In 2014 the National Institute of Standards and Technology (NIST) released its Framework for Improving Critical Infrastructure Cybersecurity. The document outlines how organizations can include cybersecurity in their risk management processes and offers best practices for approaching cybersecurity effectively.
To delve deeper into what the NIST framework means for your agency’s cybersecurity practices, GovLoop’s recent Government Innovators Virtual Tech Day brought together Ken Durbin, Continuous Monitoring Practice Manager, Symantec; Henry J. Sienkiewicz, Former Senior Executive Service, Defense Information Systems Agency; Dave Otto, Branch Chief, Cybersecurity Performance Management, Department of Homeland Security, Federal Network Resilience; and Hannah Moss, Sr. Editor and Project Manager at GovLoop in the online training, “How NIST’s Cyber Framework is Changing the Cybersecurity Game.”
Here are the top 3 things you need to know about the framework:
It is gaining traction. Since the framework’s inception, agencies have struggled with how to implement it. Otto explained, “if you look historically at the first couple of years of implementation we saw that no one knew quite what to do with the framework but within the last year I’ve seen a huge improvement in agencies figuring out how to utilize the framework in a useful way.”
Awareness about the framework has been key for agencies to have a better understanding of how to implement it effectively. “Under the NIST framework, cybersecurity is shifting from a paper model to an operational compliance mindset,” Sienkiewicz emphasized. Through the framework, all aspects of government and industry can begin to be aligned in the same direction and bring a situational awareness to cybersecurity across sectors.
It is unifying cybersecurity. The biggest issue that cyber professionals face is training the massive cybersecurity workforce, and, looking forward, government organizations have to confront ways to build a strong cybersecurity workforce. Sienkiewicz stressed that the NIST framework fosters meaningful discussion on training and workforce resolutions, describing the framework as “the perfect lexicon to train employees and unify cybersecurity.”
Additionally, Moss highlighted that cyber experts and frontline employees are increasingly looking for a holistic approach to cybersecurity. “NIST is useful because it ties every aspect of cybersecurity together by offering technology and training solutions rather than just one-off points,” she said. While independent solutions like two-factor authentication, training, and insider threat detection software are valuable on their own, using the NIST framework to tie everything together allows agencies to most effectively foster cybersecurity best practices.
It is not a cure-all solution. While the NIST framework solves many of the government’s cybersecurity problems, there are still a lot of issues in the cyber sphere. Durbin explained that Symantec’s recent Internet Security Threat Report found that half of all cyberattacks are perpetrated against small businesses. He suggested that there may be some complacency in small businesses’ cyber practice because many have the mindset of ‘this won’t happen to me.’ However, Durbin warned that this mindset is detrimental and that everyone, no matter how big or small the organization is, must be aware of cybersecurity best practices. Additional pain points that the experts discussed include ransomware and phishing attacks, insider threats, and nefarious third-party websites.
The best way to overcome persistent cybersecurity challenges is to follow the NIST framework in a way that works for your agency. Durbin emphasized, “the framework is perfectly suited to tackle cybersecurity issues because it encompasses broad categories, making it easy to have meaningful conversations on each problem.” Continuing to foster these conversations across government and the private sector will promote sustainable solutions to cybersecurity for years to come.
This blog post is coverage from Government Innovators Virtual Tech Day.