NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) developed a framework for improving critical infrastructure cybersecurity known as the NIST Cybersecurity Framework. It is a model used by organizations to assess and improve their capability to prevent, detect, and respond to cyber threats and incidents [1]. The framework is designed to help businesses and IT professionals accurately identify, adequately protect and detect, and efficiently and effectively respond to and recover from cyber threats and incidents. It is a guide from which businesses can learn the inner workings of their infrastructure, find weaknesses, and deploy solutions that harden those weaknesses.
What follows is a brief overview of the five core components of the NIST Cybersecurity Framework. Each function is individually defined and a real-world example of each is provided. Armed with an understanding of each of these core functions of the NIST framework, organizations and IT professionals can achieve a greater understanding of their infrastructure and achieve greater security through risk reduction and mitigation.
Identify
Asset management is a key component of the Identify function of the NIST Cybersecurity Framework. Asset management is not concerned with just hardware or software on a network. Rather, asset management includes data, stored onsite or in a remote location, systems and their functionality, capabilities of the infrastructure, and the roles and responsibilities of the employees who will interact with the infrastructure and data daily [1]. In practical terms, asset management covers all aspects of an organization – hardware, software, data, personnel, and more.
In addition to asset management, the Identify function is concerned with risk assessment, risk management strategies, business environment, and business governance. Each component of the Identify function is integral to developing a plan for protecting and defending an organization from cyber threats and incidents. Through the identification of assets, policies, and threats, organizations can address threats and improve infrastructure and employee awareness.
Protect
The Protect function of the NIST Cybersecurity Framework is concerned with identifying protections already in place for critical infrastructure components. Several areas of focus within the Protect function include access control, awareness and training, data security, maintenance, and protective technology [2]. Once these safeguards have been identified, it is then necessary to determine what safeguards are missing, improperly configured, or available but not implemented. Controlling access to data and systems is an important aspect, as is user awareness and training. These two components make up nearly a third of potential avenues of attack, whether they be accidental or malicious in nature.
To meet the goals of the Protect function, organizations must implement strict access controls, ensure appropriate processes and policies are in place to protect data, and maintain a baseline of networks and systems [1]. Each component bolsters all other components, providing organizations with the ability to limit or control the impact of cybersecurity incidents [3]. A weakness in one area could potentially create weaknesses in all other areas; therefore, it is important to apply policies and procedures effectively in all areas of the Protect function.
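The Identify function's asset inventory and the Protect function's "baseline of networks and systems" can be made concrete with a small drift check. The following is an added example, not code from the essay or from NIST: an approved baseline of assets (hardware, software, data, each with a responsible owner and its approved services) is compared against what a scan actually observed, and unknown systems, missing systems, unexpected services, and assets with no assigned owner are reported. All hostnames, owners, and services are constructed.

```python
"""Asset inventory baseline check (added example; hosts and owners are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str            # hostname or system name
    kind: str            # "hardware", "software" or "data"
    owner: str           # role responsible for the asset; "" if nobody has been assigned
    location: str        # "onsite" or "remote"
    services: frozenset  # listening services approved (baseline) or seen (scan)


# Approved baseline, as the Identify function would record it (constructed).
BASELINE = [
    Asset("web-01", "hardware", "Web Team", "onsite", frozenset({"https"})),
    Asset("db-01", "hardware", "DBA", "onsite", frozenset({"postgres"})),
    Asset("db-02", "hardware", "DBA", "onsite", frozenset({"postgres"})),
    Asset("hr-records", "data", "", "remote", frozenset()),  # no owner assigned
]

# What a periodic scan actually observed (constructed).
OBSERVED = [
    Asset("web-01", "hardware", "Web Team", "onsite", frozenset({"https", "ssh"})),
    Asset("db-01", "hardware", "DBA", "onsite", frozenset({"postgres"})),
    Asset("hr-records", "data", "", "remote", frozenset()),
    Asset("lab-box", "hardware", "", "onsite", frozenset({"ssh"})),  # not in baseline
]


def compare_to_baseline(baseline, observed):
    """Return drift between the approved baseline and an observed scan.

    unknown:             systems seen on the network but absent from the baseline
    missing:             baseline systems that were not seen (decommissioned? down?)
    unexpected_services: services listening that the baseline does not approve
    unowned:             baseline assets with no responsible role assigned
    """
    base_by_name = {a.name: a for a in baseline}
    obs_by_name = {a.name: a for a in observed}

    unknown = sorted(set(obs_by_name) - set(base_by_name))
    missing = sorted(set(base_by_name) - set(obs_by_name))

    unexpected = {}
    for name in set(base_by_name) & set(obs_by_name):
        extra = obs_by_name[name].services - base_by_name[name].services
        if extra:
            unexpected[name] = sorted(extra)

    unowned = sorted(a.name for a in baseline if not a.owner)

    return {
        "unknown": unknown,
        "missing": missing,
        "unexpected_services": unexpected,
        "unowned": unowned,
    }


if __name__ == "__main__":
    for key, value in compare_to_baseline(BASELINE, OBSERVED).items():
        print(f"{key}: {value}")
```

Each finding maps back to a framework activity: unknown hosts and unexpected services go to the Protect and Detect teams, missing hosts prompt an inventory update, and unowned assets are an Identify gap, since nobody can be paged about an asset with no owner.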
Detect
Knowing an organization’s infrastructure, processes, and assets as well as understanding what safeguards to deploy is just the start of having a secure posture. However, detecting cybersecurity incidents is equally important as it enables organizations to discover incidents in progress and respond to them much more quickly. The Detect function of the NIST Cybersecurity Framework defines the techniques used to identify incidents, both during and after their occurrence [3]. Continuous monitoring of applications, systems, network traffic, and user activity is important to detecting security incidents long before their impact becomes critical.
Additionally, hardware and software monitoring tools will aid the organization in identifying events and anomalies as they occur in real time. This data will aid the organization in increasing its security posture, including taking steps to rectify problematic processes and systems that have or create vulnerabilities. Continuously monitoring systems and all critical components of an organization’s infrastructure is very effective in reducing or eliminating cybersecurity risk [1]. Furthermore, detecting cybersecurity events improves the security posture of an organization and helps the information technology team better align their tasks with those of the business.
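Continuous monitoring of user activity, as the Detect function describes it, is at its simplest a rule run over an authentication log as events arrive. The example below is added here and is not from the essay or from NIST: it parses a constructed SSH-style log, keeps a sliding window of failed logins per source address, raises an alert when the failures within the window cross a threshold, and raises a second, higher-priority alert if a successful login follows such a burst. The log format, addresses, and usernames are all constructed.

```python
"""Sliding-window failed-login detection (added example; log lines are constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, sshd tag, outcome, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

SAMPLE_LOG = """\
2018-06-01T09:00:01 sshd[101]: Failed password for alice from 198.51.100.7
2018-06-01T09:00:03 sshd[102]: Failed password for alice from 198.51.100.7
2018-06-01T09:00:05 sshd[103]: Failed password for root from 198.51.100.7
2018-06-01T09:00:07 sshd[104]: Failed password for admin from 198.51.100.7
2018-06-01T09:00:09 sshd[105]: Accepted password for bob from 203.0.113.5
2018-06-01T09:00:10 sshd[106]: Failed password for alice from 198.51.100.7
2018-06-01T09:00:12 sshd[107]: Accepted password for alice from 198.51.100.7
2018-06-01T09:05:00 sshd[108]: Failed password for carol from 192.0.2.9
2018-06-01T09:09:30 sshd[109]: Failed password for carol from 192.0.2.9
"""


def parse(line):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return a list of (alert_type, source, user, timestamp) tuples.

    A source is flagged when it produces `threshold` or more failures within
    `window`; the flag is dropped once old failures age out of the window.
    A successful login from a flagged source is reported separately, because
    it is the case that most needs a human to look at it.
    """
    recent = defaultdict(deque)  # source -> timestamps of failures in the window
    flagged = set()              # sources currently over the threshold
    alerts = []

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = recent[src]

        # Age out failures that fall outside the sliding window.
        while q and ts - q[0] > window:
            q.popleft()

        if ev["outcome"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("password-guessing", src, ev["user"], ts))
            elif len(q) < threshold:
                flagged.discard(src)
        else:  # Accepted
            if src in flagged:
                alerts.append(("success-after-burst", src, ev["user"], ts))

    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample, the two isolated failures from 192.0.2.9 are more than a minute apart and never alert, while the five failures from 198.51.100.7 within ten seconds do, and the success that follows them is escalated. The threshold and window are the tuning knobs the monitoring team adjusts against the baseline of normal activity.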
Respond
Putting in place adequate protection safeguards and effective detection systems will reduce the impact of cybersecurity events. However, cybersecurity events can and will happen as it is virtually impossible to avoid them. With regard to events that will occur, an organization must have a plan to respond to these events. The Respond function of the NIST Cybersecurity Framework is tasked with just that: the development of incident response plans, communication methods, incident analysis, and mitigation improvements [2]. An incident response plan is the first step in attending to and resolving cybersecurity incidents. Within the incident response plan, communication requirements are provided, specifically who needs to be alerted to the incident, what department they are in, and what role they may have in the incident response plan.
The incident response plan should have a prioritized list of action items with details of who is to perform said actions, where to place the results of said action (if it is a deliverable action item), and how to collect, store, and analyze results of an action item [1]. The analysis will aid an organization in improving mitigation strategies as well as other improvements, for example, updating or removing software and hardware, reconfiguring systems, or changing user access control policies. The Respond function is very important to business continuity as it governs the actions an organization takes to respond to a cybersecurity incident and begin the recovery process, discussed below.
Recover
The Recover function of the NIST Cybersecurity Framework is the fifth and final core function. If an organization has identified what assets and processes need protection, has put detection systems in place, and has a response plan for when a cybersecurity incident occurs, it is in great shape. However, organizations must also develop a recovery plan so the business can return to normal operations in a timely and efficient manner [3]. Even a minor incident can impair critical business functions and, unless a recovery plan is in place, those business functions may remain out of order for an indeterminate amount of time.
The purpose of a recovery plan is to return the business to normal operating conditions as quickly and effectively as possible. The plan details the roles and responsibilities of the recovery team, complete with a detailed and prioritized plan for recovering critical systems first. It is not possible to prioritize recovery without a comprehensive plan, which requires proper identification of the processes and assets that need protection, as defined in the Identify function of the NIST Cybersecurity Framework [1]. With a recovery plan in hand, organizations can swiftly and efficiently restore business continuity.
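"Recovering critical systems first" is harder than sorting by criticality, because a critical application cannot come back before the directory and database it depends on. The example below is added here and is not from the essay or from NIST: it takes a constructed inventory of systems, each with a criticality tier and its dependencies (the kind of information the Identify function produces), and computes a restoration order in which every system follows its dependencies and, among systems that are ready to restore, the most critical goes first. It also refuses to produce a plan if the dependencies contain a cycle, since such a plan could never be executed.

```python
"""Dependency-aware recovery ordering (added example; systems and tiers are constructed)."""
import heapq

# Constructed recovery inventory: name -> (criticality tier, dependencies).
# Tier 1 is the most critical.
RECOVERY_INVENTORY = {
    "directory":   (1, []),
    "database":    (1, ["storage"]),
    "storage":     (1, []),
    "payroll-app": (2, ["database", "directory"]),
    "intranet":    (3, ["directory"]),
    "web-shop":    (2, ["database", "directory"]),
    "reporting":   (3, ["database"]),
}


def recovery_order(inventory):
    """Return the order in which to restore systems.

    A system appears only after all of its dependencies; among systems whose
    dependencies are restored, the lowest tier (most critical) goes first and
    ties break alphabetically so the plan is reproducible. Raises ValueError
    for an unknown dependency or a dependency cycle.
    """
    for name, (_, deps) in inventory.items():
        for dep in deps:
            if dep not in inventory:
                raise ValueError(f"{name} depends on unknown system {dep}")

    # Kahn's algorithm with a priority queue instead of a plain FIFO queue.
    remaining = {name: len(deps) for name, (_, deps) in inventory.items()}
    dependents = {name: [] for name in inventory}
    for name, (_, deps) in inventory.items():
        for dep in deps:
            dependents[dep].append(name)

    ready = [(tier, name) for name, (tier, deps) in inventory.items() if not deps]
    heapq.heapify(ready)

    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            remaining[child] -= 1
            if remaining[child] == 0:
                heapq.heappush(ready, (inventory[child][0], child))

    if len(order) != len(inventory):
        raise ValueError("dependency cycle: the recovery plan cannot be ordered")
    return order


if __name__ == "__main__":
    for step, system in enumerate(recovery_order(RECOVERY_INVENTORY), start=1):
        print(f"{step}. restore {system}")
```

On the sample inventory the directory and storage come up first, then the database they unblock, then the two tier-2 applications, and the tier-3 systems last. The same function run against the real inventory is a quick way to check that the written plan's order is actually achievable.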
Conclusion
Although the NIST Cybersecurity Framework is deemed non-linear, it is important to consider that proper identification of the processes and assets that need protection should be performed first. Without proper identification, it is not possible to determine safeguards, detection methods, response processes, and recovery procedures. In fact, once identification has been completed, different teams can work independently on the other four core functions of the NIST Cybersecurity Framework, which will allow an organization to focus its cybersecurity efforts more quickly, protecting all critical assets necessary for business continuity.
Originally written June 2018 for Bryan’s Master of Cybersecurity degree through Purdue University
References
[1] Anderson, E. (2017). How to comply with the 5 functions of the NIST Cybersecurity Framework. Retrieved April 20, 2018 from https://www.secmatters.com/blog/how-to-comply-with-the-5-functions-of-the-nist-cybersecurity-framework
[2] NIST. (2018). Cybersecurity framework. Retrieved April 20, 2018 from https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
[3] US-CERT. (n.d.). Cybersecurity framework. Retrieved April 20, 2018 from https://www.us-cert.gov/ccubedvp/cybersecurity-framework