The Framework for Improving Critical Infrastructure Cybersecurity (aka the NIST Cybersecurity Framework, aka the NIST CSF) offers security organizations a framework to build, manage, and measure their cybersecurity programs.
However, when reading the document, it can feel like the actual framework is a secret—much like Dr. Strangelove’s doomsday device. I don’t actually believe the framework is a secret, but there is a certain level of decoding that organizations need to do to understand how to apply the CSF.
But before I dig into how, let’s look at why the NIST CSF is even worth decoding in the first place. After all, your time is finite. Is it worth the effort to understand the CSF as a framework for your cybersecurity program? We think that it is.
As we’ve written previously, the NIST CSF can help security professionals overcome the three hurdles of security maturity reporting. These are: building a shared language with executives and the board of directors, facilitating complex cybersecurity conversations, and mapping cybersecurity assessment findings to cybersecurity roadmaps. It’s critical that security organizations overcome these challenges because boards and executives are becoming increasingly interested in cybersecurity planning and strategy. Once you have the Board’s attention, you need to present a cybersecurity assessment they’ll actually care about. That’s where the NIST CSF fits in.
OK, so let’s dig in. The NIST CSF is structured into four core elements:
- Five Functions
- Twenty-two Categories
- Ninety-eight Subcategories
- Numerous Informative References
The Functions and Categories are generally a grouping methodology. The Subcategories are described by NIST as “specific outcomes of technical and/or management activities.” It is excellent to know what outcomes an organization should look for from a cybersecurity program. However, if the desired outcome for a Subcategory is not being achieved, what activities should an organization start to perform or enhance to achieve that outcome? This information isn’t spelled out in the NIST CSF document. You need to dig into the Informative References.
The Informative References section includes references to a number of standards, guidelines, and practices, including the Center for Internet Security Critical Security Controls, COBIT, ISO 27001, and NIST SP 800-53. These resources are great tools that organizations can use while determining the cybersecurity controls and activities that will be the most beneficial to the organization’s cybersecurity posture. For example, NIST SP 800-53 contains over 700 cybersecurity controls and control enhancements that can be leveraged to meet the outcomes included in the NIST CSF Subcategories. That alone can be overwhelming—if you go it alone.
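The "decoding" described above is essentially a walk down the hierarchy: Function, Category, Subcategory (outcome), and then the Informative References that say what to do when an outcome is not met. The following Python example, added here and not part of the original post or of the Axio360 platform, models that walk as a gap report: it rolls assessment scores up to the Function level and pairs every unmet Subcategory with its references, then inverts the result into control-centred action items. The identifiers follow the CSF naming pattern (Function.Category-number), but the outcome wording, the scores, and the Subcategory-to-control mapping are constructed samples for illustration; the authoritative mapping is the Informative References table in the CSF document itself.

```python
"""Gap report over a small model of the NIST CSF hierarchy.

Function -> Category -> Subcategory (outcome) -> Informative References.
The outcome text, scores and reference mappings below are constructed
samples for illustration, not copied from the CSF or SP 800-53.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Subcategory:
    id: str             # "ID.AM-1" style: Function.Category-number
    outcome: str        # the outcome statement the CSF expects
    references: tuple   # informative references that describe activities

    @property
    def function(self) -> str:
        return self.id.split(".")[0]      # "ID"

    @property
    def category(self) -> str:
        return self.id.split("-")[0]      # "ID.AM"


# Constructed sample of the hierarchy; a full profile has far more entries.
CSF_SAMPLE = (
    Subcategory("ID.AM-1", "Physical devices and systems are inventoried",
                ("NIST SP 800-53 CM-8", "CIS CSC 1")),
    Subcategory("ID.AM-2", "Software platforms and applications are inventoried",
                ("NIST SP 800-53 CM-8", "CIS CSC 2")),
    Subcategory("PR.AC-1", "Identities and credentials are managed",
                ("NIST SP 800-53 AC-2", "NIST SP 800-53 IA-2")),
    Subcategory("PR.AC-4", "Access permissions follow least privilege",
                ("NIST SP 800-53 AC-6",)),
    Subcategory("DE.CM-1", "The network is monitored to detect events",
                ("NIST SP 800-53 SI-4",)),
)


def gap_report(assessment, target=3, catalog=CSF_SAMPLE):
    """Return (rollup, gaps).

    assessment: {subcategory id: score 0..4}; missing ids count as 0,
                so an unassessed outcome is treated as not achieved.
    rollup:     {function: mean score}, the view a board summary needs.
    gaps:       [(id, score, references)] for every outcome below target,
                each paired with the references that say what to do.
    """
    by_function = defaultdict(list)
    gaps = []
    for sub in catalog:
        score = assessment.get(sub.id, 0)
        by_function[sub.function].append(score)
        if score < target:
            gaps.append((sub.id, score, sub.references))
    rollup = {fn: round(sum(s) / len(s), 2) for fn, s in by_function.items()}
    return rollup, gaps


def action_items(gaps):
    """Invert gaps into {reference: [subcategory ids]}.

    One control often serves several outcomes, so planning by control
    yields fewer, broader action items than planning by subcategory.
    """
    items = defaultdict(list)
    for sub_id, _score, refs in gaps:
        for ref in refs:
            items[ref].append(sub_id)
    return dict(items)


if __name__ == "__main__":
    # Constructed assessment; DE.CM-1 is deliberately left unassessed.
    sample = {"ID.AM-1": 3, "ID.AM-2": 1, "PR.AC-1": 4, "PR.AC-4": 2}
    rollup, gaps = gap_report(sample)
    print("Function roll-up:", rollup)
    for sub_id, score, refs in gaps:
        print(f"{sub_id} scored {score}: see {', '.join(refs)}")
    print("Action items by control:", action_items(gaps))
```

The roll-up is what goes on the board slide; the gap list and the inverted action items are what the security team works from, which is the two-audience split the post describes. Treating an unassessed Subcategory as a gap rather than silently skipping it is a deliberate choice: a missing answer is more likely an unmanaged outcome than an achieved one.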
To help organizations build, manage, and measure their cybersecurity programs with the NIST CSF, we have created the NIST CSF Edition on the Axio360 platform. The Axio360 platform enables organizations to evaluate their cybersecurity programs using the NIST CSF (as well as the Cybersecurity Capability Maturity Model (C2M2)). The NIST CSF Edition of the Axio360 platform links each NIST CSF Subcategory directly to the NIST SP 800-53 controls that correlate with it, which allows users to quickly and easily dive deeper into areas and controls where additional information is required. Users are then able to use the Axio360 platform to create Action Items and Targets against which the organization can manage its program.
These resources on the Axio360 platform ensure that organizations are driving towards cybersecurity industry best practices and have the means to measure themselves against targets they can set for themselves.
By providing a framework for assessing and communicating the organization’s cybersecurity posture, the NIST CSF accomplishes several very important objectives. However, there is a gap when organizations look for guidance on shoring up their weaknesses. This is where the Axio360 platform comes into play. And we’d love to show you how.