NIST Cybersecurity Framework Overview

Very often managed services providers (MSPs) are responsible for helping to develop information security standards for their customers, as well as setting up their own processes. A comprehensive strategy is crucial for effectively defending against cyber threats. But how can MSPs and other IT professionals be sure that they have covered all the bases?

Information security frameworks were developed to address this very issue. Rather than relying on each organization to create its own protocols and risk something falling through the cracks, a cybersecurity framework provides a uniform standard to ensure a base level of security. There are a variety of standards in place, each targeted at a different industry. Among the most popular are the ISO 27000 Series, NIST^® SP 800-53, Payment Card Industry Data Security Standard (PCI DSS), Health Information Trust Alliance (HITRUST) CSF, and Control Objectives for Information and Related Technologies (COBIT).

In this article, we’ll focus on one of the newest standards, the NIST Cybersecurity Framework, and discuss how it can provide an IT security roadmap for MSPs.

What is the NIST Security Model?

The NIST Cybersecurity Framework is an exhaustive set of guidelines for how organizations can prevent, detect, and respond to cyberattacks. Officially known as the Framework for Improving Critical Infrastructure Cybersecurity, it was developed by the federal government to serve as a standard for private sector companies.

The NIST framework was written by the U.S. Commerce Department’s National Institute of Standards and Technology. The original version (1.0) was released in February of 2014, followed by the release of the updated current version (1.1) in April of 2018. The NIST CSF was originally aimed at industries essential to economic and national security such as banking, defense, commerce, and communications. However, a wide variety of organizations in all industries have since voluntarily adopted it. The standard has also proved useful for federal, state, and local governments, and has even been utilized by foreign governments in Japan and Israel.

Version 1.1 of the NIST framework for cybersecurity is available to the public as a 55-page document on the NIST website. Businesses can use the report to assess the risks they face and see what practical steps are necessary to move to a higher level of security. Rather than starting from scratch, an organization can use these best practices as a framework to secure their computer systems.

The NIST CSF is divided into three components: Framework Core, Framework Implementation Tiers, and Framework Profile. The Framework Core presents industry standards and practices in a way that helps guide organizations in managing cybersecurity risks. The Framework Implementation Tiers define levels of Framework Core compliance, helping organizations communicate and consider what level of rigor is best for their cybersecurity program. Finally, Framework Profiles represent and identify an organization’s unique priorities against the desired cybersecurity outcomes of the Framework Core.

What are the Five Elements of the NIST Cybersecurity Framework?

NIST cybersecurity categorizes security principles into five key functions, known as the Framework Core Functions. These five elements represent a strategic overview of an organization’s cybersecurity risk management program, with each category representing a key chronological step in enhancing an organization’s security.

The five steps for MSPs to follow when implementing the NIST Cybersecurity Framework for their customers are:

1. Identify: To begin managing an organization’s cybersecurity risk to systems, assets, data, and capabilities, an MSP must develop an understanding and visibility into the organizational environment. Identifying current risks and exposure, existing digital and physical assets, and organizational roles and responsibilities are all crucial elements of this step. To define these elements, this function is further divided into six categories: asset management [], business environment, governance, risk assessment, risk management strategy, and supply chain risk management.

2. Protect: MSPs must develop and implement the necessary safeguards to prevent or reduce the effects of a potential cyberattack. To do so, MSPs and their customers should require controlled access to assets, put policies in place to authenticate identities and keep data secure, and educate users about cybersecurity awareness. Categories within this function include: identity management, authentication and access control, awareness and training, data security, information protection and procedures, maintenance, and protective technology.

3. Detect: MSPs and their customers should have the appropriate measures in place to be able to quickly identify cyberattacks and other events. This step likely consists of monitoring solutions and threat hunting to detect any unusual activity. Categories that provide visibility into networks include: anomalies and events, security continuous monitoring, and detection process.

4. Respond: In the case of a cyberattack or breach, organizations need a clear plan of action to limit the impact of such an event. This step is further separated into five categories to be considered after a cybersecurity event: response planning, communications, analysis, mitigation, and improvements.

5. Recover: Finally, MSPs and their customers need a plan to get systems back in order after a cybersecurity event. The appropriate activities and the plan to restore impaired services should be implemented long before any such event, including: recovery planning, improvements, and communications.

The NIST Cybersecurity Framework is a comprehensive model, detailed out in five essential functions to safeguard  IT environments. Organizations should look to these Core Functions to evaluate their cybersecurity program from top to bottom, guiding them from identification through recovery.

How Many Controls are there in the NIST Cybersecurity Framework?

Beyond the above five Core Functions and their listed categories, CSF NIST goes even further to divide each of these categories into subcategories of cybersecurity outcomes and security controls. There are a total of 108 security controls that provide specific security action items for organizations. Each subcategory also provides resources referencing elements of other frameworks such as ISO 27001, COBIT, ISA 62443, and NIST SP 800-53 for further guidance.

For example, to comply with the first function, Identify, a business should complete an inventory of all its hardware, software, and data, including desktops, laptops, servers, smartphones, tablets, and point-of-sale devices. Then it should write a company cybersecurity policy covering roles and responsibilities for employees and contractors with access to sensitive data. SolarWinds^® Risk Intelligence is designed for compliance with the Identify function. Scanning for unsecured data across a network, it provides a financial estimate of an organization’s potential liability in the event of a data breach, showing where security fixes are most urgently needed.

The second function, Protect, entails steps to guard against an attack and minimize the damage if and when one occurs. This includes installing antivirus software, firewalls, secure passwords, multi-factor authentication, performing regular backups, encrypting private data, automating software updates, implementing secure hardware disposal procedures, and cybersecurity training. SolarWinds Passportal can be an invaluable tool for protecting your clients’ networks. Passportal is an encrypted password manager that makes password security simple, even allowing regular password updates to be automated for ease of use.

Next comes Detect. To comply with this function, organizations must continuously monitor their systems for unauthorized users, software installations, and devices like plug-in USB drives. Any unusual connections to the network should be investigated immediately. SolarWinds Threat Monitor provides unparalleled network and host intrusion detection systems, log correlation and analysis, streamlined security monitoring, and a customizable alarm engine.

The fourth function, Respond, means having a plan for when disaster strikes. This means notifying anyone whose data may have been compromised, informing law enforcement authorities, containing the attack, and updating the security policy with lessons learned. SolarWinds Endpoint Detection and Response is built for responding to cyber attacks. It provides custom, policy-driven automated responses, quarantines infected machines from the rest of the network, and rolls back compromised files to the last known healthy version.

Finally, Recover comes into play in the aftermath of a penetration. Affected software, hardware, and areas of the network must be repaired and restored to their previous state. It’s essential to inform employers and customers of restoration plans to maintain their confidence. For a robust recovery solution, consider SolarWinds Backup. It features True Delta deduplication for faster restores, automated system restores to Hyper-V or VMware, and the capacity for recovery from a bare-metal image.

Explore our layered security solutions to find out how you can help your customers stay ahead of security threats.