NIST Cybersecurity Framework

Background

The NIST Cybersecurity Framework (NIST CSF) is a voluntary framework that is comprised of risk-based guidelines that leverage well-established cybersecurity practices. It is a scaled-down version of NIST 800-53 that was designed to help organizations design, implement, and manage a recognized cybersecurity structure, using a flexible and customizable approach. As new cyber threats, technologies, and processes emerge, the NIST CSF will evolve to address the changing landscape.

NIST CSF is broken down into five framework functions, each function contains a set of categories and subcategories. The five functions are:

1. Identify: Understand and manage cybersecurity risks to systems, assets, data, and capabilities. The categories within the Identity function are:
   1. Asset management
   2. Business environment
   3. Governance
   4. Risk assessment
   5. Risk management strategy
   6. Supply chain risk management
2. Protect: Implement safeguards to ensure the delivery of critical services and the protection of sensitive information. The Protect categories are:
   1. Access control
   2. Awareness and training
   3. Data security
   4. Information protection
   5. Maintenance
   6. Protective technology
3. Detect: Identify and react to cybersecurity events quickly. The Detect controls are:
   1. Anomalies and events
   2. Security monitoring
   3. Detection process
4. Respond: Develop and implement actions to take following a detected cybersecurity incident. The Respond controls are:
   1. Response planning
   2. Communications
   3. Analysis
   4. Mitigation
   5. Improvements
5. Recover: Develop and implement plans to restore services and capabilities damaged in a cybersecurity event. The Recover controls are:
   1. Recovery planning
   2. Improvements
   3. Communication

Because it is less rigorous, NIST CSF does not meet the security requirements needed to achieve certification or compliance with many common standards such as GDPR, CPRA/CCPA, and PCI DSS.  NIST 800-53 or 800-171 is a better option for organizations that need to comply with one or more of those standards. NIST CSF can be used to comply with HIPAA security standards.

Benefits of NIST CSF Compliance

For small and medium-sized businesses and organizations NIST CSF is a proven framework to defend against cyber threats and establish a unified approach to security throughout the enterprise. NIST CSF utilizes an adaptive approach that will account for emerging threats. Your organization with likely find the continuous compliance strategy more effective and efficient than a one-off audit strategy.

Adhering to the highly recognized standard will allow your business to meet potential customers’ security requirements. NIST CSF compliance will build trust with your vendors, suppliers, and partners and help enable business growth.

How We Can Help

CompliancePoint’s team of cybersecurity experts offers decades of experience your organization can leverage. We can help design and implement controls that will meet the requirements of whichever NIST standard is the right fit for you. Once implemented, we can help manage your security program on an ongoing basis to ensure continuous compliance.