What is the NIST Cybersecurity Framework
The NIST Cybersecurity Framework is a voluntary tool, created in collaboration with the private sector. It is designed to help businesses and organizations mitigate the risk of cyber security breaches and to help them protect against threats such as malware infection and the loss or theft of data.
Its Core organizes cyber security activities into five functions: Identify, Protect, Detect, Respond and Recover. These functions are subdivided into 22 categories and 98 subcategories, and each subcategory is mapped to specific sections of existing standards, guidelines and practices (the informative references).
The NIST Cybersecurity Framework also sets out four implementation tiers (Partial, Risk Informed, Repeatable and Adaptive). These give organizations a context for describing their view of cybersecurity risk and the processes they already have in place. There is also the Framework Profile, which helps organizations align the Core’s activities with their own business priorities. They can create both a ‘Current Profile’ and a ‘Target Profile’ and then plan the steps needed to move from one to the other.
What was added in Version 1.1?
In April 2018, Version 1.1 of the NIST Cybersecurity Framework was released. The updated framework broadened its scope to cover operational technology and cyber-physical systems. Version 1.1 also encompasses the Internet of Things (IoT), which will include many devices with only minimal IT hardware and software. The IoT is set to become a major factor in the future of business, and many supply chain operations are becoming automated. It is vital that every link in this chain is secured, because cybercriminals will actively hunt for the Achilles heel that could bring down a company, and the interconnected nature of smart supply chains makes them particularly vulnerable.
Supply chain risk management is therefore another feature of the updated framework. There is also new material on cyber-security measurement and self-assessment, and additional resources on the cyber-attack lifecycle, governance and small business awareness have been added.
Latest Password Guidance from the NIST
With more than 80% of breaches making use of stolen or cracked passwords, NIST regularly provides guidance on creating passwords. Applicable across all industries, its current three-point advice is as follows:
- Don’t rely on passwords alone for protecting valuable accounts. Make use of multi-factor authentication too.
- Use password phrases that are hard to guess but easy to remember. The specific guidance is to use multi-word phrases that form a mental picture.
- Pay special attention to your most important accounts by giving each a unique password phrase.
Positive Signs for a More Inclusive Framework
Although the NIST Framework is a positive move in the right direction, it has been criticized as inaccessible for small businesses. This is because many of the resources linked to the subcategories are only available through a paid subscription to the relevant standards body.
In response, politicians have presented two bills – the MAIN STREET Cybersecurity Act of 2017 and the NIST Small Business Cybersecurity Act of 2017 – to ensure small businesses can access the information they need to stay safe.
The Trump administration has also shown that they recognize the importance of securing businesses. The DHS is getting involved in securing the business supply chain. The President has also directed that all federal agencies must use the NIST framework although there is still some flexibility when it comes to non-federal corporations and organizations.
The attendance of IT giants such as Microsoft and Google at the NIST conference indicates that there is more acceptance of the need for a collaborative approach to cybersecurity.
How will this impact businesses? Well, don’t be surprised to see compulsory NIST compliance sooner rather than later. If you don’t have an in-house IT support/cyber security team or sufficient IT consulting processes in place, now could be the time to start bringing in these resources and embracing the NIST Framework.