Translating the NIST Cybersecurity Framework into Practice
If you are an IT professional, you undoubtedly have heard of the NIST Cybersecurity Framework. And if you are an IT professional in the federal government, you have probably been in meetings with upper management discussing what the NIST Cybersecurity Framework guidance means for your agency.
The problem that most technical folks have with documents like this is that their high-level management speak offers no clear way to translate their guidance into practice. This blog is going to provide that translation with a “cheat sheet” that maps the Cybersecurity Framework Functions to solutions and actual products that will enhance the cybersecurity posture of your organization or agency (see Cybersecurity Enhancement Act of 2014 [Public Law 113-274]).
First a bit of background. It all started with an Executive Order (EO). In 2013, the White House came out with Presidential EO 13636, Improving Critical Infrastructure Cybersecurity, which outlines the responsibilities for Federal Departments and Agencies to bolster cybersecurity defenses. In response to this order, in February 2014, the National Institute of Standards and Technology (NIST) issued the Cybersecurity Framework. The NIST Cybersecurity Framework is voluntary guidance. The idea behind the framework is to help federal organizations better understand, manage, and reduce cybersecurity risks.
The graphic below presents the NIST Cybersecurity Framework in a nutshell. If you’re an IT professional, you should probably memorize it.
It all starts with:
- Identifying assets and their associated risks – hence IDENTIFY.
- Then, once we know what assets we’ve got, we have to implement defenses – hence PROTECT.
- So we’ve got our walls and moat, but we should still have some watchmen seeing if anyone is trying to swim the moat or, maybe, attempting to get a Trojan Horse through the city gate – we need to DETECT.
- Once we’ve detected something suspicious (such as an Advanced Persistent Threat [APT]), we need to RESPOND to what we detected.
- Finally, if there was any damage done, we need to rebuild and RECOVER, and revisit step 1 above to see what it is we are actually protecting.
That’s the essence of the NIST Cybersecurity Framework. Of course, each function can be further subdivided into different areas of business, and protective controls can be assigned to each. For example, the IDENTIFY (ID) function is subdivided by NIST into:
- Asset Management
- Business Environment
- Risk Assessment
- Risk Management Strategy
An organization can dig down and create a set of categories as granular as it wants. However, as an IT professional, you would need a technical control to address the security of each category. In other words, you may need a firewall box to PROTECT, an IDS appliance to DETECT and a continuity of operations (COOP) site to RECOVER. The cheat sheet shows the product/app/solution/box/appliance you need to provide security for each of the NIST Framework functions and associated categories (see Figure 1 below).
We at SwishData understand the NIST Cybersecurity Framework and developed a comprehensive solution offering to help your agency be protected. For each solution in the far right column of Figure 1, SwishData works with the best-of-breed vendor for that particular category. We pride ourselves on taking the time to research all products in our cyber portfolio and work only with vendors who are security industry leaders and visionaries. When you hire SwishData to architect your agency’s cybersecurity defenses, you will be working with the world’s best security companies on your side!
Figure 1: Federal IT managers can use this SwishData “cheat sheet” to identify the appropriate cyber solutions for each of the major functions in the NIST Cybersecurity Framework.