The NIST Risk Management Framework: Key Things You Should Consider

Are you familiar with the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity”? It’s often referred to as the “NIST risk management framework.” The interesting thing about the NIST framework is that it doesn’t work like other regulations, which ask businesses to fulfill a number of specific requirements for the sake of security. Rather, it breaks down security into five large categories and encourages organizations to examine the subcategories beneath them.

One of the reasons you may want to adopt the NIST framework is because nearly all other regulations look to it as a model for implementing specific changes. For example, if NIST begins adding more requirements around third parties, it’s likely other standard bodies will follow suit. In this article, we’ll dive into what the NIST framework looks like, why you may want to adopt it, and some considerations to keep in mind if you do.


The NIST “framework core” is broken down into four important sections:

  • Functions
  • Categories
  • Subcategories
  • Informative References

Here’s a quick overview of these sections.

There are five functions of effective cybersecurity:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Below the functions come categories, which are subdivisions of each function. An example of a category might be “Governance.”

Subcategories further divide the categories into more technical controls, like “Organizational information security policies established.”

Informative references are specific standards or practices that organizations can put into place in order to improve their cybersecurity postures in those areas.

(To read more about these categories, check out section 2.1 of the NIST risk management framework PDF.)

In 2013, President Obama signed an executive order that required critical infrastructure operators to show they had adopted the NIST framework in one way or another—but it is an optional framework for all other industries. However, all industries are encouraged to put the guidelines into practice:

“The Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework provides organization and structure to today’s multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today. Moreover, because it references globally recognized standards for cybersecurity, the Framework can also be used by organizations located outside the United States and can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity.”

(Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)


1. NIST is a framework, not a regulation.

Regulators are charged with telling you precisely what to focus on—but that is not what the NIST framework is about. It is more of an organizational planning tool that helps you look in the right places than anything else. So while it provides a frame of reference for businesses that want to undertake and achieve the listed subcategories, it doesn’t say how you can actually get those things done. This isn’t necessarily a benefit or a downfall—just a fact.

2. NIST doesn’t take a one-size-fits-all approach.

Your organization has unique risks based on industry, size, data, and many other things—and that is something NIST takes into consideration. Thus, it’s important for all businesses to map their systems and workflows to address the key top-level functions. In other words, be sure that your organization is addressing relevant subcategories under each of the five functions, but not necessarily all of them.

3. To successfully leverage this framework, you need to have the necessary expertise and tools.

If you don’t have the budget or tools in place to execute at the subcategory level, or you don’t understand the technology those subcategories depend on, you need to go back to the basics with your cybersecurity and vendor risk management (VRM) plan. Operationalizing these suggestions is far more important than simply reading and understanding their importance.

4. The ambiguity of NIST can make it very hard for small and midsized businesses to adopt.

As you can tell from a quick scan of the PDF, the categories and subcategories of the NIST framework are very broad. For example, one of the subcategories is: “Threats, both internal and external, are identified and documented.” It’s easy to see how this could mean many different things to many different people. The “informative references” help clear up some confusion, but they don’t offer concrete technical requirements or specifications—only suggestions. This makes it harder for companies to understand what products they need to invest in to properly secure themselves, particularly if the company doesn’t have an information security team that can understand and analyze this material.


The NIST risk management framework is one of the most highly regarded in the industry. In fact, there seems to be a general consensus among many organizations that you should begin adopting the framework now—before it’s required by law—so you don’t have to do it later. We’re waiting to see if they will add more guidance in future iterations for small and mid-sized businesses that don’t have large security teams or IT backgrounds.

Jake Olcott serves on the Shared Assessments Advisory Board and is the Vice President of Business Development at BitSight Technologies. Olcott previously managed the cybersecurity consulting practice at Good Harbor Security Risk Management. Prior to Good Harbor, he served as legal advisor to the Senate Commerce Committee and also served as counsel to the House of Representatives Homeland Security Committee.