
NIST Cybersecurity Framework

Everyone (or almost everyone) is familiar with the NIST Cybersecurity Framework (NIST-CSF). Developed by the National Institute of Standards and Technology—a U.S. agency within the Department of Commerce—this framework offers a structured and comprehensive approach to help organizations identify, assess, and manage cyber risks. It is specifically designed to strengthen the security of critical infrastructure, but its application extends to all sectors, regardless of the size of the organization or its field of activity. Let's take a closer look.

September 5, 2024

NIST-CSF: the essentials

NIST published the first version of the Cybersecurity Framework in February 2014. What few people know is that it was created in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity, signed by Barack Obama in February 2013. The order recognized the importance of critical infrastructure to national security and economic stability, and, by extension, the need to better protect that infrastructure from cyber threats.

As with NIS 2, "critical infrastructure" includes many sectors: energy, healthcare, transportation, finance, telecommunications, etc. The NIST-CSF framework was designed to provide these entities with a set of best practices, standards, and recommendations to better manage and reduce the cyber risks to which they are exposed.

Please note: NIST-CSF does not impose rigid requirements! Its main purpose is to encourage organizations to assess their own context, resources, and risks in order to choose the most appropriate practices. This flexibility is ultimately an advantage, as it has contributed to its rapid adoption in several sectors.

What does the NIST-CSF consist of?

The five main functions

The framework is organized around core functions that together describe the essential capabilities an organization needs in order to manage cybersecurity risk effectively. Version 1.1 defines five of them (CSF 2.0, published in February 2024, adds a sixth, Govern, which covers risk strategy, roles, policies, and oversight). The five functions are:

Identify

Understand the risks and assets that need to be protected. This includes identifying the systems, data, human resources, and processes that are essential to the organization's proper functioning.

Protect

Once the risks have been identified, safeguards must be put in place to protect critical systems and data, for example:

  • identity management and access control;
  • employee security awareness training;
  • data security (protection of data at rest and in transit);
  • protective technology and maintenance.

Detect

Being able to identify cybersecurity incidents as they occur makes for a better response. This function covers:

  • network and system monitoring activities;
  • detection of anomalies and events;
  • maintaining real-time threat detection capabilities.

Respond

The aim here is to act quickly and effectively when an incident occurs: analyzing it, communicating with the right stakeholders, and applying mitigation techniques to contain the effects of the breach.

Recover

After a cyberattack or cybersecurity incident, the organization must recover to return to normal. This involves restoring the affected systems and services, but also identifying lessons that can be learned from the event to improve future preparedness.

Categories and subcategories

Each core function is subdivided into categories, which are in turn subdivided into subcategories describing the specific outcomes to be achieved. Each subcategory carries an identifier so it can be referenced unambiguously.

For example, the "Protect" function contains several categories, including "Data Security" (PR.DS) and "Identity Management and Access Control" (PR.AC). The former is divided into subcategories such as "data-at-rest is protected" (PR.DS-1) and "data-in-transit is protected" (PR.DS-2); the latter covers outcomes such as the management of identities and credentials for authorized users.

Does this seem unnecessarily complicated? In practice, this structure is what links high-level security objectives to concrete, achievable actions. Bonus: each subcategory also lists informative references that map it to specific standards and benchmarks, such as ISO/IEC 27001 controls, which makes it easier to align the organization's practices with those standards.

Why adopt the NIST-CSF?

Flexibility and adaptability

One of the main advantages of NIST-CSF is its flexibility. It is designed to be used by any organization, regardless of its sector or size, and can be customized to meet the specific needs of each entity.

For example, a small e-commerce business can use the same fundamental principles as a large financial institution, but adapt them to its limited resources and level of risk.

In addition, the NIST-CSF allows for gradual implementation: an organization can choose to adopt certain parts of the framework based on its level of cybersecurity maturity, then expand its use over time. Handy, right?

Standardization and interoperability

We are aware of the growing importance of harmonization and international collaboration against cyber threats: NIS 2 is just one example among many.

