Just before lockdown it was reported that 46% of UK businesses had suffered cyber attacks in 2019, up 9% from 2018. Although businesses had plenty more to worry about in the intervening months with the COVID-19 pandemic, cybersecurity is still uppermost in the minds of many CEOs. One of the main ways in which businesses measure their preparedness in managing cyber-related security risks is to benchmark themselves against the Cybersecurity Framework developed by the NIST (National Institute of Standards and Technology, U.S. Department of Commerce). With cybersecurity threats growing exponentially, it has never been more important to put together an efficient cyber-risk management policy – the NIST Framework can help businesses do so.
What Is NIST?
Founded in 1901, the National Institute of Standards and Technology (NIST) is a non-regulatory US government agency responsible for driving innovation and competitiveness through technology and metrics.
NIST measurements support a range of technologies, "from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair, up to earthquake-resistant skyscrapers and global communication networks."
NIST also helps federal agencies meet the requirements of FISMA – The Federal Information Security Management Act, which relates to the protection of government information and operation assets against natural or man-made threats.
With industry stakeholders, NIST has also created the Cybersecurity Framework (sometimes referred to as the NIST Framework) to help businesses manage cybersecurity and reduce their cyber risk. The stakeholders are described as "U.S. private-sector owners and operators of critical infrastructure," while its user base includes "communities and organizations across the globe."
The Cybersecurity Framework
Created and ratified by the US Congress in 2014, the Cybersecurity Framework is used by over 30% of US organisations and was projected to reach 50% this year. Among those organisations are JP Morgan Chase, Microsoft, Boeing and Intel. Meanwhile, overseas organisations using the framework include the Bank of England, Nippon Telegraph and Telephone Corporation, and the Ontario Energy Board.
The aim of the framework is to:
- integrate industry standards and best practices to help organisations and businesses manage their cybersecurity risks;
- provide a common language that allows staff to develop a shared understanding of their cybersecurity risks;
- give guidance on how to reduce these risks;
- give advice on how to respond and recover from cybersecurity attacks and learn from those incidents.
Although voluntary and not intended to be an exhaustive checklist, the framework covers five critical areas of cybersecurity:
- Identify: looking at current data use and then evaluating and identifying risk;
- Protect: the elements that help protect a business;
- Detect: being aware of problems as they happen;
- Respond: the bases needing to be covered to make an adequate response to a problem;
- Recover: the steps needed to make an effective recovery of lost data.
All of these elements make up the "Core" element of the framework, represented in a simplified form (without subcategories) here:
The Core's role is to highlight desired cybersecurity outcomes and show how to manage risks in a way that complements existing processes.
The framework then directs the user to Implementation Tiers – these help organisations decide on the rigour of their cybersecurity measures. It's very much up to the individual organisation to decide what is appropriate, within existing guidelines of course, such as GDPR in Europe.
NIST outlines the Tiers as follows:
- Tier 1: Partial – cybersecurity practices are adequate for the cybersecurity risks experienced.
- Tier 2: Risk-Informed – the company/organisation is aware of some risks and is planning how to respond to them.
- Tier 3: Repeatable – the company/organisation has clearly defined and regularly repeatable cybersecurity processes.
- Tier 4: Adaptive – the company/organisation is proactively instigating cybersecurity measures.
Finally, NIST’s CFS results in Framework Profiles, used to prioritise what actions are taken.
The NIST website describes the profile as "an organization's unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core."
NIST advises contrasting a "current" and a "target" profile to identify ways of improving cybersecurity. Though emphasising the voluntary status of the framework, and that there is "no 'right' or 'wrong' way to do it," it is suggested to use the subcategories of the Core to arrive at these profiles.
Here's an example, from NIST's website, of some of the subcategories that jump off from the Core:
The 2018 Cybersecurity Framework Update
Four years after it was created, NIST's Cybersecurity Framework was updated in 2018, based on feedback from the public.
Version 1.1 included updates on:
- authentication and identity;
- self-assessing cybersecurity risk;
- managing cybersecurity within the supply chain;
- vulnerability disclosure.
Commenting on the changes, the CSF's Program Manager, Matt Barrett, said: "This update refines, clarifies and enhances Version 1.0. It is still flexible to meet an individual organization's business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things."
If you want to see what kinds of issues might shape future versions of the framework, you can visit CSF's "Roadmap" page.
Meanwhile, you can also view an up-to-date timeline of CSF news.
UK Equivalents of the Cybersecurity Framework
While other countries have directly incorporated the CSF into their legislation, the UK has not officially done so. Instead, there are a number of pieces of legislation that replicate the aims of the CSF. Although these are not directly aimed at, for example, SMEs and startups, they contain examples of best practice similar to the NIST guidelines that are universally useful in building a risk management strategy.
The existing legislation includes:
- The Minimum Cyber Security Standard (MCSS). Published in June 2018 and applicable to UK government departments, the MCSS is very close to the CSF.
- Health and safety executive (HSE) operational guidance on Industrial Automation and Control Systems (IACS). Published in 2017 and aimed at preventing accidents resulting from cybersecurity breaches, this legislation primarily impacts electricity providers and distributors and businesses involved in the manufacture, use or storage of hazardous and explosive chemicals and microbiological substances.
- Networks and Information Systems (NIS) directive. Introduced by the EU in July of 2016 for countries to benchmark against, the NIS Directive is aimed at critical infrastructure such as businesses within the sectors of oil, gas, energy, transportation, banking, water, food and telecommunications, and also companies providing an online service or platform, such as cloud computing or search facilities.
This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things and more.
Julian Hall is a freelance journalist and copywriter, Textual Healing.