The NIST Cybersecurity Framework
In 2014, the U.S. Commerce Department’s National Institute of Standards and Technology (NIST) published the NIST Cybersecurity Framework, one of the most important pieces of cybersecurity guidance to date and a common denominator that businesses across all industries can use to assess risk and improve the security and resilience of critical infrastructure. The Framework gives both private and public sector organizations a set of voluntary industry standards and best practices for managing cybersecurity risk. In less than three years, over 30% of U.S. organizations have adopted the Framework or some portion of it, and that figure is expected to reach 50% by 2020.
Earlier this month, I had the opportunity to discuss the Framework and best practices for implementing it at the Billington Cybersecurity Summit in Washington, DC, alongside an impressive group of fellow industry leaders:
- Jeff Snyder, Vice President, Cyber Programs, Raytheon Corporation
- Rear Admiral (Ret.) Michael Brown, Vice President and General Manager, Global Public Sector, RSA
- Donna Dodson, Chief Cybersecurity Advisor, NIST and Director, NCCOE, NIST
- Ryan Gillis, Vice President, Cybersecurity Strategy and Global Policy, Palo Alto Networks
- Terry Rice, Vice President, CISO Information Technology, Merck
Improving cybersecurity for the nation
The NIST Framework came in response to Executive Order 13636 (February 2013), in which President Barack Obama called for a framework to improve the cybersecurity of the nation’s critical infrastructure. What began as public policy has broadened into a general business tool that any organization can not only use but also realistically understand. The Framework’s adoption has been so successful for four reasons:
- It’s flexible. The Framework is not a ‘one-size-fits-all’ model. Organizations can tailor it to their unique needs, plug it into their existing cybersecurity policies and supplement it with sector-specific guidance, such as the Health Care Sector Cybersecurity Framework Implementation Guide.
- It provides a common language. Finally, there is a way for everyone in an organization, from the server room to the boardroom, to communicate risk in terms all can understand. This in turn lets buyers and suppliers describe their current and target cybersecurity posture to one another (the Framework’s Current and Target Profiles) in the same vocabulary.
- It helps organizations prioritize their investments in cybersecurity. By identifying which systems and activities are mission-critical, the Framework helps an organization see where its biggest risks lie and direct security spending accordingly, getting the most from every dollar spent.
- It’s realistic. It acknowledges that breaches will occur: of the Framework’s five core Functions (Identify, Protect, Detect, Respond, Recover), three are devoted to detecting, responding to and recovering from incidents as quickly as possible.
This month, NIST also released a companion to the Framework, the Baldrige Cybersecurity Excellence Builder (BCEB), a self-assessment tool that organizations can use to measure the effectiveness of their cybersecurity efforts. It’s important to note that adopting the Framework or the BCEB does not by itself make an organization compliant with federal, state, or industry regulations. Both are voluntary guidelines that organizations can adopt and customize to their unique needs.
NIST has used its convening power to bring industry and government together and develop a voluntary, flexible, risk-based approach to cybersecurity. To make the Framework even more useful, those of us in the business and security communities must share our lessons learned with each other and with the government. If your organization isn’t already putting the Framework to use, be the change that helps 30% become 50%.
About the Author: Ralph Kahn is Vice President of Federal for Tanium, where he is delivering on the U.S. Government’s need for real-time situational awareness at scale. Ralph has more than 25 years of experience in the technology industry. Previously, Ralph served as Vice President for Intel and emerging technologies at McAfee, where he led an advanced technology group chartered with forward-looking cyber research. Under his direction, this group discovered several new threat vectors and developed an information sharing and cyber system interaction model that is used at the core of McAfee products and is being extended to other cyber security products.