On the 12th of February 2014, the United States of America’s National Institute for Science and Technology (NIST) announced a voluntary Cyber Security Framework which provides through-life management of an organization’s Cyber Security Programme based on existing standards, guidelines, and practices.
You may ask what relevance this has outside of the USA. Well, I imagine that if you want to do business in the USA, or your major customer does, you might need evidence of self-assessments and implementations of this framework. Don’t believe me? Check out this quote from the NIST roadmap:
“…Engaging foreign governments and entities directly to explain the Framework and seek alignment of approaches when possible; Coordinating with federal agency partners to ensure full awareness with their stakeholder community; Working with industry stakeholders to support their international engagement;”
Initially I thought this framework’s focus would be on reducing risks to national infrastructure, but at its heart it is designed to be used by any organization. That’s because small companies are generally understaffed, softer targets, and a weak link in the chain; hacking the right SMEs could cause a butterfly effect. An FBI awareness initiative in 2012 highlighted this weakness with the message that cyber security is everyone’s responsibility. (I love that phrase; I’m sure someone had Deming in mind.)
“Organizations can use the framework to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity.”
The framework claims to provide a common language for managing ‘cyber risk’ and to address business protection needs in a cost-effective way. The framework’s roadmap intends to extend guidance to supply chain risk management and privacy protection. This is a voluntary framework, but one would suspect that some government departments and sub-contractors may not necessarily have a choice. Non-regulation makes sense, especially for a new framework, and even more so in a chaotic technology environment. In future, requirements may emerge for companies to validate their Cyber Security Risk Management Process against the framework, either as part of a bidding process or as part of a sub-contractor/outsourcing evaluation process – which can’t be a bad thing, unless it is used as a sledgehammer or a blanket policy for non-critical services.
The framework can help organizations start managing cyber risks from scratch, or be used to identify gaps in current processes and thinking in order to drive outcome-focused activities.
It has three main components.
- The Framework Core – provides a set of activities to achieve specific cyber security outcomes, and references examples of guidance for achieving those outcomes. The core organizes the activities into five functions that together cover the lifecycle of a cyber risk: Identify, Protect, Detect, Respond, and Recover.
- A Framework Profile – specific to an organization’s requirements, risk tolerance and resourcing constraints, it aligns elements of the Framework Core to achieve the desired outcomes. An organization may have multiple profiles depending on department, country, or ‘current’ and ‘future’ aspirations, each selecting different elements of the Framework Core.
- Four Implementation Tiers – from Partial to Adaptive. Each Tier represents an increasing degree of rigor and sophistication in risk management practices, but is not an indication of maturity, since the appropriate Tier depends on the threat environment of the organization. Having said that, Tier 2 looks like a bare minimum target for any technology company.
Where do I find out more?
Read the release announcement, NIST Releases Cybersecurity Framework Version 1.0.
Read the framework document v1.0 (41 pages).
I recommend reading the roadmap (9 pages) to get an overview of the framework’s maturity, scope and future.
Follow NIST on Twitter: @usnistgov.
Visit the framework web site.