The NIST-CSF addresses this challenge: built on widely recognized standards and best practices, it is particularly useful for organizations operating in regulated environments or those that must comply with multiple compliance frameworks.

By adopting this framework, such organizations can better align their cybersecurity practices with regulatory requirements, while using a common language to communicate with partners, customers, and regulators.

Improvement of security posture

Last but not least: the main objective of the NIST-CSF is above all to help organizations better manage and reduce their cyber risks! By following the five core functions, organizations can establish a comprehensive cybersecurity framework that covers all phases of risk management —from prevention to detection, response, and recovery.

In short, NIST-CSF helps companies better protect themselves by:

  • encouraging them to identify potential vulnerabilities in advance and take measures to address them;
  • creating robust response and recovery processes to limit the impact of incidents when they occur.

How can you implement NIST-CSF in your company?

#1 Assess the risks

The first step in any NIST-CSF implementation is to conduct a comprehensive risk analysis that includes:

  • identification of the organization's critical assets;
  • understanding potential threats;
  • assessment of existing vulnerabilities.

This step allows cybersecurity investments to be prioritized by targeting the most sensitive areas. It is largely covered by the "Identify" function of the NIST-CSF, which encourages companies to have a clear view of their assets, environments, and associated risks.

#2 Develop a security plan

This plan must cover the four other functions of the framework: "Protect," "Detect," "Respond," and "Recover."

Please note: each function must be addressed comprehensively! For example, protective measures must include not only technical controls such as firewalls and encryption, but also policies such as employee training and credential management.

#3 Monitor the implementation of the plan

Once the plan is in place, the organization must implement it and monitor its effectiveness over time. This monitoring is particularly important in the context of the "Detect" function, as it allows security incidents to be identified in real time.

It also plays a key role in the ongoing assessment of security controls and the organization's ability to respond to emerging threats.

#4 Continuously improve

The NIST-CSF is not a static framework! Organizations must regularly review their security plan, evaluating the effectiveness of the measures in place and adjusting them in line with evolving threats, technologies, and business needs.

All of this is essential to maintaining a strong security posture in a constantly changing environment.

The limitations of NIST-CSF

A complex implementation for small businesses

For small organizations, full implementation of the NIST-CSF is often complex and/or costly. Despite its (almost) unfailing flexibility, this framework can require significant resources that not all organizations have at their disposal:

  • qualified personnel;
  • appropriate technological tools;
  • time to devote to risk assessment and the implementation of security measures.

No legal obligation

Since implementation of the NIST-CSF framework is voluntary, it does not constitute a legal obligation for most organizations. U.S. federal agencies have been required to use it since Executive Order 13800 in 2017, and a number of private companies have adopted it as a benchmark for strengthening their cybersecurity, but there is no universal requirement that would force organizations to comply with it.

At the same time, in certain regulated sectors (such as finance, energy, and healthcare), authorities may impose specific cybersecurity regulations, and even if there is overlap with the NIST-CSF, the requirements may differ. This situation may limit the adoption of the framework by certain companies, which prioritize compliance with legal regulations over voluntary frameworks. This is logical, but it is unfortunate.

The evolution of threats

The NIST-CSF framework, while robust, cannot always keep pace with the rapid evolution of cyber threats.

For example, the emergence of new forms of attack, such as sophisticated ransomware or threats related to artificial intelligence, to name just two, may require adjustments more quickly than a formal update of the framework allows.

It is then up to companies to figure out how to combine the use of NIST-CSF with internal processes for technology monitoring and regular updating of cybersecurity skills. This is not always easy.

Required technical expertise

Implementing the NIST-CSF often requires a high level of technical expertise. Organizations that do not have cyber experts on staff may therefore find it difficult to understand and apply certain specific subcategories, particularly those relating to advanced technologies or complex threats.

This obstacle can be overcome by hiring external consultants or managed security service providers (MSSPs)—but this incurs additional costs.

The good news is that the NIST-CSF framework is available in Tenacy! The tool can generate automated action plans tailored to your current context to help you achieve compliance. You can also track all your data and actions on a single platform for greater speed and efficiency.
