This post is an excerpt from GovLoop’s recent industry perspective, Achieving Security with the NIST Cybersecurity Framework. The brief details the development of the Framework, and offers tips for effective implementation.
There are many benefits to the NIST Cybersecurity Framework. Because it is neutral, broadly applicable, vetted by industry, and engaging to stakeholders, the Framework can reduce the time and expense of starting an information security program, and it can also reduce risk within existing programs by identifying areas for improvement.
Neutral and Broadly Applicable
“The thing that we like about the NIST Framework is that it is neutral,” said Christman. “It’s neutral to mission of organization, to industry, and to data type.”
Although it can be used with specific data types or objectives in mind, the Framework is a much broader approach to security. Therefore, its benefits can be realized by a variety of organizations, such as hospitals, civilian federal agencies, educational institutions, defense agencies, commercial enterprises, and more.
“The other thing that we like about the Framework is that it’s neutral to threat factor,” Christman continued. “It could be a trusted insider threat, an advanced persistent threat from a nation state, or a malicious hacker. The threat factor is really not the issue. Regardless of mission, industry, data type, or threat factor, your organization can improve its security posture.”
Vetted by Industry
The Framework is also beneficial because it meets industry-vetted criteria. According to the Information Technology Industry Council (ITI), a high-tech trade association based in Washington, D.C., an effective cybersecurity effort should:
- Leverage public-private partnerships and build upon existing initiatives and resource commitments
- Reflect the borderless, interconnected, and global nature of today’s cyber environment
- Be able to adapt rapidly to emerging threats, technologies, and business models
- Be based on effective risk management
- Focus on raising public awareness
- Focus on bad actors and their threats
“The Framework is the right approach because it hits almost all of those guiding truisms,” said Danielle Kriz, Director of Global Cybersecurity Policy at ITI. “It’s globally workable and it leverages already existing standards and best practices that were developed by industry.”
Engaging to Stakeholders
The NIST Framework helps organizations communicate their cybersecurity requirements to stakeholders, including partners and suppliers. It is a good way to start a discussion with technical and non-technical stakeholders about improving the organization's security posture.
“The beauty of the Framework is we can drill down into the finite details. But at a very high level, I could explain what it means to a business person in a line of an agency or an educational institution, and help them understand what needs to happen because it can be explained in plain English,” Christman said. “We can use this Framework to connect the stakeholders – the people with access to money, people, and resources – and connect the technical, policy, and governance issues.”