I think the primary reason for the excitement about the NIST Cybersecurity Framework is that it is security guidance based directly on known risks and attacks. The NIST Cybersecurity Framework does not introduce new concepts, technologies or standards.
Instead, it codifies existing best practices across many industries, not just for the government and military, based on input from over 3,000 security professionals. It is solid, broadly inclusive, realistic and grounded security guidance assembled by a well-respected government agency.
What is the NIST Cybersecurity Framework?
The NIST (National Institute of Standards and Technology) Cybersecurity Framework is a set of standards and best business practices for the development, implementation, and management of security.
The NIST Cybersecurity Framework was drafted in direct response to President Barack Obama’s Executive Order 13636. It provides guidance and instruction to private and public organizations on how to implement more reliable security against known attacks and exploits. The framework is derived from risk-based evaluations of current industry cybersecurity practices, provides recommendations on improving existing security, and establishes a communication platform for the exchange of security information.
Framework adoption rates
Research performed by Tenable Network Security shows that while adoption is not as widespread as hoped, 29 percent of surveyed organizations have integrated the NIST Cybersecurity Framework (CSF) into their security infrastructure. The adoption rate is expected to reach 43 percent by the end of 2016. With less than two years since the formal publication of the CSF, this is an amazing adoption rate.
Keep in mind that many organizations adopted a security framework years earlier or crafted their own proprietary framework. Shifting to a new framework is costly both monetarily and in terms of man-hours, so organizations need to perceive a significant benefit before switching from what they are already using to the CSF.
The survey also revealed that 84 percent of surveyed organizations already use a security framework, and at least 44 percent use more than one framework or components from multiple frameworks. Thus it is clear that the concept of security guidance is widely recognized as essential to a successful security strategy, and a growing number of entities are adopting the CSF to achieve that goal. A few examples of major organizations that have adopted the CSF include Intel, Chevron, Walgreens, Pepco, Apple, QVC, and Bank of America.
Benefits of framework adoption
Adopting the CSF has some key benefits that organizations are eager to realize. First, the CSF provides well-researched industry best business practices on how to defend against and respond to a wide range of known attacks, compromises and exploits.
Using this framework brings the direct benefit of fewer compromises, less downtime, and improved reliability and availability of resources. Second, the CSF can be adopted in stages and adjusted to the organization’s goals. While adopting the entirety of the CSF all at once can be daunting and expensive, it can be rolled out in manageable and affordable stages. Other benefits include:
- Risk-based security infrastructure.
- More effective collaboration and communications regarding security both internally and externally.
- Assistance with regulatory compliance.
- Improved compliance and due care in relation to future legal rulings.
There is also some discussion of future adoption incentives, such as cyber insurance, government grants, streamlined regulatory compliance, and government-funded technical assistance. While none of these are established currently, the CSF does include directives for the U.S. Department of Homeland Security to craft adoption incentives.
Need for revision and management by the private sector
The CSF is not perfect. Fortunately, there is an inherent revision process. Since the initial release in 2014, efforts have already been made to gather more data and input on how the CSF is in use across various industries and what changes or improvements are needed. NIST has stated that the level of change being considered for the first update to the CSF is more in line with a 1.1 level of fine tuning than a drastic evolution to a new 2.0 version.
Some groups have indicated that the CSF is lacking in various areas, such as supply chain risk management, and that its reference section to related resources needs to be significantly expanded. Others even suggest that a generic framework is unworkable because of the significant differences between industries, such as communications, finance, and energy, and that separate industry-specific versions are needed.
It has also been debated whether the framework is best handled by a government agency. This is based on the concern that government often moves too slowly in comparison to the rapid changes of technology and exploitation. Potentially, an international non-profit could be a better steward of the framework. However, this could also have its own negative effects, as some organizations have chosen to use the CSF precisely because it originated with NIST and because of its association with easing regulatory compliance.
The NIST Cybersecurity Framework is a solid set of security guidelines that every organization should consider as a means to improve its security infrastructure. It will likely improve further with the proposed revisions. It can always be adopted piecemeal and integrated alongside other frameworks. The CSF adoption rate is growing, and the framework is respected by most organizations that see the need for a framework to guide security improvement.