Using the NIST Cybersecurity Framework to address organizational risk

The U.S. federal government has been very active the past year, particularly with the cybersecurity executive order (EO) and associated tasks and goals that have come out of it. One framework and industry source that has been getting increased attention is the NIST Cybersecurity Framework (CSF).

The CSF came out of another EO, 13636, which is from 2013 and directed NIST to work with stakeholders to develop a voluntary framework for reducing risk to critical infrastructure. It was produced through coordinated efforts with industry and government, which have both widely adopted the framework.

Here’s how the CSF is composed, how aspects of it can help meet some of the recent cybersecurity EO objectives, and how any organization can use it to better map risk to threats.

What are the Cybersecurity Framework components?

At its foundation the CSF has three components:

• Core is essentially a set of desired cybersecurity activities and outcomes.
• Implementation Tiers are used by adopting organizations to give context when it comes to how organizations view cybersecurity risk management.
• Framework Profiles help provide customized alignment with organization requirements and objectives when it comes to achieving outcomes and reducing organizational and even industry-wide risk.

Within these three components are additional areas, such as categories and subcategories within functions, that tie to outcomes for a cybersecurity program. NIST has already produced several example framework profiles as well, such as for manufacturing, elections and the smart grid.

One of the most recognizable aspects of CSF is the functions it breaks down activities into: Identify, Protect, Detect, Respond and Recover. The reason these functions are so widely recognized is because they are both practical and logical. They align with the activities and lifecycle of cybersecurity and risk management within an organization’s security program. These functions are also applicable to organizations across many industries and verticals, making CSF dynamic and adaptable.

Since CSF is built on top of existing standards, guidelines and practices, it contains activities that are common among other industry-leading guidance such as CIS Critical Controls. This is evident through activities such as “identify critical enterprise processes and assets”. To better leverage existing standards, guidelines and practices, CSF also has what are called “Informative References” that align under each function and point to existing framework security controls and references.

How the Cybersecurity Framework helps enable EO compliance

The CSF isn’t explicitly referenced in the recent cybersecurity EO, but NIST is referenced extensively. With CSF being its flagship risk management framework, it will be tied to a lot of the activities and tasks that NIST conducts as part of the EO. All the cybersecurity tasks and activities defined in the EO can be mapped across the CSF functional categories as discussed above.

To promote further adoption of the CSF, NIST has published guidance including NISTIR 8170 Approaches for Federal Agencies to Use the Cybersecurity Framework and NISTIR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM). Coupling this guidance with tasks associated with the EO will let federal agencies address their existing risks and security deficiencies.

A major aspect of the EO was the push for agencies to adopt zero trust (mentioned 11 times). This is where agencies as well as industry organizations can start to see real synergies between CSF and the EO objectives. For example, when it comes to zero trust, the NIST National Cybersecurity Center of Excellence (NCCoE) has provided guidance that maps applicable zero trust components to CSF functions, categories and subcategories. These are core zero trust components, such as policy engines, administrators, enforcement points and more common security components such as SIEMs.

Federal agencies and industry organizations can leverage the CSF like in the example above, to map security program objectives across the five CSF functions, categories and subcategories. This includes mapping tools and aspects of the tech stack to CSF criteria. A key benefit of the CSF is its ability to help guide decisions regardless of where an individual sits within the organization. This applies from senior executives to business/processes and implementation and operations.

Aligning Cybersecurity Framework objectives to threats

Organizations, government and industry alike can take additional steps to align CSF objectives to actual threats. One great way to do so is by leveraging MITRE’s ATT&CK Evaluations, which emulate adversarial tactics and techniques against leading cybersecurity products. The information is then made available to industry end users to see how products performed and how well they align with organizational security objectives. Another excellent resource from MITRE is from the Center for Threat-Informed Defense’s mapping MITRE ATT&CK and NIST 800-53. By using these mappings, organizations could potentially cross reference the mapping from the Center to the Informational References in the CSF, which tie to specific functions and categories.

Regarding actual threats, self-assessment and measurement through the CSF can be used to improve decision making about investment priorities as well. A limited set of resources and funding is a reality for all security leaders regardless of industry. Identifying gaps in the security program and driving investments to the areas that present the most significant risk can provide massive benefits. This is why it is important for security leaders to ensure that the implementation of security controls and activities are tied to organizational outcomes and business objectives. Doing so ensures alignment with business leadership, bolsters buy-in for security initiatives and helps enable the business to operate securely.

NIST CSF is a flexible framework for managing organizational risk and security program maturity. It’s use cases include managing cyber requirements, reporting cybersecurity risks and integrating and aligning cyber and acquisition processes. All these use cases are applicable when it comes to meeting the slew of tasks and objectives that came out in the 2021 cybersecurity EO.

Learning about the CSF

NIST’s CSF can be a valuable tool for organizations improving the maturity of their security program and looking to drive down organizational risk and cover critical security functions. There are numerous resources to begin with CSF, most notably from NIST itself. They provide online learning, presentations and detailed documentation of the framework. There’s even a book dedicated to the NIST CSF. As organizations continue to improve their security program, a dynamic and comprehensive framework, mapped to existing standards is incredibly valuable, and that is the role that NIST’s CSF plays.