compliance as detailed in several publications, namely SP 800-37 and SP 800-39.

What Is the NIST Cybersecurity Framework?

Outside of federal and defense work, NIST standards aren’t mandatory. Furthermore, having a library of publications doesn’t by itself help organizations understand the ins and outs of their cybersecurity posture.

Thus, the Cybersecurity Framework (CSF) is a bigger-picture approach to cybersecurity that helps organizations inside and outside the government take control of their security more comprehensively. This means understanding potential risks, integrating risk assessment as an organization-wide procedure, and reducing threats to their infrastructure. 

The NIST CSF Core

At the heart of the CSF is the “core,” or a set of five priorities around which all concerns revolve. These include:

  • Identify: An organization should be able to identify, inventory, and categorize all its relevant content assets as well as systems. This includes software, hardware, networks, data, users, and any unique systems or third-party services.

    Additionally, an organization must identify key roles and responsibilities related to cybersecurity and how they play a role in policies, procedures, and decision-making.

  • Protect: Organizations should implement security safeguards around inventoried (identified) content assets and systems. This includes implementing identity and access management (IAM), protecting data to ensure its integrity and confidentiality (for example, through encryption), establishing access controls down to the folder and file level that reflect individual user roles and privileges, and developing policies around training, equipment upgrades and patching, and governance.

  • Detect: Protection is critical, but detection is just as important. Secure systems should implement automated auditing and logging measures, continuous monitoring technologies (including scans of all physical and digital networks), and ongoing detection of security anomalies.

  • Respond: Once an issue is discovered, the system and responsible parties need to snap into action to respond to it. This means that as soon as anomalies are detected, mitigation efforts are underway. These can consist of deploying countermeasures and closing off vulnerabilities, assessing the issue, and making changes to the system based on that assessment.

  • Recover: Any organization must be able to recover from a security anomaly rapidly and securely. “Recovery” means restoring any systems that were taken offline, guaranteeing the security of affected systems, implementing post-incident improvements, and communicating issues and recovery requirements to relevant stakeholders inside and outside the organization.

How Does My Organization Implement the Cybersecurity Framework?

The advantage of the NIST CSF is that it gives you a way to take control of your security posture. In that way, implementing it isn’t an incredibly technical endeavor. Rather, it’s about taking stock of where your organization is and where it needs to be. 

With that in mind, some steps you can take include:

  • Understand NIST Requirements: You don’t need an encyclopedic knowledge of NIST standards; that’s what security experts are for. Instead, you need a basic understanding of modern security, from IAM to encryption and risk assessment.

  • Audit Company Resources: Get comfortable inventorying your systems and people. Have clearly defined and updated org charts, data flowcharts, and catalogs of hardware used in the organization, from servers and workstations to tablets and routers.

  • Implement Secure File Management and Communication Standards: Use content management and secure file sharing platforms that can meet your security needs. You don’t need to reinvent the wheel in terms of implementing technology. Simply work with a provider that can meet your operational and regulatory compliance.

  • Shift to a Risk-based Compliance Profile: Forget the idea that you can work from a checklist to implement reasonable security. By developing risk assessment and management practices, many CSF expectations (identifying assets, monitoring, etc.) follow naturally.

  • Maintain Regular Audits: You should always have auditing and continuous monitoring to cover user, system, and file access events. These are crucial for data compliance in any industry and are essential to protecting IT systems, responding to anomalies, and recovering from attacks.

Kiteworks Private Content Network and NIST CSF

The heart of the CSF is a base level of data security for stored information and data in transit. This requires a cybersecurity risk management approach focused on ensuring that sensitive information is managed by administrative, technical, and physical safeguards to maintain its integrity and confidentiality. Many IT, security, and compliance leaders today plan their risk management roadmaps and communicate to their boards through the lens of NIST CSF. 

The Kiteworks Private Content Network enables organizations to apply NIST CSF principles to the containers of content, such as folders, files, and email. This includes setting global policies such as disabling the transfer of sensitive content to and from certain domains and countries (geofencing). The email policy engine in Kiteworks takes Microsoft MIP sensitivity levels like “public,” “confidential,” or “secret” into account. 

Leveraging the above access controls, Kiteworks empowers organizations to enforce data protection policies on everything from groups of content down to individual files in the Kiteworks platform. This plays an important role in their broader cybersecurity risk management strategy, including the ability to manage third-party risk (TPRM). Kiteworks risk management governance also extends to regulatory compliance requirements such as the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and Payment Card Industry Data Security Standard (PCI DSS), among others.

For more on the Kiteworks Private Content Network and NIST CSF, book a custom demo today.

This is a Security Bloggers Network syndicated blog from Cyber Security on Security Boulevard Archives - Kiteworks, authored by Bob Ertl. Read the original post at: https://www.kiteworks.com/regulatory-compliance/nist-cybersecurity-framework/

Bob Ertl

Bob Ertl is Senior Director of Industry Solutions at Accellion. He is responsible for product marketing at Accellion. With over 20 years of product management / product marketing experience, he specializes in delivering software innovations that transform the effectiveness of business teams. Prior to Accellion, he concentrated on business intelligence and data warehousing at Oracle, Hyperion, Brio and several start-ups, as both a consultant and product vendor, across a variety of vertical industries. Bob holds a Bachelor’s degree in Electrical and Computer Engineering from the University of Wisconsin-Madison.
