The NIST Cybersecurity Framework: Defending the Digital Frontier and Beyond
Ten years ago, the National Institute of Standards and Technology (NIST) published the first version of its Cybersecurity Framework (CSF) to support critical national infrastructure organisations in the US in providing appropriate and effective security controls. The framework is not prescriptive, nor is it designed to be a “one size fits all” solution; it complements existing security programmes and risk management processes. Organisations can then leverage the framework to identify opportunities for improvement and to increase the effectiveness of their security capability.
Since its first release in February 2014, with a subsequent minor update in April 2018, the NIST CSF has been adopted by many countries outside the US and by many organisations beyond those responsible for protecting critical national infrastructure. NIST maintains an ongoing dialogue and collaboration with industry, academia, and government to ensure the framework stays current and relevant to the challenges of the day, including the ever-changing threat landscape.
In 2022, NIST started work on the first major update to the framework since its initial publication; the final draft is now in review, and publication of version 2.0 of the standard is expected shortly. In future articles we will explore some of the proposed changes in this new version, but to begin with we explore the origins of the NIST CSF, the legislative support that brought it into existence, and the anticipated 2024 update, which underscores its adaptability and effectiveness.
A brief background on NIST and the Cybersecurity Enhancement Act of 2014
With the passage of the US Cybersecurity Enhancement Act of 2014 (CEA), NIST, an institution already renowned for its scientific and technological advancements, took on an important new role. The CEA formalised a previous executive order, tasking NIST with the responsibility of defining the NIST Cybersecurity Framework, a comprehensive set of guidelines aimed at enhancing cybersecurity across critical infrastructure.
The United States recognised the escalating threats to its critical infrastructure, which includes systems critical to national security, the economy, and public safety. Cybersecurity risks were acknowledged as influential factors affecting an organisation's bottom line. In response, the CEA formalised NIST's role in developing a framework that provides a prioritised, flexible, repeatable, performance-based, and cost-effective approach to managing cyber risks on a voluntary basis, rather than placing an additional regulatory burden on organisations.
Components of the NIST Cybersecurity Framework
The Framework employs a common language to address and manage cybersecurity risks cost-effectively based on business and organisational needs. It consists of three integral parts: the Framework Core, the Implementation Tiers, and the Framework Profiles.
Framework Core: A set of cybersecurity controls, activities, outcomes, and informative references common across sectors, providing detailed guidance for developing individual organisational profiles. This is probably the most familiar part of the framework for most security professionals, as it defines the functional groups of controls, organised into categories and subcategories, which break the controls down to a level at which they can be measured.
Implementation Tiers: Mechanisms allowing organisations to understand the characteristics of their approach to managing cybersecurity risk, aiding in prioritising and achieving cybersecurity objectives.
Framework Profiles: Align and prioritise cybersecurity activities with business/mission requirements, risk tolerances, and resources by defining the current profile and target profile for the organisation, allowing for the development of a roadmap for improvement.
The flexibility of the Framework enables organisations of all sizes, cybersecurity risk levels, and sophistication to apply its principles and best practices to enhance security and resilience. It offers a common organising structure, incorporating globally recognised cybersecurity standards.
Relevance Beyond US Borders
Although initially aimed at US organisations, the NIST CSF extends its influence globally, recognising that cyber threats transcend borders. Many international companies headquartered in the US will likely already align to the NIST CSF and, to ensure global consistency, will mandate that their operations in other countries use the same framework. The Framework serves as a model for international cooperation, fostering the strengthening of cybersecurity not only in critical infrastructure but across various sectors and communities.
The United Kingdom's National Cyber Security Centre (NCSC) operates the Cyber Assessment Framework (CAF) for the UK’s Critical National Infrastructure, which is closely aligned to its American counterpart. This collaboration highlights the universal principles essential for safeguarding critical national infrastructure on an international scale.
Updates to NIST CSF and the Anticipated 2024 Release
The NIST Cybersecurity Framework is designed to evolve over time, reflecting the dynamic nature of the cybersecurity landscape. Updates ensure the framework remains relevant, integrating lessons learned and maintaining good security practice as the world around us keeps changing. Stakeholder feedback plays a pivotal role, with NIST actively seeking input through public webinars, workshops, and various other channels.
As the NIST Cybersecurity Framework continues to evolve, it stands as a beacon of collaboration, adaptability, and resilience in the face of emerging cyber threats. Its universal principles, flexibility, and global applicability underscore its importance not only to US critical infrastructure but to organisations worldwide. With the anticipated release of version 2.0 in 2024, the Framework reaffirms its commitment to staying ahead of cyber threats and providing invaluable guidance in the ever-changing digital landscape.
Stay tuned for the next chapter where we evaluate the main changes between v1.1 and v2.0 of the NIST CSF.