What to Know About NIST Compliance

The NIST Cybersecurity Framework is a collection of guidelines for reducing cybersecurity risks, which is published by the U.S. National Institute of Standards and Technology.

For businesses that have to be compliant, the best way to do so is the use of a proven technology stack of hardware and software tools. Before an organization can get to that point, though, they need to understand the Framework, why it’s used, and how to generally be compliant.

Below is an explanation of NIST compliance and its implications.

The Basics

NIST compliance broadly refers to complying with one, or more than one, of the NIST publications. NIST is the National Institute of Standards and Technology, a division of the Department of Commerce. The goal of the NIST is to set technology-related standards and, in particular, controls for cybersecurity.

The standards are meant as a way to ensure uniform cybersecurity protocols and efforts across all government agencies and also businesses that work with the federal government.

What’s meant by compliance differs based on the particular NIST publication.

Any company that works with the federal supply chain must be NIST compliant. This includes prime contractors, subcontractors, and subcontractors who are working for another subcontractor.

Some companies opt to comply with the standards even when they’re outside the federal supply chain because it puts in place best practices for protecting their business data.

When an organization is NIST compliant, they have a framework to protect data and information, keeping it secure and safe while also protecting critical infrastructure from internal and external threats. The guidelines apply to all data from businesses that provide services to the federal government.

If an organization works with the federal government and they’re not compliant, it could lose its ability to do business with these agencies.

When compliant with NIST, an organization is also better able to be compliant with other regulations in their industry or governmental regulations.

Small Business NIST Compliance

Although it’s often associated exclusively with federal agencies and manufacturers, small and medium-sized businesses also benefit from NIST compliance.

According to the NIST Small Business Cybersecurity Act, the NIST is required to publish resources that can help small businesses voluntarily identify, assess and manage their cybersecurity risks.

The resources have to be technology-neutral and as much as possible based on international standards. They also have to be able to vary depending on the size and industry of the small business and how sensitive collected data is. They should be consistent with national cybersecurity programs under the Cybersecurity Enhancement Act of 2014.

Due to this Act, NIST created the Small Business Cybersecurity Corner with resources, including a guide to the fundamentals based on the Cybersecurity Framework.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework or CSF is a risk management framework that’s the most widely adopted of the NIST publications. The Framework was initially made for U.S. critical infrastructure sectors, but now organizations often rely on it to reduce cybersecurity risks broadly.

The CSF doesn’t recommend standards or concepts, nor does it recommend technologies. Rather, it collects the best practices related to cybersecurity from standards bodies, including not only the NIST but also the International Standards Organization (ISO).

Five key areas are used to evaluate cybersecurity controls according to the Framework.

These are identified, protect, detect, respond to, and recover.

These areas are meant to be inclusive of the entire lifecycle of cybersecurity risk. Every area has categories that associate with particular activities and needs, and the categories are broken into subcategories as well as standards, guidelines, and the practices needed to achieve category-specific outcomes.

Gartner reports as many as 50% of American companies and organizations use the NIST cybersecurity framework, and it’s also growing in popularity outside the U.S.

More details about the Framework are detailed below.

Identify

The goal of this function is to help organizations develop an understanding that allows them to appropriately assess their risks to assets, data, capabilities, and systems.

This includes:

• Asset management encompasses everything that allows an organization to achieve its business purposes.
• Business environment including stakeholders and activities. This is the information that an organization uses to inform its cybersecurity roles and responsibilities as well as decisions related to risk management.
• Governance includes the processes and procedures that are used for the management and monitoring of the regulatory, legal, and operational environments.
• Risk assessment ensures an organization understands the risk that it faces in terms of organizational operations and assets as well as individuals.
• Risk management strategies encompass priorities, assumptions, and constraints that are used in support of risk-related decisions.
• Supply chain risk management includes all the decision-making associated with the management of risk related to the supply chain.

Protect

The Framework includes the development and implementation of particular safeguards to make sure that there’s a delivery of critical services.

This includes:

• Access control, making sure access to assets is available only to authorized devices, processes, and users.
• Awareness and training are how not only employees and staff are trained, but also partners. Everyone involved needs cybersecurity awareness training, and they need to receive specific training that allows them to carry out their duties and responsibilities that comply with cybersecurity policies.
• Data security includes how information and data are maintained.
• Information protection processes and procedures include how security policies, processes, and procedures are maintained.
• Maintenance is what’s required to make sure that everything is performed consistently.
• Protective technology is the solution that is used to make sure there’s compliance.

Detect

According to the NIST Framework, organizations need to develop and accordingly implement activities to identify a potential cybersecurity event. This can include detecting anomalous activity in a timely manner and security continuous monitoring.

Finally, other elements of the Framework are Response, meaning the development and implementation of the needed activities to take action following the detection of an event and Recover. Recover is the development and implementation of activities to stay resilient and restore capabilities and continuity after a cybersecurity event.

Susan

Susan is an avid writer, traveler, and overall enthusiast.

Follow us :