NIST Cybersecurity Framework

by Yee Wei Law - Wednesday, 8 March 2023, 10:52 AM

The National Institute of Standards and Technology (NIST) has an essential role in identifying and developing cybersecurity risk frameworks for voluntary use by owners and operators of critical infrastructure (see Definition 1) [NIS18, Executive Summary].

Definition 1: Critical infrastructure [NIS18, Sec. 1.0]

Systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

One such framework is the Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework for short), for which NIST maintains an official website.

At the time of writing (March 2023), the latest version of the NIST Cybersecurity Framework is 1.1 [NIS18].

The Cybersecurity Framework provides a common language for understanding, managing and expressing cybersecurity risks to internal and external stakeholders [NIS18, Sec. 2.0].

The Cybersecurity Framework has three parts: 1️⃣ Framework Core, 2️⃣ Implementation Tiers, and 3️⃣ Framework Profiles.

Framework Core

This is a set of cybersecurity activities, desired outcomes and applicable references (industry standards, guidelines and practices) that are common across critical infrastructure sectors [NIS18, Sec. 1.1].

The Framework Core consists of five concurrent and continuous Functions that provide a high-level strategic view of the lifecycle of an organisation’s management of cybersecurity risks:

  1. Identify: Develop an organisational understanding to manage cybersecurity risks to systems, people, assets, data and capabilities [NIS18, p. 7].

    Applicable activities include [MMQT21]:

    • identifying critical enterprise processes and assets;
    • documenting information flows (how information is collected, stored, updated and used);
    • maintaining hardware and software inventories;
    • establishing cybersecurity policies that specify roles, responsibilities and procedures, integrated with enterprise risk considerations;
    • identifying and assessing vulnerabilities and threats;
    • identifying, prioritising, executing and tracking risk responses.
  2. Protect: Develop and implement appropriate safeguards to ensure delivery of critical services [NIS18, p. 7].

    Applicable activities include [MMQT21]:

    • managing access to assets and information;
    • safeguarding sensitive data, including applying authenticated encryption and deleting data that are no longer needed;
    • making regular backups and storing backups offline;
    • deploying firewalls and other security products, with configuration management, to protect devices;
    • keeping device firmware and software updated, while regularly scanning for vulnerabilities;
    • training and regularly retraining users to maintain cybersecurity hygiene.
  3. Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event [NIS18, p. 7].

    Applicable activities include [MMQT21]:

    • developing, testing and updating processes and procedures for detecting unauthorised entities and actions in the cyber and physical environments;
    • maintaining logs and monitoring them for anomalies, including unexpected changes to systems or accounts, illegitimate communication channels and data flows.
  4. Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident [NIS18, p. 8].

    Applicable activities include [MMQT21]:

    • making, testing and updating response plans, including legal reporting requirements, so that all personnel are aware of their responsibilities;
    • coordinating response plans and updates with all key internal and external stakeholders.
  5. Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired by a cybersecurity incident [NIS18, p. 8].

    Applicable activities include [MMQT21]:

    • making, testing and updating recovery plans;
    • coordinating recovery plans and updates with all key internal and external stakeholders, paying attention to what, how and when information is shared;
    • managing public relations and company reputation.

Each Function is divided into Categories, each Category is divided into Subcategories, and each Subcategory is accompanied by Informative References [NIS18, Sec. 2.1].

  • A Category is a group of cybersecurity outcomes closely tied to programmatic needs and particular activities.
  • A Subcategory is a specific outcome of technical and/or management activities that supports achievement of the outcomes of its Category.
  • An Informative Reference is a specific section of a standard, guideline or practice common among critical infrastructure sectors that illustrates a method for achieving the outcomes of a Subcategory.

Fig. 1 shows the Categories under each Function, the Subcategories under the Category “Business Environment”, and the Informative References for each of those Subcategories.

Fig. 1: Functions, Categories, sample Subcategories and sample Informative References. Details about these Informative References can be found in [NIS18, p. 44].

Implementation Tiers

The four tiers in Table 1 provide context on how an organisation views cybersecurity risks and the processes in place to manage those risks [NIS18, p. 8].

