The NIST Cybersecurity Framework (NIST CSF) is the “Swiss Army Knife” of cybersecurity. Just as the venerable pocketknife has a plethora of tools to handle almost any survival task, the NIST CSF is an affordable and flexible framework designed to address all areas of cybersecurity for organizations of any size and industry.
What is NIST?
The National Institute of Standards and Technology (NIST) is an agency within the U.S. Department of Commerce. Although it publishes guidance and standards that are referenced in laws and regulations, NIST has no regulatory authority of its own. Nonetheless, its documents are referenced by technology professionals all over the world.
NIST CSF at Work
The comprehensive framework helps MSPs determine the current cybersecurity state of each client, set the end goal for securing that client, identify what needs to be done to get there, track progress, and communicate status to stakeholders.
As such, the NIST CSF serves as a “gold standard” methodology that MSPs can follow to be sure they are delivering world-class security to their clients.
The framework boasts five core functions:
- Identify: What data do you have and where is it located? What devices do you own? How does your data move?
- Protect: Safeguard IT infrastructure and data, including identity management and protective technology. This is where most MSPs and IT departments have always focused.
- Detect: Institute processes and solutions to spot potential problems, such as continuous monitoring for anomalies and events. This is the function that most often still needs to be implemented or improved.
- Respond: Develop policies and procedures on how to react during an incident, including mitigation, communication, and future improvements.
- Recover: Devise and implement plans to restore business activities and impacted systems after an incident.
As MSPs assess the cybersecurity posture of each client, they can also determine the appropriate level of preparedness based on the specific needs and budget of each client.
The framework has four tiers: Partial, Risk-informed, Repeatable, and Adaptive. Each tier defines a different level of security for the various categories of the client’s IT infrastructure. This gives the MSP some flexibility in working with its clients to establish their cybersecurity goals.
In general, MSPs should bring all of their clients up to the Repeatable or Adaptive tier to protect them from breaches and their expensive and damaging aftereffects.