What is the NIST Cybersecurity Framework?

National Institute of Standards and Technology (NIST) frameworks are a set of voluntary controls and balances to help operators of critical infrastructure organizations – like banks, hospitals, and utilities – manage cybersecurity risk. NIST itself is a federal agency within the US Chamber of Commerce that spans manufacturing, quality control, and information security, among other industries.

The agency collaborated with security industry experts, other government agencies, and academics to establish the frameworks, which are now leveraged by many organizations to manage and reduce risks that could impact their environment and their customers.

When people in information security refer to the NIST frameworks, they're likely referring to three specific NIST documents on cybersecurity best practices:

  • NIST Cybersecurity Framework: This framework focuses on industries vital to national and economic security, including energy, banking, communications, and the defense industrial base.
  • NIST 800-53: This framework is primarily relevant to federal agencies as they work to become and stay compliant with the Federal Information Security Management Act (FISMA), and is best known for providing a deep dive into each of the act’s high-level requirements.
  • NIST 800-171: This framework is directly related to 800-53, and provides guidance on security practices and controls that federal agencies must implement. It typically focuses on a narrow subset of organizations that handle Controlled Unclassified Information (CUI).

Two of these three documents specify required controls for either US federal agencies or any organizations which work with US federal government data. However, all three documents contain best practices helpful for any cybersecurity organization to use as a baseline in its security operations.

NIST Cybersecurity Framework Goals

NIST provides industry-agnostic guidance to help organizations achieve ideal security-related levels of competence and compliance. The depth and breadth of advice within the NIST framework documents are a great resource for federal agencies or organizations working with the US federal government.

What are the Main Components of the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is in place to help organizations determine what processes and controls are most relevant to their unique challenges, and how best to implement and test the efficacy of the security measures they put in place. The framework classifies its key points into six components:

  • Identify: This component is all about identifying what needs to be protected. Gain visibility into what is being managed and how, and what needs to be added to the list of managed functions.
  • Protect: This component stipulates what capabilities and technology will be leveraged in protecting the identified functionalities or minimizing the impact resulting from a breach or other incident.
  • Detect: This component centers on detection capabilities within the security organization and their relative strength in picking up anomalous signatures that could indicate a threat.
  • Respond: This component ensures an organization has in place the capability to prioritize a threat or incident and respond aptly so that potential fallout and disruption to operations is minimized.
  • Recover: This component brings in line a security operations center’s (SOC’s) ability to recover from an incident in a timely manner. Reporting is a critical subcomponent here, so that lessons learned can be implemented and playbooks for similar attack paths can be followed in the future.
  • Govern: The newest component of NIST’s framework, the govern component asks – according to NIST – “how an organization ensures responsible governance and how a governance system reviews and achieves accountability,” here speaking directly to the area of cybersecurity and the systems in place to ensure a SOC is operating at optimal posture.

How to Get Started with the NIST Cybersecurity Framework

There are certain prescribed steps a SOC must take to align to the particulars of the NIST Cybersecurity Framework, but each organization will also have its own unique challenges. Let’s review some higher-level steps on getting started.

The NIST Tiered Approach

There are a total of four “tiers” that an organization can research at length and use to assess its security posture and determine how to move forward. According to the NIST Cybersecurity Framework 2.0 Quick-Start Guide for Using the CSF Tiers, using them “can help provide context on how an organization views cybersecurity risks and the processes in place to manage those risks. The Tiers can also be valuable when reviewing processes and practices to determine needed improvements and monitor progress made through those improvements.” The tiers are:

  • Partial: Businesses aligning with this tier have very little knowledge of cybersecurity practices and wouldn’t know how to respond in the case of a security event.
  • Risk Informed: Businesses aligning with this tier have an idea of the major categories of security events, but do not possess a security operations center from which to create or strategize cybersecurity best practices.
  • Repeatable: Businesses aligning with this tier are beginning to implement some cybersecurity best practices and are striving to create repeatable processes that a team can leverage in detection and response protocols.
  • Adaptive: Businesses aligning with this tier have incorporated advanced security concepts into their daily operations and are able to adapt to most security events as well as enact proactive capabilities to seek out the next threat and extinguish it.

These tiers help define how agile an organization’s response to risk is at the current moment and would – in theory – provide a roadmap of sorts to help a security organization achieve a strong level of cybersecurity risk management. The Quick-Start Guide goes on to state that “when selecting tiers, consider the following aspects of the organization:

  • Current risk management practices
  • Threat environment
  • Legal and regulatory requirements
  • Information sharing practices
  • Business and mission objectives
  • Supply chain requirements
  • Organizational constraints, including resources”
