Founded more than a century ago, the National Institute of Standards and Technology (NIST) has always been about innovation: Congress established the agency – then named the National Bureau of Standards – as a physical science laboratory designed to close an industrial competition gap that caused the U.S. to lag behind the UK, Germany and other countries.
At first, the bureau developed standards for weights and measures. But, over time, what we now call NIST branched out to help lead advancements in automotive brake manufacturing, electrical safety, radio aircraft landing systems and – in the modern age – computer chips, software, robotics, artificial intelligence (AI), the Internet of Things (IoT) and nanotechnology.
This includes cybersecurity, too, especially in recent years. As a result, the NIST Cybersecurity Framework (CSF) is now setting standards for what it calls its “framework core” activities and objectives – “Identify, Protect, Detect, Respond, Recover” – which gives organizations a strategic view of the process lifecycle and allows mapping to other industry frameworks. While the CSF is primarily about the protection of critical infrastructure, NIST specifies that it serves a broader purpose in the interest of cybersecurity. “(It) can be used by organizations in any sector of the economy or society,” it states. “It is intended to be useful to companies, government agencies, and not-for-profit organizations regardless of their focus or size.”
The effort goes back to 2013 when President Obama’s Executive Order 13636 assigned agencies responsibilities to “maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” In response, NIST released the first preliminary version of the framework in July of that year, followed by Cybersecurity Framework Version 1.0 in February 2014. By May 2017, the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (EO 13800) required agencies to implement the CSF.
The management of risk plays a major role in the framework, as it directs agencies to rigorously identify, catalog and prioritize risk, with a more strategic and tactical approach. Through this, they are expected to build an enterprise view of mission/business processes and information security and ensure the traceability and transparency of risk-based decisions.
On a purely pragmatic level, the CSF makes it easier for organizations of all kinds to adopt and implement the framework and immediately benefit because it establishes a common language to managing risk. This is essential with respect to familiarity, accessibility and adaptability, as it readily maps to a number of standards/frameworks, including the International Organization for Standardization (ISO) 27001, the Information Systems Audit and Control Association’s Control Objectives for Information and Related Technologies (COBIT) and NIST 800-53, which assists federal agencies and contractors in satisfying requirements of the Federal Information Security Management Act (FISMA). It focuses on business drivers to guide cybersecurity activities, so organizations can take core goals of the CSF and align them with their own strategic mission objectives to identify, prioritize and address the most cost-effective approaches. It comprehensively covers the 16 critical infrastructure assets – including nuclear, energy, financial and healthcare – so organizations can manage the risks of these assets while boosting their resilience in light of today’s sophisticated and ever-evolving threat landscape.
Then, from a “bigger picture” perspective, the CSF is about a transformation of cybersecurity policies and practices. Just as the broader digital transformation within government and industry is producing compelling advancements in cloud computing, AI, IoT and other innovations, the evolution and subsequent impact of the framework – for today and tomorrow – is driving agencies to new levels of a protected state through the following, key qualities:
Ideal collaboration. NIST has cast a “wide net” in developing the CSF. Through multiple workshops, Requests for Comment and what it describes as “thousands of direct interactions with stakeholders from across all sectors of the United States along with many sectors from around the world,” the agency has collected “best of the best” insights and recommendations from top leaders in academia, the private sector and government. These leaders are happy to take part because – in addition to the potential to initiate positive change on a large scale – NIST is a non-regulatory agency that allows them to work with a wide variety of users across multiple industries and government agencies.
By earning this trust in the interest of free-flowing, collaborative exchanges, NIST has ensured that its guidelines and mandates reflect “real-world thinking” about risk management, critical infrastructure defense, threat monitoring/mitigation/prevention and a host of additional, pressing topics.
Ongoing continuous improvement. The framework is a living document, with numerous drafts and versions released, as NIST proactively fosters its evolvement. Why? Because it has to. Without a commitment to continuous improvement, the CSF will lose relevancy in a short time. Cyber adversaries, after all, are always changing their “playbook.” They come up with new and intricate technologies, tactics and schemes to launch attacks with ever-increasing velocity and volume, with the intent to maximize the extent of damage they can do. Given this, NIST considers itself in a ceaseless “revision cycle” for the framework, with universities, corporations and agencies weighing in at every step to respond to the rapidly shifting threat landscape with new tools and techniques.
Optimal flexibility – united by common standards. There is no “one size fits all” model for cybersecurity, and the CSF reflects this reality. The framework is flexible enough for a vast range of agencies to leverage – whether they’re within Defense, Agriculture, Education, Health and Human Services, etc. – regardless of the unique quality of their IT infrastructure, overall operations, organizational makeup, and circumstances. Each agency supports its mission and goals. Each agency faces its technology and cybersecurity challenges. NIST recognizes this and allows for a level of flexibility that paves the way for actionable responses aligning with these distinctive goals and challenges. At the same time, however, the CSF brings a unified sense of purpose and execution here, with a core set of common standards that apply to all areas of government.
Because it has stood at the edge of innovation throughout its existence, NIST remains quite comfortable with constant change. That makes it the ideal agency to serve as the central clearing house for perspectives, policies and best practices to address the shifting state of cybersecurity. Strengthened through its embracement of collaboration, continuous improvement, and flexibility, the framework establishes standards that will provide practical value for the indefinite future. That’s why it will never be viewed as some relatively inconsequential, “check the boxes” directive. That’s why it will always matter.