NIST CSF: A Prominent Cyber Risk Framework
Since its inception in 2014, the NIST Cybersecurity Framework has rapidly gained adoption and recognition. Gartner estimates that by 2020, 50% of organizations will be using NIST CSF to better understand their cyber risk. As the collaborative brainchild of leaders in academia, the private sector, and government, NIST CSF has enjoyed world-wide publicity and importance while maintaining an image of fairness and objectivity.
NIST CSF is backed by a 100+-year-old federal sciences laboratory without a regulatory agenda, and the framework is designed to accommodate any industry. Because US CEOs have ranked cybersecurity as their biggest threat to business, NIST CSF has become the public-facing whisperer for the elephant in the room: cybersecurity risk.
The members of the Axio team have been closely involved in the development of the NIST CSF from day one, and have decided to compile a list of the top 10 things that you may not know about it. We hope you enjoy reading it and learn something new! If there’s something you feel should be added to our list, please feel free to reach out to us and we’ll make sure to add it, and credit your contribution!
1. NIST CSF can be used as the basis for cybersecurity program evaluation.
An organization’s cybersecurity program is the first line of defense against cyber risk. In using a reference framework for cybersecurity program evaluation, organizations have access to commonly used descriptions of program activities, a means for evaluating achievement consistently over time, a roadmap for program investment and improvement, and the potential for peer and internal benchmarking. NIST CSF provides these capabilities, covering both traditional IT security and the security of operational technology (OT, or industrial control systems), and is widely adopted.
2. NIST CSF is not prescriptive; it focuses on outcomes rather than actions.
Unlike some control sets, NIST CSF provides outcomes rather than details on how to achieve outcomes. One example of this is Subcategory DE.CM-8, which states “Vulnerability scans are performed.” While the outcome of vulnerability scans is identified here, the framework does not indicate what systems should be scanned, how often, or what methods should be used.
3. NIST CSF can easily be supplemented with additional control sets, such as the CIS Controls, other NIST Special Publications, and ISO standards.
NIST CSF is not designed to stand on its own and integrates well with other, more prescriptive industry standard control sets, such as NIST SP 800-53, ISO 27001, the Center for Internet Security’s CIS Controls, and COBIT. Continuing with the vulnerability scan example, NIST SP 800-53 provides a much deeper control description for vulnerability scanning, including supplemental guidance and control enhancements.
4. NIST CSF links to a number of valuable resources that provide guidance on the Subcategories.
NIST CSF makes it easy to refer to supplemental resources by providing great cross-references to a number of control sets that can guide the actions needed to meet the intent of a Subcategory. In Axio360, these control sets (which are called the Informative References) are shown in the help documentation, and links are provided to the referenced NIST SP 800-53 controls so you don’t need to search for these yourself.
5. NIST CSF can be used as the Rosetta Stone for various standards.
In addition to the supplemental guidance they provide for Subcategories, the Informative References allow you to speak the same language as other entities and organizations that may be using one of the other control sets. They can also help in mapping CSF-based cybersecurity program improvement initiatives to those based on other standards.
6. The framework is required for certain entities through an executive order.
Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, requires US federal agencies to apply the NIST Cybersecurity Framework to federal information systems and provide a risk management report to the Department of Homeland Security and the Office of Management and Budget.
7. CSF is not just used by government entities but also by many in the private sector.
Although use of NIST CSF is required of US federal agencies, many entities in the private sector have adopted it as well. As can be seen in its title, the framework is particularly intended for the critical infrastructure community, but it is applicable to organizations of all types and sizes.
8. The NIST CSF program is under active development to ensure that the framework is sustained with current best practices.
NIST views CSF as a living document and routinely reviews and updates it. At a high level, the update process includes community outreach, soliciting direct feedback, and monitoring various resources. NIST CSF was initially released in February of 2014 and was updated in April 2018 with refinements and enhancements, including management of supply chain cybersecurity.
9. The structured elements of CSF allow for reporting and decision making at different levels within the organization, including the Board.
The five Functions in NIST CSF—Identify, Protect, Detect, Respond, and Recover—are written in plain language that helps security professionals communicate the state of cybersecurity in terms leadership can easily understand. Profiles allow an organization to focus on the Subcategories that are most relevant and impactful to its resilience, which supports the discussions and reporting needed to get the most from cybersecurity spend.
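To make the Profile and Rosetta Stone ideas from items 5 and 9 concrete, here is an added example (not Axio360 code and not part of the original post) that compares a constructed current-state profile against a constructed target profile, rolls the gaps up to the five Functions for leadership reporting, and attaches Informative References so each gap points at a more prescriptive control set. The 0–4 scoring scale, the sample scores, and the small SP 800-53 reference map are illustrative assumptions, not data from the page.

```python
"""Profile gap analysis over NIST CSF Subcategories (added example).

Not Axio's code. The 0-4 scale, sample scores and the reference map
are illustrative assumptions; the authoritative mapping is the
Informative References column of the framework itself.
"""
from collections import defaultdict

# Subcategory -> SP 800-53 controls (assumed, illustrative subset).
INFORMATIVE_REFS = {
    "ID.AM-1": ["CM-8"],
    "PR.AC-1": ["AC-2", "IA-2"],
    "DE.CM-8": ["RA-5"],
    "RS.RP-1": ["IR-4", "IR-8"],
    "RC.RP-1": ["CP-10"],
}

def function_of(subcategory: str) -> str:
    """'DE.CM-8' -> 'DE' (the Function prefix of a Subcategory ID)."""
    return subcategory.split(".")[0]

def gap_report(current: dict, target: dict) -> dict:
    """Return per-Function total gap and the Subcategories behind it."""
    report = defaultdict(lambda: {"gap": 0, "subcategories": []})
    for subcat, want in target.items():
        have = current.get(subcat, 0)          # unassessed counts as 0
        if have < want:
            entry = report[function_of(subcat)]
            entry["gap"] += want - have
            entry["subcategories"].append({
                "id": subcat, "current": have, "target": want,
                "refs": INFORMATIVE_REFS.get(subcat, []),
            })
    return dict(report)

def prioritized(report: dict) -> list:
    """Functions ordered by largest gap first (ties alphabetical)."""
    return sorted(report, key=lambda f: (-report[f]["gap"], f))

# Constructed sample profiles (scores 0-4; not real assessment data).
CURRENT = {"ID.AM-1": 3, "PR.AC-1": 2, "DE.CM-8": 1, "RS.RP-1": 2}
TARGET = {"ID.AM-1": 3, "PR.AC-1": 4, "DE.CM-8": 4, "RS.RP-1": 3, "RC.RP-1": 2}

if __name__ == "__main__":
    rep = gap_report(CURRENT, TARGET)
    for fn in prioritized(rep):
        print(fn, rep[fn])
```

The Function-level totals are what a Board slide would show; the per-Subcategory entries with their references are what the program team works from.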
10. NIST CSF is available in the Axio360 platform.
The Axio360 platform is a cyber risk management information system. It includes modules for continuous cybersecurity program assessments and improvement planning, cyber risk quantification and evaluation of cybersecurity control changes, and insurance analysis to determine how your insurance portfolio would respond to a complex cyber event. The assessment and planning module supports NIST CSF, the Cybersecurity Capability Maturity Model (C2M2 v1.1 and v2 draft), Cybersecurity Maturity Model Certification (CMMC), Center for Internet Security Controls (CIS Controls, also known as CIS20), and more to come. For CSF and the other assessment types, Axio360 enables continuous current-state assessments, target-state profiles, and improvement roadmap development, tracking, and reporting.
After completing an assessment in Axio360 using the NIST CSF, your path to improving your cybersecurity risk posture has only begun. You can then leverage this data to quantify the risks that matter most to your organization, determine their actual financial outcomes, and plan for investment and improvement by implementing controls and optimizing your cyber insurance portfolio.