Table 1: Implementation tiers [NIS18, pp. 9-11]. Each tier is characterised along three dimensions: risk management process, integrated risk management program, and external participation.

Tier 1, Partial
  • Risk management process: Not formalised; ad hoc and reactive.
  • Integrated risk management program: Limited cybersecurity awareness. Risk management is irregular and case-by-case.
  • External participation: The organisation does not engage with other entities, and lacks awareness of cyber supply chain risks.

Tier 2, Risk-informed
  • Risk management process: Formalised but not organisation-wide. Prioritisation of cybersecurity objectives and activities is directly informed by organisational risks, business requirements or the threat environment.
  • Integrated risk management program: Cybersecurity awareness exists at the organisational level, but risk management is not organisation-wide. Risk assessment of assets is irregular.
  • External participation: The organisation receives information from other entities and generates some of its own, but may not share information with others. It is aware of cyber supply chain risks, but does not respond to them formally.

Tier 3, Repeatable
  • Risk management process: Formalised and regularly updated, based on the application of risk management processes to changes in business requirements and the threat landscape.
  • Integrated risk management program: Risk management is organisation-wide. The organisation accurately and consistently monitors the cybersecurity risks of its assets, responds effectively and consistently to changes in risk, and considers cybersecurity through all lines of operation.
  • External participation: The organisation receives information from other entities and shares its own information with others. It is aware of cyber supply chain risks and usually responds to them formally.

Tier 4, Adaptive
  • Risk management process: Formalised and adaptable to experience and forecasts; continuously improved by leveraging advanced cybersecurity technologies and practices, to respond to evolving, sophisticated threats in a timely and effective manner.
  • Integrated risk management program: Risk management is organisation-wide and integral to organisational culture, supported by continuous awareness of activities on systems and networks. Decision making is grounded in a clear understanding of the relationship between cybersecurity risks and financial risks / organisational objectives.
  • External participation: The organisation receives, generates and reviews prioritised information to inform continuous risk assessment, and uses real-time information to respond formally and consistently to cyber supply chain risks.

Implementation tiers do not represent maturity levels; they are meant to support organisational decision making about how to manage cybersecurity risks, and about which parts of the organisation are higher priority and could receive additional resources. Progression to a higher tier is encouraged only when a cost-benefit analysis indicates a feasible and cost-effective reduction of cybersecurity risk [NIS18, Sec. 2.2].

Framework Profiles

A Framework Profile (“Profile”) is a representation of the outcomes that a particular system or organisation has selected from the Framework Categories and Subcategories [NIS18, Appendix B].

A Profile specifies the alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of an organisation [NIS18, Sec. 2.3].

A Profile enables an organisation to establish a roadmap for reducing cybersecurity risks that 1️⃣ is well aligned with organisational and sector goals, 2️⃣ considers legal/regulatory requirements and industry best practices, and 3️⃣ reflects risk management priorities [NIS18, Sec. 2.3].

For example,

  • The NIST Interagency Report 8401 [LSB22] specifies a Profile for securing satellite ground segments.
  • A Profile for securing hybrid satellite networks is currently under development [MMBM22].
  • More examples of Profiles are listed on NIST's official Cybersecurity Framework website.

A more detailed explanation of the Cybersecurity Framework was presented at RSA Conference 2018 (video).

References

[LSB22] S. Lightman, T. Suloway, and J. Brule, Satellite ground segment: Applying the cybersecurity framework to satellite command and control, NIST IR 8401, December 2022. https://doi.org/10.6028/NIST.IR.8401.
[MMQT21] A. Mahn, J. Marron, S. Quinn, and D. Topper, Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide, NIST Special Publication 1271, August 2021. https://doi.org/10.6028/NIST.SP.1271.
[MMBM22] J. McCarthy, D. Mamula, J. Brule, and K. Meldorf, Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN): Final Annotated Outline, NIST Cybersecurity White Paper, NIST CSWP 27, November 2022. https://doi.org/10.6028/NIST.CSWP.27.
[NIS18] NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 2018. https://doi.org/10.6028/NIST.CSWP.04162018. Also available at https://www.nist.gov/cyberframework/framework.