All About NIST


In today’s dangerous digital world, companies are looking to solidify their defenses against the various potential attacks, leaks, breaches and thefts lurking in the shadows. It’s a multi-front battleground with constantly shifting landscapes and a steady stream of improvements, best practices and proactive measures required to protect data and maintain operations in the face of so many possible threats.

In large and regulated industries, adhering to industry standards and working only with certified partners and solutions provides a level of comfort and consistency that enterprises crave. When it comes to cybersecurity, a single standard or certification hasn’t yet been commonly adopted across all organizations, but the NIST Cybersecurity Framework is rapidly becoming a go-to benchmark for IT professionals and a requirement for some organizations.

What is the NIST Cybersecurity Framework?

NIST is the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce (not the Department of Homeland Security, and not to be confused with NICCS, the DHS-run National Initiative for Cybersecurity Careers and Studies). Version 1.1 of its Cybersecurity Framework, published in April 2018, is a 55-page document that helps an organization determine its current cybersecurity state, define a target state, identify and prioritize the gaps between the two, track progress and communicate status to stakeholders.

The framework’s core has five functions, each broken down into categories and subcategories of outcomes, that are applied to the various aspects of an organization’s IT profile:

  • Identify – Developing an understanding of the systems, people, assets, data and capabilities that need protecting. This covers categories such as asset management, business environment, governance, risk assessment and risk management strategy.
  • Protect – Creating the safeguards that limit or contain the impact of an event, including identity management and access control, awareness and training, data security and protective technology.
  • Detect – Instituting processes and solutions to spot potential problems, such as continuous monitoring for anomalies and events and defined detection processes.
  • Respond – Developing policies and procedures for how to react when an event occurs, including analysis, mitigation, communication and improvements based on lessons learned.
  • Recover – Devising and implementing plans to restore impacted systems and business activities after an event, and communicating recovery status inside and outside the organization.

As organizations assess their cybersecurity preparedness, they can also decide what level of preparedness is appropriate for them. The framework defines four implementation tiers (Partial, Risk Informed, Repeatable and Adaptive) that describe how rigorous, repeatable and integrated an organization’s cybersecurity risk management practices are. The tiers are not maturity levels to be climbed for their own sake: an organization selects the tier that fits its risk appetite, regulatory obligations and budget. Together with profiles, which record which categories and subcategories matter for the organization in its current and target states, this allows for considerable flexibility in how thorough and comprehensive an organization’s cybersecurity goals may be.

What are its benefits?

The NIST Cybersecurity Framework isn’t particularly groundbreaking or revolutionary. Examining any of its particulars reveals many more common-sense recommendations and widely accepted best practices than startling revelations. Its primary advantages come from its comprehensive nature and its potential to serve as a Rosetta stone between various organizations.

There are multitudes of cybersecurity solutions, recommendations and best practices out there, but most of them are only addressing a segment of an organization’s overall cybersecurity profile. There are guides to prevent phishing and benchmarks for backup and disaster recovery, but they’re rarely all found under the same umbrella. The framework attempts to encompass as many defensive mechanisms and preventative measures as possible under the relatively independent auspices of the federal government.

And when companies or organizations look to work with each other but want assurance that their counterpart is following equally rigorous cybersecurity standards, there are few agreed-upon benchmarks to point to. If both parties are using the framework, they share a common language and set of expectations, which makes collaboration and trust far easier.

Who is using it?

Since Executive Order 13800 in May 2017, federal agencies have been required to use the framework to manage their cybersecurity risk and to integrate it into their overall risk management and compliance activities. Businesses that serve as contractors to some government agencies are also now being asked to align with the framework in order to maintain those relationships.

But the framework isn’t just for the government and subcontractors. Businesses of all sizes can utilize it to assess their cybersecurity and inform their prioritization of which improvements to make first.

What it means for MSPs

If MSPs have government contractors among their clientele, then alerting these clients to the need for using this framework and assisting them with this process is an immediate opportunity. It is another way MSPs can offer additional value to existing relationships.

But the NIST Cybersecurity Framework can also be a convenient tool for planning, executing and communicating the results of a full cybersecurity assessment. MSPs can follow the framework or incorporate it into their existing methods for identifying a customer’s strengths and weaknesses, as well as making and implementing plans to shore up their defenses.

In most cases, MSPs are far more knowledgeable and better equipped than their clients at applying the framework to an environment. More importantly, they can leverage the tools they already rely on, such as asset inventories, patch management, backup and monitoring, to complete many of the steps in the framework.

A NIST Cybersecurity Framework implementation isn’t cheap, either. Employing an MSP to lead the charge will minimize customer personnel time dedicated to this effort, and an MSP’s subject matter expertise and comprehensive toolset can help complete the effort faster and more efficiently.

And, of course, the framework represents another opportunity for MSPs to “eat their own dog food” by applying the framework to their own operation. Not only is it a good practice, but it might uncover areas for improvement that were otherwise overlooked.

Get schooled on NIST

For MSPs and their employees that want to fully explore the potential to make the NIST Cybersecurity Framework part of their portfolio, independent training providers offer online courses under names such as NIST Cybersecurity Framework Foundation Certification Training and NIST Cybersecurity Framework Practitioner Certification Training. Note that NIST itself does not run a certification program or endorse any particular course; its own framework documentation, FAQs and online learning resources are published free of charge.

The right tools for the job

Implementing the NIST Cybersecurity Framework isn’t a trivial task, but many of the same tools MSPs use to manage and secure their clients’ IT environments can be used to expedite the process. Check out our blog on the Top Tools for Following the NIST Framework and see what should be in your toolbox.
