By Julian Hall, Freelance Journalist and Copywriter, Textual Healing

A Guide to the NIST Cybersecurity Framework

With cybersecurity threats growing exponentially, it has never been more important to put together an efficient cyber-risk management policy, and NIST's framework can help.

Just before lockdown it was reported that 46% of UK businesses had suffered cyber attacks in 2019, up 9% from 2018. Although businesses had plenty more to worry about in the intervening months with the COVID-19 pandemic, cybersecurity is still uppermost in the minds of many CEOs. One of the main ways in which businesses measure their preparedness in managing cyber-related security risks is to benchmark themselves against the Cybersecurity Framework developed by the NIST (National Institute of Standards and Technology, U.S. Department of Commerce). With cybersecurity threats growing exponentially, it has never been more important to put together an efficient cyber-risk management policy – the NIST Framework can help businesses do so.

What Is NIST?
Founded in 1901, the National Institute of Standards and Technology (NIST) is a non-regulatory US government agency responsible for driving innovation and competitiveness through technology and metrics.

NIST measurements support a range of technologies, "from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair, up to earthquake-resistant skyscrapers and global communication networks."

NIST also helps federal agencies meet the requirements of FISMA – the Federal Information Security Management Act – which concerns the protection of government information and operational assets against natural or man-made threats.

With industry stakeholders, NIST has also created the Cybersecurity Framework (sometimes referred to as the NIST Framework) to help businesses manage cybersecurity and reduce their cyber risk. The stakeholders are described as "U.S. private-sector owners and operators of critical infrastructure," while its user base includes "communities and organizations across the globe."

The Cybersecurity Framework
Created and ratified by the US Congress in 2014, the Cybersecurity Framework is used by over 30% of US organisations and was projected to reach 50% this year. Among those organisations are JP Morgan Chase, Microsoft, Boeing and Intel. Meanwhile, overseas organisations using the framework include the Bank of England, Nippon Telegraph and Telephone Corporation, and the Ontario Energy Board.

The aim of the framework is to:

  • integrate industry standards and best practices to help organisations and businesses manage their cybersecurity risks;
  • provide a common language that allows staff to develop a shared understanding of their cybersecurity risks;
  • give guidance on how to reduce these risks;
  • give advice on how to respond to and recover from cybersecurity attacks, and learn from those incidents.

Although voluntary and not intended to be an exhaustive checklist, the framework covers five critical areas of cybersecurity:

  • Identify: looking at current data use and then evaluating and identifying risk;
  • Protect: the elements that help protect a business;
  • Detect: being aware of problems as they happen;
  • Respond: the bases needing to be covered to make an adequate response to a problem;
  • Recover: the steps needed to make an effective recovery of lost data.

All of these elements make up the "Core" element of the framework, represented in a simplified form (without subcategories) here:

The Core's role is to highlight desired cybersecurity outcomes and show how to manage risks in a way that complements existing processes.

The framework then directs the user to Implementation Tiers – these help organisations decide on the rigour of their cybersecurity measures. It's very much up to the individual organisation to decide what is appropriate, within existing guidelines of course, such as GDPR in Europe.

NIST outlines the Tiers as follows:

  • Tier 1: Partial – cybersecurity practices are adequate for the cybersecurity risks experienced.
  • Tier 2: Risk-Informed – the company/organisation is aware of some risks and is planning how to respond to them.
  • Tier 3: Repeatable – the company/organisation has clearly defined and regularly repeatable cybersecurity processes.
  • Tier 4: Adaptive – the company/organisation is proactively instigating cybersecurity measures.

Finally, NIST's CSF results in Framework Profiles, used to prioritise what actions are taken.

The NIST website describes the profile as "an organization's unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core."

NIST advises contrasting a "current" and a "target" profile to identify ways of improving cybersecurity. While emphasising the voluntary status of the framework, and that there is "no 'right' or 'wrong' way to do it," NIST suggests using the subcategories of the Core to arrive at these profiles.

Here's an example, from NIST's website, of some of the subcategories that jump off from the Core:

A case study of CSF implementation can be found here, as well as a list on the CSF's own site, here.
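As an added worked example (not NIST's or the article's own code), here is how the current-versus-target Profile comparison described above can be carried out over Core subcategories and turned into a prioritised action list. The subcategory IDs are real CSF 1.1 identifiers; the scores, the 0-4 scale and the fictional organisation are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample profiles for a fictional organisation. Each subcategory
# outcome is scored 0 (not addressed) to 4 (fully achieved); that scale is an
# assumption of this example, not something the framework prescribes.
CURRENT_PROFILE = {
    "ID.AM-1": 2,  # physical devices and systems are inventoried
    "PR.AC-1": 1,  # identities and credentials are managed
    "PR.DS-1": 3,  # data at rest is protected
    "DE.CM-1": 1,  # the network is monitored for events
    "RS.RP-1": 0,  # response plan is executed during or after an incident
    "RC.RP-1": 2,  # recovery plan is executed during or after an incident
}
TARGET_PROFILE = {
    "ID.AM-1": 3, "PR.AC-1": 4, "PR.DS-1": 3,
    "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 3,
}
# The five Core functions, keyed by the prefix used in subcategory IDs.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int

    @property
    def size(self) -> int:
        return self.target - self.current

def gap_analysis(current, target):
    """Subcategories whose current score falls short of the target, largest
    gap first; ties broken by Core function order, then by subcategory ID."""
    order = list(FUNCTIONS)
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, 0)  # absent from the current profile counts as 0
        if have < want:
            gaps.append(Gap(sub, FUNCTIONS[sub[:2]], have, want))
    return sorted(gaps, key=lambda g: (-g.size, order.index(g.subcategory[:2]), g.subcategory))

def function_summary(gaps):
    """Total shortfall per Core function, the view a management report needs."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for g in gaps:
        totals[g.function] += g.size
    return totals
```

On the sample data, `gap_analysis` ranks PR.AC-1 and RS.RP-1 (both three points short) ahead of DE.CM-1, then ID.AM-1 and RC.RP-1, while PR.DS-1 already meets its target and does not appear.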

The 2018 Cybersecurity Framework Update
Four years after it was created, NIST's Cybersecurity Framework was updated in 2018, based on feedback from the public.

Version 1.1 included updates on:

  • authentication and identity;
  • self-assessing cybersecurity risk;
  • managing cybersecurity within the supply chain;
  • vulnerability disclosure.

Commenting on the changes, the CSF's Program Manager, Matt Barrett, said: "This update refines, clarifies and enhances Version 1.0. It is still flexible to meet an individual organization's business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things."

If you want to see what kinds of issues might shape future versions of the framework, you can visit CSF's "Roadmap" page.

Meanwhile, you can also view an up-to-date timeline of CSF news.

UK Equivalents of the Cybersecurity Framework
While other countries have directly incorporated the CSF into their legislation, the UK has not officially done so. Instead, there are a number of pieces of legislation that replicate the aims of the CSF. Although these are not directly aimed at, for example, SMEs and startups, they contain examples of best practice similar to the NIST guidelines that are universally useful in building a risk management strategy.

The existing legislation includes:

  • The Minimum Cyber Security Standard (MCSS). Published in June 2018 and applicable to UK government departments, the MCSS is very close to the CSF.
  • Health and Safety Executive (HSE) operational guidance on Industrial Automation and Control Systems (IACS). Published in 2017 and aimed at preventing accidents resulting from cybersecurity breaches, this guidance primarily impacts electricity providers and distributors, and businesses involved in the manufacture, use or storage of hazardous and explosive chemicals and microbiological substances.
  • Networks and Information Systems (NIS) directive. Introduced by the EU in July of 2016 for countries to benchmark against, the NIS Directive is aimed at critical infrastructure such as businesses within the sectors of oil, gas, energy, transportation, banking, water, food and telecommunications, and also companies providing an online service or platform, such as cloud computing or search facilities.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things and more.

Julian Hall is a freelance journalist and copywriter, Textual Healing.
