How to Choose the Right Cybersecurity Framework

Cybersecurity frameworks can help reduce your risk of supply chain attacks and increase your competitive advantage.

Lewis Huynh, Chief Security Officer, NinjaRMM

March 15, 2021

5 Min Read

The dramatic rise in ransomware attacks and the SolarWinds Orion hack have thrust cybersecurity back into the spotlight. With everyone a target, it's time for organizations to implement cybersecurity frameworks like those provided by the National Institute of Standards and Technology (NIST), which can help you set a bar for measuring your cybersecurity effectiveness.

Taking Your First Steps
Start by setting goals for your cybersecurity program that align with the business's needs. Stakeholders from across the organization — from the C-suite and upper management to support teams and IT — should be involved in the initial risk-assessment process and setting a risk-tolerance level.

While deciding where to start your implementation can feel like trying to boil the ocean, one way to make it less intimidating is to run a pilot program focused on a single department. This can help uncover lessons about what does and doesn't work, what tools will help you succeed, and best practices for a wider rollout.

From there, identify the type of data the organization processes and map out its life cycle. A simple model will help lay a foundation for understanding the organization's cybersecurity risk and identify points along the supply chain to invest more time and resources. Business tools and software are often important sources and collectors of data, so ask vendors about their data privacy policies to ensure they reflect your goals.

With a basic understanding of the goals, project scope, and current data privacy and life-cycle processes, it will be much easier to select a cybersecurity framework.

Picking the Right Security Framework
A good cybersecurity framework will help you identify risks, protect company assets (including customer data), and put steps in place to detect, respond, and recover from a cybersecurity event. There are many frameworks, but the following three stand out as especially relevant to the types of attacks, like ransomware and supply chain attacks, that are accelerating in use.

NIST Cybersecurity Framework (CSF Rev 1.1)
The NIST Cybersecurity Framework (NIST CSF) was developed in 2014 for private sector critical infrastructure like utilities, water supply, telecommunications, financial services, and healthcare. As a voluntary set of guidelines that outlines a series of policies and controls, the framework guides cybersecurity activities through a lens of aligning risk management with business needs.

The NIST CSF consists of three parts: the Core, the Implementation Tiers, and the Framework Profiles, and it was designed so that any organization can apply the principles and best practices. The framework is widely recognized as a definitive set of security best practices.

The NIST CSF is not one-size-fits-all, and it offers versatility by dividing the Core into five functions: Identify, Protect, Detect, Respond, and Recover. With the NIST 800-171 framework as part of its structure, organizations can focus on implementing the NIST CSF controls that are critical to service delivery now and make plans for implementing other controls as requirements arise. Ultimately, even if an organization deploys a partial set of the NIST CSF's controls, it still reduces cybersecurity risk while increasing management efficacy.

NIST 800-53 (Rev. 5)
The NIST 800-53 framework originated in 2005 and applies to all federal information systems per the Federal Information Processing Standard 200 (FIPS 200) cybersecurity requirements. However, the framework does not apply to National Security Systems (NSS), which rely on an even higher standard for determining a high-water mark (HWM) on the potential impact of security incidents. Now in its fifth revision, the framework outlines a series of security and privacy controls that cover aspects of policy, oversight, manual processes, and automated mechanisms implemented by systems or individuals and applicable to both the federal and private sector.

The controls are organized into 20 families, with each family relating to a specific topic like awareness and training, identification and authentication, or supply chain risk management. As it was originally designed for federal information systems, NIST 800-53 offers an incredibly robust set of standard controls for the collection, processing, storage, transfer, and protection of sensitive information. From providing step-by-step guidelines for developing cybersecurity literacy and awareness training programs to combat phishing, to securing servers and Web services to prevent external hackers, NIST 800-53 offers many easy and effective ways to improve cybersecurity.

Cybersecurity Maturity Model Certification & NIST 800-171 (Rev. 2)
In December 2020, the Department of Defense (DoD) officially introduced a new cybersecurity certification requirement for its contractors and subcontractors. The new Cybersecurity Maturity Model Certification (CMMC) consists of five levels, with each providing specific controls and policies for the secure handling of federal data by private sector information systems. CMMC was purposefully designed to protect the DoD against supply chain attacks that could disrupt military and defense operations. By October 2025, all DoD contracts will require some level of CMMC accreditation.

As a guideline for private sector organizations handling federal information and data, the CMMC is a prescriptive cybersecurity framework with step-by-step instructions for implementation with the aim of increasing security, reducing risks, and furthering security management. Using this framework can also be a competitive advantage for businesses. Similar frameworks are likely to be implemented across other federal departments and raise new requirements for contractors and subcontractors. As enterprise customers increase their specific data protection and privacy requirements, a CMMC certification can open many new doors.

Cybersecurity Is a Business Decision
Whether a business is just starting on its security journey or looking to improve the policies and procedures it has in place, investing in security is a long-term business decision. With security becoming an ever-growing focus for consumers and end users, cybersecurity frameworks can help simplify the transformation and set the organization up for success.

About the Author(s)

Lewis Huynh

Chief Security Officer, NinjaRMM

Lewis Huynh is a seasoned cybersecurity professional and technologist with decades of hands-on experience. From hacking PCs and learning machine learning languages at a young age to pioneering DevOps and cloud networks, Huynh has extensive knowledge of some of the most complex IT and security topics, with a particularly deep understanding of cybersecurity frameworks and their implementation. As Chief Security Officer at NinjaRMM, Huynh has spearheaded a transformation of the company's security operations and led the company to achieve SOC-2 certification. Huynh brings a multidisciplinary perspective to cybersecurity and has held leadership positions with Oracle, as well as with various startups and as a consultant.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights