Unlocking the Power of NIST’s Cybersecurity Framework

Richard P. Tracy is the chief security officer of Telos Corporation.

Five years ago, it would have been a struggle to get more than 100 people to attend a cyber risk management conference.

Yet last year’s National Institute of Standards and Technology conference in Gaithersburg, Maryland, drew more than 1,000 eager attendees ready to learn about NIST’s Cybersecurity Framework (CSF). That passion to pursue strategies for cybersecurity risk management has only grown stronger in the past year.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

NIST developed the CSF three years ago as a set of voluntary industry standards and best practices to help critical infrastructure organizations manage cybersecurity risks. It was intended to be effective and specific in its recommendations while remaining flexible enough for all organizations to implement it.   

The CSF makes complex information about cybersecurity and risk management more accessible. It creates a common vocabulary that personnel can understand at all levels of the organization from the server room to the boardroom. 

Universal Grammar: The CSF’s Core Components

The flexibility of the NIST CSF is its strongest asset. Just as a language’s flexibility comes from its grammar, the framework’s flexibility comes from the Framework Core. Once you embrace the basic principles, you can tailor them to serve individual needs and challenges.

According to the framework document, the core’s five functions—Identify, Protect, Detect, Respond, and Recover—“are not intended to form a serial path, or lead to a static desired end state… [they] can be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk.”

In other words, the CSF isn’t linear and it’s not static; it is a living, breathing framework that is constantly evolving.

Broader Adoption Brings Greater Understanding and Greater Security

As with any standard, the more organizations embrace it, the more the community as a whole benefit.  The network effect of a broadly adopted cybersecurity standard means that more personnel across more organizations share a common point of reference when planning, evangelizing and deploying cybersecurity strategies. 

Growing adoption is a hallmark of the NIST CSF. According to Gartner, it had been adopted by about 30 percent of U.S. organizations by the second year of its release, and that number could reach 50 percent by 2020.  Private-sector organizations beyond critical infrastructure are already embracing the CSF to take advantage of its benefits.

Given its growing acceptance among public and private enterprises worldwide, it makes sense that cybersecurity professionals in the federal government are also taking notice. In fact, a recently proposed executive order would require federal agencies to use the CSF for managing cyber risk.

With this in mind, Matthew Barrett, NIST’s CSF program manager, recently announced that guidelines will be finalized within the next two months to integrate the NIST Risk Management Framework for the federal government with the NIST CSF. He stated that the goal is to “unify NIST’s risk management documents into a singular approach for federal agencies.”

Whether federal adoption is voluntary or compulsory, this initiative further extends the framework’s “universal language” to federal agencies. This will enable a broader range of security-conscious organizations to communicate effectively while making possible a common understanding of cyber risk management.

Automating While Maintaining Flexibility Helps Encourage Adoption

Automation has a critical role to play here. Emerging tools can help organizations embrace the framework without spending heavily to meet compliance requirements. This will further reduce barriers to deploying the CSF, increasing the number of “native speakers” and continuing a sea change in securing the data and infrastructure of increasingly interconnected organizations.

A workflow-enabled system allows organizations to establish and maintain a lifecycle enterprise cyber risk management process.  It also provides tools to help automate the collection of validation data needed to demonstrate achievement of security objectives and create a body of evidence that demonstrates a standard of due care. 

Fostering a Shared Point of Reference for Cyber Security and Risk Management

The NIST CSF continues to prove its value across a broad range of business sectors, soon to include the federal government.  It creates a common frame of reference in planning, deploying, and discussing cybersecurity strategies and tactics. It also enables cybersecurity personnel to communicate ideas about cybersecurity to the boardroom in order to marshal support and gain funding for critical security initiatives. 

Key to the efficient deployment of the CSF is automating as many of the processes that underlie the framework as possible.  The ability to inherit security controls, collect and manage the right data, and maintain a supporting body of evidence to prove compliance makes the CSF a powerful regimen for assuring cybersecurity and enabling IT risk management across the enterprise.