In February 2019 the National Institute of Standards and Technology (NIST) marked the fifth anniversary of its Cybersecurity Framework (CSF). NIST issued the first version in February 2014 following a series of five workshops held in 2013, with contributions from a wide range of industry, academia, and government stakeholders. Since then the Framework has been updated and supplemented, adding value to it as a tool for improving security in the critical infrastructure. NIST released a comprehensive update (Version 1.1) in April 2018 that added a section on self-assessment, an expanded description of its use in managing supply chain risk, and a new sub-category related to the vulnerability disclosure life cycle.
NIST has continued to enhance the value of the Framework by defining and developing supporting and interpretive information such as industry profiles. The institute has also provided a means for standards developers and other stakeholders to identify additional informative references for those applying the Framework.
ARC Advisory Group strongly encourages anyone responsible for defining, implementing or operating a program to address cybersecurity risk to learn more about the NIST Framework.
Introducing the NIST Cybersecurity Framework
In February 2013, the President of the United States issued Executive Order 13636 (Improving Critical Infrastructure Cybersecurity). This directed the National Institute of Standards and Technology (NIST) to develop a voluntary framework for reducing cyber risks to critical infrastructure. This imperative was reinforced by the Cybersecurity Enhancement Act of 2014.
In response to this directive, NIST created the Cybersecurity Framework consisting of standards, guidelines, and practices to promote the protection of critical infrastructure and help asset owners and operators of critical infrastructure manage cybersecurity-related risk.
The purpose of the Framework is to help organizations manage their cybersecurity risks, identify appropriate responses, and prioritize investments in this area. It also provides a common context for communication and collaboration on cybersecurity-related matters.
Although developed with a specific focus on the critical infrastructure (as defined by Presidential Policy Directive 21), the Framework is also suitable for use in many other industries. NIST encourages any organization or sector to review and consider the Framework as a helpful tool in managing cybersecurity risks.
The Framework consists of three primary components: the core, the implementation tiers, and profiles. The core contains most of the guidance information. It describes cybersecurity activities and desired outcomes that are common across critical infrastructure sectors, organized under five essential functions: identify, protect, detect, respond, and recover. These functions are concurrent and continuous activities, not sequential stages.
Each function is broken down into categories and sub-categories, each sub-category stating a specific outcome. The core also includes informative references to specific sections of standards, guidelines, and practices that describe how each outcome can be achieved.
The second Framework component, the profile, describes desired outcomes based on business need, risk tolerance, and available resources. A profile represents the alignment of the chosen standards, guidelines, and practices with the Framework outcomes for a particular scenario. Organizations typically build a current profile and a target profile; the gap between them drives the prioritized action plan.
The four implementation tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework. They range from partial (tier 1) through risk informed (tier 2) and repeatable (tier 3) to adaptive (tier 4), representing a progression from informal, reactive responses to agile approaches that adapt to changing risk. Tiers are not maturity levels, and a higher tier is not necessarily the right target for every organization.
In the five years since its initial release the NIST Framework has become a widely referenced and recommended source of guidance on how to mount an effective response to cybersecurity risk.
Some misconceptions and mischaracterizations remain. For example, there are still references to the Framework as a “standard,” although this is neither its purpose nor its intent. Standards generally define requirements that must be met to achieve conformance or compliance. They may be developed by an industry body (e.g., NERC) or by a standards development organization (e.g., IEC, ISA). The Framework provides a useful context for applying standards and guidelines, allowing those using them to determine which function or outcome specific requirements best support.
It is also common to hear statements about companies or organizations being “in compliance” with the Framework. Since the Framework does not specify or prescribe requirements, this is not possible; defining requirements is the purpose of standards. An organization can state which tier it has reached or which target profile it has met, but not that it “complies” with the Framework.
There is also some confusion about the intended audience or scope of application for the Framework. Although initially developed with the critical infrastructure sectors in mind, the structure and approach described in the Framework are suitable for application in virtually any industry.
Sharing of Experiences
To promote adoption and information sharing NIST has begun to assemble a catalog of “success stories” that describe approaches, results, lessons learned, and next steps. NIST has also developed guidance on how to submit such stories for inclusion on the Framework web site. As this catalog continues to expand it will become a useful source of information for organizations planning their implementation of the Framework.
The Framework does not prescribe the specific requirements that must be met for each outcome. These are to be drawn from the standards and guidelines most appropriate for the situation. For example, certain standards (e.g., NERC CIP) are mandatory for a given sector. Other, more general, industry standards such as the ISO/IEC 27000 series and ISA/IEC 62443 are applicable across a broad range of sectors. Standards and guidelines continue to emerge, and existing standards are always evolving, so it is not possible to assemble a complete list.
The Framework core includes a representative list of informative references mapped to each category and sub-category. NIST recognizes that the content of this list will change over time as standards are created or updated.
Although the Framework is certainly broadly useful in its current form, it continues to evolve with improvements to the key elements and the introduction of new supporting tools. In April 2019, NIST updated the detailed Roadmap that outlines the areas of future investigation and development. It also conducted a webinar to review the progress since the launch of the Framework and future plans. A recording of this webinar is available on the NIST web site.
Section 4 of the roadmap describes several new focus areas for collaboration. These include alignment across federal agencies, international considerations, and small business awareness and resources. Although the first of these may appear to be of interest only to the government it also has implications for the private sector as it includes the identification of areas of alignment between the Framework and existing standards.
Although the Framework was developed by the US government, modern infrastructure is not confined to national boundaries and risks posed in one region or country can have implications in others. Cybersecurity requires a truly international response, and US legislation has confirmed NIST’s role in “…driving global alignment in consultation with international organizations, as well as governments of other nations.” This complements the role of international standards development organizations in creating standards and practices in this area. Several of the topics identified for future work in the roadmap correspond directly to current activities of ISA, IEC, and ISO committees.
ARC Advisory Group clients can view the complete report at ARC Client Portal
Keywords: Critical Infrastructure, Cybersecurity, NIST, Framework, Profiles, Roadmap, ARC Advisory Group.