Unlocking the Power of NIST’s Cybersecurity Framework


In the not-so-distant past, it was hard to get people to think about cyber risk management.

Richard P. Tracy is the chief security officer of Telos Corporation.

Five years ago, it would have been a struggle to get more than 100 people to attend a cyber risk management conference.

Yet last year’s National Institute of Standards and Technology conference in Gaithersburg, Maryland, drew more than 1,000 eager attendees ready to learn about NIST’s Cybersecurity Framework (CSF). That passion to pursue strategies for cybersecurity risk management has only grown stronger in the past year.


NIST developed the CSF three years ago as a set of voluntary industry standards and best practices to help critical infrastructure organizations manage cybersecurity risks. It was intended to be effective and specific in its recommendations while remaining flexible enough for all organizations to implement it.   

The CSF makes complex information about cybersecurity and risk management more accessible. It creates a common vocabulary that personnel can understand at all levels of the organization from the server room to the boardroom. 

Universal Grammar: The CSF’s Core Components

The flexibility of the NIST CSF is its strongest asset. Just as a language’s flexibility comes from its grammar, the framework’s flexibility comes from the Framework Core. Once you embrace the basic principles, you can tailor them to serve individual needs and challenges.

According to the framework document, the core’s five functions—Identify, Protect, Detect, Respond, and Recover—“are not intended to form a serial path, or lead to a static desired end state… [they] can be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk.”

In other words, the CSF isn’t linear and it’s not static; it is a living, breathing framework that is constantly evolving.

Broader Adoption Brings Greater Understanding and Greater Security

As with any standard, the more organizations embrace it, the more the community as a whole benefits. The network effect of a broadly adopted cybersecurity standard means that more personnel across more organizations share a common point of reference when planning, evangelizing and deploying cybersecurity strategies.

Growing adoption is a hallmark of the NIST CSF. According to Gartner, it had been adopted by about 30 percent of U.S. organizations by the second year of its release, and that number could reach 50 percent by 2020.  Private-sector organizations beyond critical infrastructure are already embracing the CSF to take advantage of its benefits.

Given its growing acceptance among public and private enterprises worldwide, it makes sense that cybersecurity professionals in the federal government are also taking notice. In fact, a recently proposed executive order would require federal agencies to use the CSF for managing cyber risk.

With this in mind, Matthew Barrett, NIST’s CSF program manager, recently announced that guidelines will be finalized within the next two months to integrate the NIST Risk Management Framework for the federal government with the NIST CSF. He stated that the goal is to “unify NIST’s risk management documents into a singular approach for federal agencies.”

Whether federal adoption is voluntary or compulsory, this initiative further extends the framework’s “universal language” to federal agencies. This will enable a broader range of security-conscious organizations to communicate effectively while making possible a common understanding of cyber risk management.

Automating While Maintaining Flexibility Helps Encourage Adoption

Automation has a critical role to play here. Emerging tools can help organizations embrace the framework without spending heavily to meet compliance requirements. This will further reduce barriers to deploying the CSF, increasing the number of “native speakers” and continuing a sea change in securing the data and infrastructure of increasingly interconnected organizations.

A workflow-enabled system allows organizations to establish and maintain a lifecycle enterprise cyber risk management process.  It also provides tools to help automate the collection of validation data needed to demonstrate achievement of security objectives and create a body of evidence that demonstrates a standard of due care. 

Fostering a Shared Point of Reference for Cyber Security and Risk Management

The NIST CSF continues to prove its value across a broad range of business sectors, soon to include the federal government.  It creates a common frame of reference in planning, deploying, and discussing cybersecurity strategies and tactics. It also enables cybersecurity personnel to communicate ideas about cybersecurity to the boardroom in order to marshal support and gain funding for critical security initiatives. 

Key to the efficient deployment of the CSF is automating as many of the processes that underlie the framework as possible.  The ability to inherit security controls, collect and manage the right data, and maintain a supporting body of evidence to prove compliance makes the CSF a powerful regimen for assuring cybersecurity and enabling IT risk management across the enterprise. 
