Leveraging the NIST Cybersecurity Framework to Improve Your Cybersecurity Risk Management

Make the seemingly complex seamlessly simple.

With its 102 example subcategories and lengthy descriptions, the NIST Cybersecurity Framework can at first appear to be an exercise in eye strain. Yet this powerful set of best practices is critical to implement, as the big question about cybersecurity shifts from whether your agency or organization could suffer a serious attack to when it will.

The best remedy for eye strain is to relax your eyes. Let’s start the relaxation process by looking at the Framework’s top level. There are five, and only five, main Framework functions: Identify, Protect, Detect, Respond, and Recover. Under each function lie three to six categories. Under Protect, for example, are Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology. Yes, there are plenty of subcategories under each category, but addressing each subcategory is going to be a task for a specific implementation team. Knowing the functions and categories is enough for IT leadership to begin work on the other components of the Framework involving profiles and readiness tiers.

In these activities as well, the overall complexity of the tasks at hand is less than it might seem at first read (and that’s almost it for the reading/eye chart metaphor!). Simply put: Where does your organization currently stand when it comes to the Framework categories and subcategories, and where do you want to stand? There are four readiness tiers:

  1. Partial
  2. Risk Informed
  3. Repeatable
  4. Adaptive

The closer you are to #4, the better your cybersecurity risk management. Your organization may already be at the Adaptive level in a number of areas, and while the overall quantity of effort required to start the profile may be substantial, that work is going to be split up among a number of different groups; your backup experts aren’t going to be analyzing your access control, your asset inventory staff won’t be taking a look at network security concerns, and so on.

So you gather current-state information in order to build a readiness profile. Then you determine what you want your target readiness state to be. Then you do gap analysis. Then you start working on closing the gaps.

Nothing mysterious to be seen here! No eye strain necessary!

If you’d like more demystification of the Framework, read our white paper, Know More: The NIST Cybersecurity Framework Decoded. It’s a solid, simple (yet handsome…) graphical overview of the Framework, and provides links to Quest, hardware, and services solutions that can help you improve your organization’s cybersecurity readiness.

For a more in depth look at the origins, development, and implementation of the Framework, take a look at the GovLoop Industry Perspective, Achieving Security with the NIST Cybersecurity Framework.

You can see better already, can’t you?

Join us on October 29th at 11:00 EST for a live webcast event and learn how the Framework is designed to scale from small to large organizations of any type, commercial as well as government, and to help you improve your cybersecurity in a phased approach based on priorities. You will hear directly from the program manager for the Framework at NIST, Matt Barrett.