History of NIST
Before the National Institute of Standards and Technology (NIST) was formed in 1901, the United States had at least 8 different gallons and 4 different feet in use — who really even knew what time it was — all depended on whose clock you were using and if it was calibrated and tested correctly. Originally named the Bureau of Standards, NIST was created as a way to provide and ensure a consistent standard of weights and measures — and to serve as the standards laboratory for the country. It created standards for science including electricity, length, mass, temperature, chemical composition, and even time.
Over the next 40 years, the bureau’s scope expanded, getting it involved in radio technology and wartime weapon systems. The work done was integral to providing safety standards in a variety of industries. By the 1950s, the bureau had pioneered electric computing and built the first-generation SEAC, followed by the SWAC and DYSEAC. NIST began working extensively on cybersecurity in the 1970s.
As NIST's work has progressed, more and more of its focus has shifted to technology programs. One of these programs is the NIST Cybersecurity Framework (NIST CSF), a set of industry standards, guidelines and best practices for managing cybersecurity-related risk. More specifically, it is a catalog of cybersecurity outcomes that provides a consistent, systematic approach to managing cyber risk and is intended to be customized for different sectors.
What is included in the Cybersecurity Framework?
The bureau’s cybersecurity initiative was originally chartered in 2013 through an Executive Order, and version 1.0 of the framework was released in February 2014. This original framework was the result of an extensive, year-long process involving more than 1,000 private and government entities. An update was recently published on April 16, 2018, and the framework now provides a more complete assessment of identity management and additional information on managing cybersecurity through the supply chain.
The framework consists of three basic components.
1. Framework Core
The framework core is a catalog of various cybersecurity actions and outcomes. It is divided into five risk management functions, and is intended to provide a high-level view of an organization’s cybersecurity situation. The catalog uses relatively simple language and concepts, so that an entity’s cybersecurity strategy can be communicated effectively across the organization.
Identify: Developing a complete understanding of cyber environments, specifically systems, assets, data and capabilities. Organizations should have visibility into all assets and recognize their specific roles and responsibilities.
Protect: Implementing the appropriate safeguards to limit the damage of potential cybersecurity events. This involves controlling access to assets, providing training and education to employees, and deploying protective technology.
Detect: Applying suitable measures to quickly identify cybersecurity events. Organizations should have continuous monitoring solutions to detect threats.
Respond: Containing the impact of a cybersecurity event, should one occur. Response plans should be developed and include communication procedures as well as ways to collect and analyze information about the event. Recovery plans should be in place along with a prioritized list of actions to take for a timely recovery following an event.
Recover: Developing and implementing activities to restore capabilities that may have been limited due to a cybersecurity event.
These five functions are divided into 22 categories and a total of 98 subcategories. Each of the 98 subcategories maps to a list of external reference materials. As an example, Asset Management is a category under the Identify function. One of its six subcategories is “Organizational communication and data flows are mapped,” for which three external informative references are listed. Similarly, the Detect function contains a category called Detection Process, which has five subcategories.
2. Framework Profiles
Framework profiles represent the customization and prioritization of activities and outcomes found in the core for different industries and organizations, based on individual business needs. They are an organization’s alignment of business objectives, risk tolerance and resources. They are meant to be used to identify areas to improve cybersecurity preparedness, and can help organizations create gap analyses and roadmaps for success. To create a profile, businesses can review all of the core’s categories and subcategories, and determine which are the most important to them. Organizations are also encouraged to create profiles representing their current state as well as target profiles representing where they’d like to be.
3. Implementation Tiers
Implementation tiers are a system that helps organizations describe the extent to which they measure up to the characteristics defined in the framework: risk and threat aware, repeatable and adaptable. The measurement is accomplished using four tiers: Partial (tier 1), Risk Informed (tier 2), Repeatable (tier 3) and Adaptive (tier 4). These tiers represent an increasing degree of precision and discipline around an organization’s cybersecurity, and the degree to which it gives and receives information externally. Organizations are encouraged to determine the tier at which they currently are, and an appropriate desired tier based on business goals, acceptable risk levels and viability of implementation.
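The profile and tier concepts above are easiest to see in code. The following is an added example, not code from the original article and not a NIST tool: it models the core hierarchy (function, category, subcategory with informative references), expresses a current profile and a target profile as a tier (1 to 4) per subcategory, and produces a gap analysis ordered by the size of the gap. The subcategory identifiers, outcome statements other than the one quoted in the article, reference names and tier values are constructed sample data, not a real assessment.

```python
"""Added example: a minimal model of the Cybersecurity Framework core plus a
current-vs-target profile gap analysis using the four implementation tiers.
All identifiers, references and tier values below are constructed sample data."""

from dataclasses import dataclass, field

# The four implementation tiers named in the framework.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Subcategory:
    ident: str                 # constructed identifier, e.g. "DE.DP-X1"
    outcome: str               # outcome statement
    references: tuple = ()     # informative references (constructed placeholders)


@dataclass
class Core:
    # function name -> category name -> list of subcategories
    functions: dict = field(default_factory=dict)

    def add(self, function, category, sub):
        self.functions.setdefault(function, {}).setdefault(category, []).append(sub)

    def subcategories(self):
        for function, cats in self.functions.items():
            for category, subs in cats.items():
                for sub in subs:
                    yield function, category, sub


def validate_profile(core, profile):
    """A profile must assign a valid tier to exactly the subcategories in the core."""
    known = {s.ident for _, _, s in core.subcategories()}
    unknown = set(profile) - known
    missing = known - set(profile)
    bad = {k for k, v in profile.items() if v not in TIERS}
    if unknown or missing or bad:
        raise ValueError(
            f"unknown={sorted(unknown)} missing={sorted(missing)} bad_tier={sorted(bad)}"
        )


def gap_analysis(core, current, target):
    """Return the subcategories whose current tier is below the target tier,
    largest gap first, with ties broken by identifier."""
    validate_profile(core, current)
    validate_profile(core, target)
    gaps = []
    for function, category, sub in core.subcategories():
        cur, tgt = current[sub.ident], target[sub.ident]
        if cur < tgt:
            gaps.append({
                "function": function, "category": category, "id": sub.ident,
                "outcome": sub.outcome, "references": sub.references,
                "current": TIERS[cur], "target": TIERS[tgt], "gap": tgt - cur,
            })
    gaps.sort(key=lambda g: (-g["gap"], g["id"]))
    return gaps


def build_sample_core():
    """Constructed core: one outcome quoted in the article plus placeholders."""
    core = Core()
    core.add("Identify", "Asset Management", Subcategory(
        "ID.AM-3", "Organizational communication and data flows are mapped",
        ("REF-A", "REF-B", "REF-C")))          # three constructed references
    core.add("Identify", "Asset Management", Subcategory(
        "ID.AM-X", "Placeholder asset management outcome (constructed)"))
    core.add("Detect", "Detection Process", Subcategory(
        "DE.DP-X1", "Placeholder detection process outcome 1 (constructed)"))
    core.add("Detect", "Detection Process", Subcategory(
        "DE.DP-X2", "Placeholder detection process outcome 2 (constructed)"))
    return core


def sample_profiles():
    """Constructed current and target profiles (tier per subcategory)."""
    current = {"ID.AM-3": 1, "ID.AM-X": 3, "DE.DP-X1": 2, "DE.DP-X2": 2}
    target = {"ID.AM-3": 3, "ID.AM-X": 3, "DE.DP-X1": 4, "DE.DP-X2": 2}
    return current, target


if __name__ == "__main__":
    core = build_sample_core()
    cur, tgt = sample_profiles()
    for g in gap_analysis(core, cur, tgt):
        print(f"{g['id']:<9} {g['function']}/{g['category']}: "
              f"{g['current']} -> {g['target']} (gap {g['gap']})")
```

Validation is deliberately strict: a profile that omits a subcategory or assigns a tier outside 1 to 4 is rejected rather than silently treated as a gap of zero, since an unassessed subcategory is the kind of blind spot a gap analysis exists to surface. Sorting by gap size gives a first cut at the prioritized action list the article describes; a real roadmap would also weigh business impact and cost.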
NIST offers an extensive library of information and tool kits available for companies interested in adoption.