The National Institute of Standards and Technology, or NIST, is an organization in the U.S. Department of Commerce that deals with many aspects of technology—from communications systems, to quantum science, to health & bioscience. However, one of the things that NIST is best known for is its publications and standards regarding cybersecurity (such as the NIST cybersecurity framework and NIST 800-171).
Maintaining compliance with the NIST cybersecurity framework is a major goal for many organizations because it helps to protect them against cyber threats. What is NIST compliance and how can you achieve it? Here is a quick guide to NIST standards that should help your organization achieve compliance.
What is NIST Compliance for Their Cybersecurity Framework?
As stated on the NIST website, the NIST cybersecurity framework is a voluntary solution that “consists of standards, guidelines, and best practices to manage cybersecurity-related risk.” The NIST cybersecurity framework’s core consists of five different framework functions:
- Identify. “Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.” In other words, this is about learning your organization’s cybersecurity risks so you can identify ways to increase security.
- Protect. “Develop and implement appropriate safeguards to ensure delivery of critical services.” Based on the data gathered for the Identify portion of the framework, you should adopt or create cybersecurity measures that help you ensure business continuity in the face of an attack.
- Detect. “Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.” Your organization should have detection measures in place that allow it to detect a cybersecurity event either as it happens or shortly after it has started.
- Respond. “Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.” Basically, this function consists of creating an incident response plan (IRP) and assigning roles and responsibilities for employees throughout the organization in case of a cybersecurity breach.
- Recover. “Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.” This can be interpreted almost as an extension of the Respond function, but it requires the organization to go a step further to ensure recovery from different types of security incidents. This may mean implementing a disaster recovery (DR) solution such as remote backups of mission-critical data or even queuing up additional computing resources to take over in case of a shutdown.
These core functions can then be broken down into categories and subcategories.
At the time of this writing, the latest version of the framework is Version 1.1, which was published in April 2018. Compliance with NIST standards can be graded on a range of tiers going from “Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.”
For example, if an organization has a Tier 1 “partial” level of NIST compliance, then it most likely does not have any sort of incident response plan (IRP) in place to handle a security breach, nor the tools necessary to detect it in a timely fashion. So, when hit with a cyberattack, this organization will have to take a manually-directed response and may struggle to recover from the breach.
How Can I Achieve and Maintain Tier 4 NIST Compliance with Their Cybersecurity Framework?
Ideally, the goal of following the NIST cybersecurity framework is to achieve Tier 4 compliance that provides the most robust level of protection against cyber threats. However, achieving this level of NIST compliance is often easier said than done.
The trick to achieving and then maintaining Tier 4 “Adaptive” NIST compliance with their cybersecurity framework is to work at it constantly—analyzing your current cybersecurity architecture, measures, policies, and procedures on a regular basis and making adjustments based on the threats you’ve faced and the weaknesses you’ve identified.
Some examples of ways you can work to meet the “Adaptive Tier” of compliance with the NIST cybersecurity framework include:
- Running Penetration Tests. Stress testing your cybersecurity measures and business software for potential vulnerabilities can help uncover weaknesses before they’re exploited.
- Studying Threat Intelligence Feeds. Threat intelligence feeds help cybersecurity professionals remain aware of new and emergent cyber threats so they can start implementing countermeasures. Studying these feeds can help your organization prepare for upcoming threats.
- Periodically Reevaluating Cybersecurity Measures and Policies. Leveraging the information from pen tests, threat intelligence feeds, and past attacks, the organization should review its current cybersecurity measures and determine if they are sufficient for mitigating cybersecurity risks. Budget for cybersecurity measures and activities should be based on an objective assessment of the organization’s overall level of risk based on what it needs to protect and the threats it can reasonably expect to face.
- Creating a Formal Cybersecurity Education Program. A key aspect of achieving adaptive-tier NIST certification is having a thorough understanding of roles, dependencies, and risks throughout the organization. Establishing a security education, training, and awareness program (SETA) that makes cybersecurity part of the onboarding process as well as the ongoing education of employees helps improve employee knowledge and the organization’s ability to effectively respond to cybersecurity incidents.
- Employing Security Information and Event Management (SIEM) Solutions. SIEM systems can provide a wealth of real-time information about cybersecurity events on the network—as well as forensic data after the fact. This helps keep the organization aware of developments in its network security. Intrusion detection and intrusion prevention systems (IDS and IPS) can also help organizations stay abreast of attacks and, in the case of an IPS, partially automate the incident response.
It also helps to create a “target profile” of the cybersecurity state your organization is attempting to achieve, though NIST standards outlined in their cybersecurity framework document do “not prescribe Profile templates, allowing for flexibility in implementation.”
Need help meeting NIST cybersecurity framework compliance standards on your macOS devices? Reach out to Kandji to learn more.