The NIST Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the NIST Cybersecurity Framework (CSF), provides private sector organizations with a structure for assessing and improving their ability to prevent, detect and respond to cyber incidents. Version 1.1 was published by the US National Institute of Standards and Technology (NIST) in April 2018 and has seen fast adoption across various industries.

The Framework uses business drivers to guide cybersecurity activities and considers cybersecurity as part of an organization’s risk management processes. Many organizations are embracing this framework to help manage their cybersecurity risks. According to the 2019 SANS OT/ICS Cybersecurity Survey, the NIST CSF is the number one framework in use today. How does your organization plan to use or expand your compliance with the NIST CSF in 2020? Let’s dissect this popular framework and share how you can comply.

The 3 Parts of the Framework

Framework Core

The framework core is a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors. It consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond and Recover.

Implementation Tiers

Implementation tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework, over a range from Partial (Tier 1) to Adaptive (Tier 4).

Framework Profile

A framework profile represents the Core Functions’ Categories and Subcategories prioritized by an organization based on business needs and can be used to measure the organization’s progress toward the Target Profile.

The 5 Core Functions

When considered together, the 5 Core Functions provide a strategic view of the lifecycle of an organization’s cybersecurity risk management and should be treated as a key reference point. Here are the 5 Functions and how to comply with them:

Identify

Organizations must develop an understanding of their environment to manage cybersecurity risk to systems, assets, data and capabilities. To comply with this Function, it is essential to have full visibility into your digital and physical assets, their interconnections, and defined roles and responsibilities, as well as to understand your current risks and exposure and put policies and procedures into place to manage those risks.

Protect

Organizations must develop and implement the appropriate safeguards to limit or contain the impact of a potential cybersecurity event. To comply, your organization must control access to digital and physical assets, provide awareness education and training, put processes into place to secure data, maintain baselines of network configuration and operations to repair system components in a timely manner, and deploy protective technology to ensure cyber resilience.

Detect

Organizations must implement the appropriate measures to quickly identify cybersecurity events. The adoption of continuous monitoring solutions that detect anomalous activity and other threats to operational continuity is required to comply with this Function. Your organization must have visibility into its networks to anticipate a cyber incident and have all information at hand to respond to one. Continuous monitoring and threat hunting are very effective ways to analyze and prevent cyber incidents in ICS networks.

Respond

Should a cyber incident occur, organizations must have the ability to contain the impact. To comply, your organization must craft a response plan, define communication lines among the appropriate parties, collect and analyze information about the event, perform all required activities to eradicate the incident, and incorporate lessons learned into revised response strategies.

Recover

Organizations must develop and implement effective activities to restore any capabilities or services that were impaired due to a cybersecurity event. Your organization must have a recovery plan in place, be able to coordinate restoration activities with external parties, and incorporate lessons learned into your updated recovery strategy. Defining a prioritized list of action points that can be used to undertake recovery activity is critical for a timely recovery.