The NIST Cybersecurity Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. We spoke with Amy Mahn, an international policy specialist in the NIST Applied Cybersecurity Division, about the framework, who can use it, and how it’s evolving.
What is the Cybersecurity Framework, and what was it created to accomplish?
AVM: The Framework for Improving Critical Infrastructure Cybersecurity, or the Cybersecurity Framework as many of us refer to it, is voluntary guidance for organizations to better manage and reduce their cybersecurity risk. NIST developed the framework at the direction of the White House with the active participation of industry, academia, and multiple levels of government. It’s designed to be a “common language” that spans the entirety of cybersecurity risk management and that can be easily understood by people with all levels of cybersecurity expertise. Five functions comprise the core of the framework: identify, protect, detect, respond, and recover. Under these overarching functions, the framework provides a catalog of cybersecurity outcomes based on existing standards, guidelines, and practices that organizations can customize to better manage and reduce their cybersecurity risk.
Although we designed the framework specifically for companies that are part of the U.S. critical infrastructure, many other organizations in the private and public sectors are using and gaining value from the approach. A 2017 Executive Order requires federal agencies to use it, but the Cybersecurity Framework remains voluntary for industry. Twenty-one states are using it, and we have also seen an increase in the use and adaptation of the framework internationally.
Why should businesses use the Cybersecurity Framework? Are there certain kinds and sizes of companies that should use it? How about others?
AVM: NIST encourages all organizations—for-profit businesses, not-for-profit organizations, and government agencies—to review and consider using the framework to understand and manage their cybersecurity risk. Because NIST and our collaborators designed the framework to be flexible enough to be adopted by 16 disparate U.S. critical infrastructure sectors, e.g., utilities, financial services, agriculture, healthcare, etc., we ended up creating something that is applicable to all types of businesses, including smaller organizations with fewer IT resources, regardless of the state of their current cybersecurity practices. It offers a common and understandable language that all can use to communicate their cybersecurity risks and expectations to suppliers and customers alike. The framework is risk-based, so it allows organizations to determine the appropriate level of cybersecurity for their individual risk environment, requirements, and business objectives. The Cybersecurity Framework is easily paired with the many excellent standards and practices that already exist, allowing users to take advantage of what’s working now and what will emerge over time. It’s also valuable as a living document because this voluntary risk management tool can evolve faster than regulation and legislation in the face of quickly changing technology and threats. NIST updates the framework based on regular input from stakeholders as we learn from their customized implementations.
I’d like to emphasize that every organization faces its own set of cybersecurity challenges, and it’s not an issue that just larger companies need to address. There is a great risk to small- and medium-sized businesses as well as the larger supply chain upon which the U.S. relies for its economy and national security. We encourage all businesses to consider using the framework and adapt it in ways that support their cybersecurity and maximize their business value.
Does it provide a recommended checklist of what all organizations should do?
AVM: The framework is guidance that is meant to be adapted to varying sectors, organizations, requirements, and technologies. It should be customized by different sectors and individual organizations to best suit their risks, situations, and needs. Organizations will continue to have unique risks—different threats, different vulnerabilities, different risk tolerances—and how they implement the practices in the framework to achieve positive outcomes will vary. The framework should not be implemented as an uncustomized checklist or a one-size-fits-all solution.
For small businesses, cybersecurity can be beyond the skills of the people who work there. They might be too small to have an IT department. How can they use the framework to defend themselves?
AVM: We recognize that smaller businesses, especially those with few IT resources, can have special challenges assessing cybersecurity risks and implementing risk management measures.
The tiered structure of the Cybersecurity Framework holds the key to applying it in a small business setting. Often the extended Cybersecurity Framework catalog of outcomes is too detailed for the initial efforts of small businesses. If so, businesses will find value in reflecting on the five functions and their corresponding outcomes. The functions—identify, protect, detect, respond, and recover—remind us of how important it is to balance proactive safeguards while preparing for worst-case scenarios. This balance is especially important in small business settings where a worst-case incident could drastically affect the solvency of a business.
Generally, NIST has always placed emphasis on meeting the cybersecurity needs of small businesses by providing guidance through various publications, meetings, and events. Materials and an associated program description are available at the Computer Security Resource Center.
One particularly useful resource for better understanding cybersecurity activities from a small business perspective is Small Business Information Security: The Fundamentals (NISTIR 7621 Rev. 1). We recommend this guide, which is organized according to the five framework functions, as a starter kit for small businesses.
We anticipate developing even more resources to help small- and medium-sized businesses within the coming year. The president signed the NIST Small Business Cybersecurity Act in early August 2018, which requires the director of NIST, within one year, to issue guidance and a consistent set of resources to help small- and medium-sized businesses identify, assess, and reduce their cybersecurity risks. NIST will be producing more accessible information and resources, and amplify awareness of helpful resources produced by others that will be handy for these smaller organizations as they address cybersecurity risks and explore implementing the framework.
How is the framework evolving? Any insight into future revisions?
AVM: We just released our first update, Framework v. 1.1, in April this year. This version includes language and features that stakeholders identified as important, including supply-chain risk management, coordinated vulnerability disclosure, and authentication and identity proofing. There’s a new section on the relevance and utility of the framework for organizational self-assessment, and we’re also updating the framework’s Informative References to reflect the advancement of standards and guidelines by private and public-sector organizations. That said, Framework v. 1.1 is still fully compatible with the first version. When considering using the framework, NIST recommends that organizations incorporate the additional content and functionality of v. 1.1 based on the needs of the individual organization.
We will continue to refine and improve the framework over time to keep pace with the evolution of technology and threats, integrate lessons learned, and establish best practices as common practices. As part of that process, we will ask our stakeholders every three years whether it’s time to consider an update and what they would like to see in that update. But because we recognize that cybersecurity threats and the general risk landscape change quickly, our decisions about the timing of updates will also be based on user experiences, technological advances, and standards innovations.
What do you wish we had asked you?
AVM: We always appreciate a chance to highlight the increased work we have been doing at NIST on seeking greater international alignment of the framework and where we’re headed in this area.
The Cybersecurity Enhancement Act of 2014 affirmed and emphasized our role in driving global alignment in consultation with international organizations and governments of other nations. To do this, we have been increasing our Cybersecurity Framework-related engagement efforts with partners and supporting participation in standards-developing organizations.
We don’t see the framework as a “U.S. only” document, as it references globally recognized standards, guidelines, and practices. This allows the framework to be used to more easily and efficiently manage new and evolving risks outside of the United States. Parties may prefer to reference the recently published ISO/IEC Technical Report 27103—“Information technology—Security techniques—Cybersecurity and ISO and IEC standards,” which incorporates language from the first version of the framework but does not mention the framework specifically. It provides a nice, neutral outlet for the framework’s language, so countries can use its content while citing their alignment with an internationally accepted document.
We have also ramped up our engagement with other countries. This includes recent meetings, arranged by the U.S. Commerce Department’s International Trade Administration, with Brazilian government and industry organizations to encourage them to adopt the framework. While countries like Japan, Israel, Italy, and Bermuda have already translated and adapted the framework for their needs, we have also noticed even more translations and adaptations of the framework surfacing recently.
The government and various industries in Uruguay, for instance, have been using it. We also know that Switzerland has recently incorporated it into a minimum standard for improving information and communications technology resilience. I’d also like to note that NIST is currently producing a Spanish translation of the framework that will help make the content accessible to an even wider audience.