The then-new 2014 NIST Cybersecurity Framework (CSF) was designed to plug security gaps in operational technology. It’s still in use today and more relevant than ever. Fortra’s whitepaper provides a cohesive review of this security staple and how to glean the best out of it for your strategy.
A Brief History of NIST CSF
“The full maximum NIST Cybersecurity Framework is about as big an umbrella as you are going to find,” says Edward G. Amoroso, CEO of TAG Cyber, in the Fortra report. He advises, “… if you’re going to pick something, you might as well pick the thing that has everything.”
Created as a best practice by the Obama Administration in 2013, it became a requirement for all federal agencies by May 2017 under President Trump. Initially developed by the National Institute of Science and Technology (NIST) in conjunction with organizations in the critical infrastructure industry, NIST CSF promised to make securing complex, OT-rich environments simpler.
However, it delivered so much more. It is now in use as a way to provide a common language for all security stakeholders, reaching beyond its intended OT environments (manufacturing, utilities, energy, transportation, healthcare, chemicals) and into other industries and even countries.
NIST’s New Pillar
Leaning into its new role, NIST recently made this cross-industry application official by formally expanding its scope from critical infrastructure to organizations of any type and size.
“The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere, from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical,” explained the framework’s lead developer, Cherilyn Pascoe.
NIST CSF 2.0, which is currently in public draft and accepting comments and feedback, also comes with an additional pillar, a significant alteration. What was previously a collection of five core functions has now become six, with the addition of “govern” to the original identify, protect, detect, respond, and recover core functions.
Why the change? Larry Whiteside Jr., CISO at RegScale and President of Cyversity noted that we increasingly find governance at the foundation of all aspects of cybersecurity. “An organization can set all the policies it wants,” he stated, “but without a mandate and focus on governing those policies and the actions performed to enable and perform the functions that support the policies, none of it matters."
Anticipating Integrity-Related Threats
As the ways to manipulate data become myriad, the focus a lot of companies are going to be putting on NIST compliance is its ability to help them defend against integrity-related threats. Organizations need to know that their systems, files, networks and people are what they say they are.
“Integrity is really at the heart of information security protections for any system,” states Ron Ross, Fellow for NIST, in the report. “Because if someone is able to indiscriminately change an application or a piece of data or the BIOS instructions or anything within the computing stack—whether the customer is aware or not aware of those changes—then that really attacks the basic underpinnings of an information system, along with everyone’s trust in it.”
Notes Amoroso, “Most security experts, including myself, are predicting that the shift towards integrity-oriented threats is coming like a tsunami, and most organizations are poorly set up to stop those types of things.” This is where uniform adherence to NIST CSF principles comes in and is a major reason so many organizations of all types have adopted it.
How it Works
The main value add of NIST CSF is that it teaches organizations to triage their critical systems based on the total negative impact on business and operations. In other words, it helps companies prioritize security and remediation based on where the biggest damage is likely to occur.
“There are things that are low impact, moderate impact and high impact,” notes Ross. “Once you figure out what’s most critical, then you can actually engineer and apply all of the security tools and security controls and best practices in a way that’s really focused on those most critical assets...Then everything else you can kind of let go and be less rigorous in that process.”
To aid in that process, the NIST CSF 2.0 walks organizations through a series of six actionable steps.
Six Pillars of NIST CSF
The main objective of the NIST CSF 2.0 is to help organizations prioritize areas of weakness, implement cybersecurity industry standards to shore them up, and communicate the whole process to technical and non-technical stakeholders alike, and it does so using six core functions:
- Govern | Establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy. This entails understanding what’s at stake, the organization’s risk tolerance, any supply chain risk management processes, the cybersecurity chain of command, and policies, processes, and procedures.
- Identify | Help to determine the current cybersecurity risk to the organization. Understand the resources that support critical functionality and their related cybersecurity risks. This allows companies to see risks in a business context and determine what is most important.
- Protect | Use safeguards to prevent or reduce cybersecurity risk. Implement the appropriate security safeguards that will contain or limit event impact. This is applied to the most critical resources first, as identified in step two.
- Detect | Find and analyze possible cybersecurity attacks and compromises. Discover known and unknown exploits in a timely manner, leveraging the appropriate tools for both. This can include vulnerability scanning, web application scanning, behavioral-based detection, monitoring, pretesting, and red teaming.
- Respond |Take action regarding a detected cybersecurity incident. Contain the threat incident by developing response plans. Response capabilities can be manual or automated and managed service-based to better respond at scale.
- Recover | Restore assets and operations that were impacted by a cybersecurity incident. Bring all systems back online and return the organizations to normal operations. This function ensures timely recovery from a cybersecurity incident to mitigate the overall impact.
Applying NIST CSF with Fortra
Fortra’s Tripwire solutions contain controls that provide support for all six functions of the Framework, including integrity controls specific to 13 of the Framework’s subcategories. From identifying critical-value areas to restoring systems in a timely fashion, Fortra solutions provide functionality to aid with every step in the NIST CSF.
To learn more, discover how Fortra can help your organization begin Closing the Gap with NIST’s Cybersecurity Framework today.
