The National Institute of Standards and Technology (NIST) published The Cybersecurity Framework (NST CSFW) in February 2014. The NST CSFW arose through a collaborative process involving industry, academia and government agencies. The stated goal of the group was to develop a voluntary framework that would support organizations in their management of cybersecurity risk in the nation’s critical infrastructure, such as power grids, utilities and bridges. Since its inception, however, the NST CSFW has been widely adopted by many types of organizations across the country and around the world per directions in the authorizing Executive Order. Of those companies that have or plan to adopt the Framework, more than 70% see it as an industry best practice.
The Executive Order stated in part that:
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties…..The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.”
In January 2017, NIST updated NST CSFW with the Framework for Improving Critical Infrastructure, incorporating feedback in order “to refine and enhance the original document and to make it easier to use,” said Matt Barrett, NIST’s program manager for the NST CSFW. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”
As a result of the NST CSFW, the efforts of the federal government are moving further in the direction of working in partnership with the private sector to address and improve cybersecurity initiatives. In May 2017, President Trump signed an Executive Order, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” Among other things, the Order instructed the Department of Homeland Security to: 1) “assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education”; and 2) “…report to the President with findings and recommendations regarding how to support the growth and sustainment of the Nation’s cybersecurity workforce in both the public and private sectors.”
Board members needn’t be experts in the nuanced technical aspects of implementing the NST CSFW, but should read the original Framework and subsequent orders and understand the principles the NST CSFW espouses for the private sector. There are five functions at its core, which provide a road map for organizations to implement their defense against cyber-threats:
- Identify – “Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”
- Protect – “Develop and implement the appropriate safeguards.”
- Detect – “Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.”
- Respond – “Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.”
- Recover – “Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.”
Boards should also clearly understand how implementation of the NST CSFW will help their organizations face cybersecurity challenges:
This first step is crucial, and the NST CSFW breaks down the risk assessment process in clear understandable steps:
- Asset Management – data, personnel, devices, systems, facilities, etc.
- Business Environment – your organization’s mission and objectives, used to establish cybersecurity roles
- Governance – the management of cybersecurity risk via policies and procedures
- Risk Assessment – gaining an understanding of the specific risks to your organization and your operations
- Risk Management Strategy – how you prioritize your strategy to protect your organization from cyber threats
Be Prepared for Future Government Guidance
As highlighted above, the NST CSFW is an evolving protocol, with additional guidance in a wide range of areas expected over the next months in compliance with President Trump’s last Executive Order. While the NST CSFW is voluntary, by adopting it now, a company’s security platform will be best prepared to implement changes required by new legislation and regulations.
One Size Fits All
The NST CSFW is designed to fit any industry and any size company. It is inclusive, flexible and easily adaptable to existing programs. It is also designed as a cost-effective business strategy that can readily measure a security effort’s bottom line. It does so by identifying specific outcomes such as risk assessment, asset management, access control, employee training, policies and incident response.
A Common Language Across the Enterprise
Boards should view the NST CSFW as a flexible tool providing a common language that can be understood from the top to the bottom of an organization, regardless of size or industry. The NST CSFW’s language is understood from the highest levels of IT and management to the front desk. Timely protection from an ever-increasing array of cyber threats is critical, and effective communication across an organization is vital.
Perhaps most important, the Board should treat cybersecurity risk as an “equal party” in a company risk portfolio. Just as with financial, legal and other traditional risks, a Board must first ensure that its company has the resources and processes in place to understand the benefits, challenges and specific steps necessary to systematically implement the NST CSFW. Boards should assure that it is comprehensively implemented across all levels of the organization. To assist in this process, your Board may find it useful to address questions proposed by the Council of Institutional Investors:
- How are the company’s cyber risks communicated to the Board, by whom and with what frequency?
- Has the Board evaluated and approved the company’s cybersecurity strategy?
- How does the Board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
- How does the Board evaluate the effectiveness of the company’s cybersecurity efforts?
Spearheading the implementation of the NST CSFW across an organization is a ready-made prescription for Board effectiveness. The NST CSFW was created to enable organizations — “regardless of size, degree of cybersecurity risk or cybersecurity sophistication — to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.” The NIST Framework has “the breadth and rigor to provide a meaningful framework for companies to succeed in their cybersecurity efforts.”