Quick summary of the standard
NIST CSF is short for “National Institute of Standards and Technology Cybersecurity Framework”. On February 12, 2013, President Obama’s administration released Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”, which initiated the NIST CSF development process. Within a year, NIST released the first CSF (version 1.0). The NIST CSF has since been updated to version 1.1, released in April 2018. Despite the federal government’s support for the NIST CSF, use of the framework is voluntary.
The CSF was designed to provide a risk-based approach to cybersecurity, and it is composed of three parts: the Framework Core, Framework Implementation Tiers, and Framework Profiles. Use of the CSF as a risk management mechanism can be complicated by the subjective nature of the implementation methodology. The most referenced (and used) part of the NIST CSF is the Framework Core and its associated “Informative References”. Informative References are information security standards from which controls can be, or have been, derived. The Framework Core is further divided into Functions, Categories, and Subcategories.
- IDENTIFY (ID) Function contains six (6) Categories and 29 Subcategories
- PROTECT (PR) Function contains six (6) Categories and 39 Subcategories
- DETECT (DE) Function contains three (3) Categories and 18 Subcategories
- RESPOND (RS) Function contains five (5) Categories and 16 Subcategories
- RECOVER (RC) Function contains three (3) Categories and six (6) Subcategories
Today, the NIST CSF is the most referenced framework in the information security industry. If used properly, the NIST CSF can be a very effective reference for building a comprehensive information security program.
Description of the report contents (what it is and what it isn’t)
The NIST CSF Report is simple and easy to understand. The report is high-level enough to be used with executive management and detailed enough to assign specific tasks. The report quantitatively scores (using the S2Score) the organization’s information security program against the NIST CSF. Each Function, Category, and Subcategory is scored for a useful and quick representation of the current state of the information security program. The state of each Subcategory is justified by one or more S2Org controls for ease of use.
Who can use it
The NIST CSF Report is one of SecurityStudio’s most popular specialty reports, commonly used by executive management, IT management, information security management, and interested external entities (regulators, auditors, and/or customers). The report suits a wide range of audiences. Executives appreciate how easy the report is to understand and how quickly they can get a grasp on “current state”. Tactical personnel appreciate that the report is fully auditable, allowing more granular direction and scrutiny.
How to use the NIST CSF Specialty Report
SecurityStudio customers have used the NIST CSF Report for justifying the strength of their information security program to external entities. In many cases, simply sharing the report has been sufficient.
For internal use, the report is helpful for information security task and project prioritization. Better information and prioritization lead to justified and objective information security budgeting.
In most internal use cases, the process is very simple:
- Complete the S2Org information security risk assessment for the organization.
- Download the NIST CSF Report and review. The report is automatically created with the completion of S2Org.
- Note which Functions, Categories, and/or Subcategories scored poorly (or worse than expected).
- Use SecurityStudio’s S2 platform to build the organization’s information security road map, using the information noted above.
- Execute on the road map, noting progress in the S2 platform as you go. The NIST CSF Report will be automatically updated as you make changes.
We strive to take the confusion and complexity out of information security wherever we can, without taking shortcuts. We developed this report, and all reports, from customer feedback. As you familiarize yourself with the report, tell us more about how we can make your information security life simpler!