On February 12, 2013, President Barack Obama issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," calling for the development of a voluntary, risk-based Cybersecurity Framework: a set of industry standards and best practices to help organizations manage cybersecurity risk.
As a result, the National Institute of Standards and Technology, in collaboration with the private sector, created the NIST Cybersecurity Framework (NIST CSF). It uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.
Every MSP should be familiar with the framework and understand how to apply it to each of their clients, regardless of size. But you don’t need to be a compliance expert if you have Compliance Manager.
The NIST Cybersecurity Framework is designed for individual businesses and other organizations to use in assessing the cybersecurity risks they face.
An organization typically starts by using the framework to develop a "Current Profile," which describes its existing cybersecurity activities and the outcomes it is achieving. It then develops a "Target Profile," or adopts a baseline profile tailored to its sector (e.g., critical infrastructure) or type of organization. The gap between the two profiles defines the steps needed to move from the current state to the target state, and lets the organization prioritize them by risk and cost.
The NIST Cybersecurity Framework organizes its "Core" into five "Functions," which are subdivided into a total of 23 "Categories." Each category is in turn divided into "Subcategories," each describing a specific cybersecurity outcome, with 108 subcategories in all. The subcategories themselves are outcomes, not controls; "Informative References" map each subcategory to the controls that achieve it in standards such as ISO/IEC 27001, COBIT, and NIST SP 800-53.
Here are the five functions, along with their unique identifiers and definitions as given in the framework:
Identify (ID): "Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities."
Protect (PR): "Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services."
Detect (DE): "Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event."
Respond (RS): "Develop and implement the appropriate activities to take action regarding a detected cybersecurity event."
Recover (RC): "Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event."