The final publication date of the most significant update yet to NIST’s Cybersecurity Framework (NIST CSF 2.0) is on the horizon. Whether you are only hearing about the NIST CSF in light of the upcoming changes or you’re seeking more clarity on why the framework might be useful for your business, this article gives you a simple breakdown of exactly what the framework is.
The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) is a set of voluntary guidelines, best practices and standards designed to help organizations manage and reduce cybersecurity risks. The framework gives a structure to help align policy, business and technological approaches to address cyber risks.
NIST published the first version in February 2014 as a response to a presidential Executive Order by Barack Obama that called for developing a voluntary framework to help critical infrastructure organizations manage and reduce their cybersecurity risks. This need for a framework arose due to repeated cyber intrusions into critical infrastructure by state-sponsored and other sophisticated hackers.
Over time, it became clear that the framework’s focus on managing cyber risks in critical infrastructure was applicable to and useful for a far wider variety of organizations. The wide applicability was built into NIST CSF from the outset, focusing on adaptability and scalability.
Here’s a brief breakdown of the framework’s core:
These tiers help gauge where your company is on its approach to managing cybersecurity risk:
Profiles help organizations align their cybersecurity activities with their business requirements, risk tolerances and resources. They are essentially a snapshot of your current cybersecurity activities and a roadmap to a desired state.
Another helpful way to grasp the role of NIST CSF is to contrast it with another popular security framework, the MITRE ATT&CK Matrix. MITRE first released ATT&CK in 2015, not long after NIST CSF, initially to document and categorize the tactics and techniques observed in real-world cyberattacks. Here’s how these popular frameworks differ from and ultimately complement each other.
NIST CSF is a strategic, risk-based framework designed to help organizations manage their cybersecurity posture. The CSF provides a high-level, strategic view of an organization’s approach to cybersecurity that focuses on understanding, managing and reducing risk. On the other hand, MITRE ATT&CK is a tactical, knowledge-based framework that focuses on understanding and defending against specific cyber threats.
MITRE ATT&CK is designed as a matrix of tactics (columns) and techniques (rows) used by threat actors. The tactics include Initial Access, Persistence and Privilege Escalation. Several techniques are listed under each tactic, and clicking the link for a given technique brings you to a page with more detail on that technique, including detection guidance and mitigations.
NIST CSF is structured around a core of cybersecurity functions, each representing a specific aspect of managing and mitigating cybersecurity risk. Functions include Identify, Protect and Detect. Each function breaks down into categories and subcategories, which state the more specific outcomes and objectives that together achieve the function’s high-level aim.
In terms of approaches, NIST CSF emphasizes identifying and understanding the range of risks organizations face, and then managing these risks with a set of practices that align with the organization’s objectives. This risk-based approach is all about mitigating risks to an acceptable level rather than eliminating all possible threats.
MITRE ATT&CK instead focuses on what adversaries do, which can help companies develop more effective defense and detection strategies. The adversary-based approach provides a granular view of potential attack methods that can help inform both reactive and proactive defenses.
NIST CSF helps align cybersecurity practices with business requirements, risk tolerances and resources. Its intended audience extends beyond the IT security department to include executives and managers who need to understand and manage cybersecurity risk in alignment with organizational goals and business practices.
The MITRE ATT&CK Matrix helps organizations understand the specific methods used by attackers and develop effective detection and defense strategies. Security analysts, red teams and researchers can gain a detailed, tactical understanding of threats from ATT&CK, but a non-technical audience may have little use for the framework.
The two frameworks are complementary; there is not necessarily an either-or choice here. The NIST CSF helps shape and guide your organization’s overall cybersecurity strategy, while the MITRE ATT&CK framework assists in understanding and defending against specific types of threats and attack methods. If you need a general cybersecurity framework, it is worth starting with CSF and then incorporating ATT&CK for a deeper understanding of threats.
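To make the "complementary" point concrete, here is an added example (not code from Nuspire, NIST or MITRE) that models the two views side by side: a CSF profile as current-versus-target tiers per subcategory, and an ATT&CK-style matrix of tactics and techniques checked against the detection rules you actually have enabled. The subcategory ids (ID.AM-1, PR.AC-1, DE.CM-1, RS.AN-1) and technique ids (T1566, T1190, T1078, T1053, T1547, T1068) are real identifiers, but the profile values, the tiny slice of the matrix and the rule set are all constructed for illustration; the `next_steps` logic that joins the two is an assumption about how one might use them together, not a prescribed method.

```python
"""Toy gap analysis joining a NIST CSF profile with ATT&CK detection coverage."""
from dataclasses import dataclass

# The four CSF implementation tiers, numbered 1-4 as in the framework itself.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    """One CSF subcategory in a profile: where we are and where we want to be."""
    id: str        # subcategory id, e.g. "DE.CM-1"
    function: str  # the CSF function it belongs to
    current: int   # current tier, 1-4
    target: int    # target tier, 1-4


# Constructed sample profile using a handful of real CSF 1.1 subcategory ids.
PROFILE = [
    Outcome("ID.AM-1", "Identify", 2, 3),  # physical devices inventoried
    Outcome("PR.AC-1", "Protect", 3, 3),   # identities and credentials managed
    Outcome("DE.CM-1", "Detect", 1, 3),    # network monitored for events
    Outcome("RS.AN-1", "Respond", 2, 4),   # detection notifications investigated
]

# Constructed, abbreviated ATT&CK-style matrix: tactic -> technique ids.
# As in the real matrix, one technique (T1078, T1053) can sit under several tactics.
MATRIX = {
    "Initial Access": {"T1566", "T1190", "T1078"},
    "Persistence": {"T1053", "T1547", "T1078"},
    "Privilege Escalation": {"T1068", "T1053", "T1078"},
}

# Constructed detection rules, tagged (Sigma-style) with the techniques they cover.
RULES = [
    {"name": "phishing attachment opened", "techniques": {"T1566"}, "enabled": True},
    {"name": "new scheduled task created", "techniques": {"T1053"}, "enabled": True},
    {"name": "login from unusual location", "techniques": {"T1078"}, "enabled": False},
    {"name": "web shell written to webroot", "techniques": {"T1190"}, "enabled": True},
]


def profile_gaps(profile):
    """CSF view: subcategories below target, largest shortfall first (ties by id)."""
    for o in profile:
        if o.current not in TIERS or o.target not in TIERS:
            raise ValueError(f"{o.id}: tiers must be 1-4")
    gaps = [o for o in profile if o.current < o.target]
    return sorted(gaps, key=lambda o: (-(o.target - o.current), o.id))


def covered_techniques(rules):
    """Techniques covered by at least one *enabled* rule; disabled rules do not count."""
    covered = set()
    for rule in rules:
        if rule["enabled"]:
            covered |= rule["techniques"]
    return covered


def tactic_coverage(matrix, rules):
    """ATT&CK view: per tactic, (fraction of techniques covered, uncovered technique ids)."""
    covered = covered_techniques(rules)
    result = {}
    for tactic, techniques in matrix.items():
        missing = sorted(techniques - covered)
        result[tactic] = (1 - len(missing) / len(techniques), missing)
    return result


def next_steps(profile, matrix, rules, min_coverage=0.5):
    """Join the two views: CSF says *which function* is below target; where that
    function is Detect, ATT&CK says *which tactics* lack detections."""
    steps = [f"raise {o.id} from {TIERS[o.current]} to {TIERS[o.target]}"
             for o in profile_gaps(profile)]
    if any(o.function == "Detect" and o.current < o.target for o in profile):
        for tactic, (fraction, missing) in tactic_coverage(matrix, rules).items():
            if fraction < min_coverage:
                steps.append(f"Detect: {tactic} coverage {fraction:.0%}, "
                             f"no enabled rule for {', '.join(missing)}")
    return steps


if __name__ == "__main__":
    for step in next_steps(PROFILE, MATRIX, RULES):
        print(step)
```

Note that the disabled rule for T1078 counts for nothing: coverage is measured by what is actually running, which is the check that separates a detection inventory from a detection capability. The output lists the CSF subcategories to raise and, because Detect is below target, the tactics whose coverage falls under the threshold together with the technique ids nobody is watching for.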
Frameworks like NIST CSF are helpful for giving your cybersecurity program a basic structure. But even after adopting CSF, there inevitably comes a point where you need to know what to do next: where your gaps are, and how to spend limited security resources on them effectively.
Nuspire’s security posture assessment helps you gauge how mature your security controls are based on industry-specific threats. You’ll also get a gap analysis and recommendations on remediation.