The NIST Cybersecurity Framework provides an easy-to-use governance process for managing cyber risk. Organizations should consider the NIST Cybersecurity Framework if they are just forming a Cybersecurity program or have no immediate need for an independent audit/certification. CISA puts CSF into practice with free public resources and services. CSF and CISA is the 1-2 punch to get Cybersecurity programs initiated.

The stakeholders of your organization expect visible due diligence in protecting your assets as well as steps to address the liabilities of doing business. Many regulations and state laws also require a formal Cybersecurity program where management sets the direction for control objectives through policy and measures control implementation using baseline standards. Management’s part is to establish their framework for deciding upon the policies and controls to get the ball rolling. In the Security 360^o Perspective, this practice area is called Risk Governance.

In 2014, the National Institute of Standards and Technology (NIST) offered its first non-government option for Risk Governance – The Cybersecurity Framework.[i] CSF gave an option for municipalities, local government, schools, and the private sector to define business requirements in Organizational Profiles, set baselines in performance Tiers, and work from one common Core of cybersecurity functions to build Cybersecurity capability.

With its 2.0 release this past month, CSF is a must have Cybersecurity Risk Governance![ii] Most notably, CSF 2.0 has added the Govern Core function, strengthening the cohesion between senior management in their leadership and support of the program, and their involvement in risk management activities. Re-usable Profiles exist for many of the sixteen Critical Infrastructure sectors that use CSF. CSF 2.0 directly supports the US National Cybersecurity Strategy and takes advantage of recently developed guidance on supply chain security and small business security.

The flexibility of choosing Organizational Profiles and performance Tiers gives the option to establish a solid foundation and then build capability on that solid footing. Organizations should start with an Organizational Profile and performance Tier closest to their demonstratable compliance. Establish a stable, verifiable Current Profile before chasing capabilities well beyond your reach! You can start with Tier 1 – Partial to assess your capabilities but still need to get to Tier 2 – Risk Informed – to truly Risk Govern any gaps discovered. The payback to the business is when Tier 3 – Repeatable – establishes operational effectiveness. Organizations with high-risk will eventually want to achieve Tier 4 - Adaptive - in select profiles associated with that risk.

The Cybersecurity and Infrastructure Security Agency (CISA) provides several free resources and tools that complement CSF. One resource is the Cyber Security Evaluation Tool (CSET) which supports several security assessments, including the NIST Cybersecurity Framework.[iii] Use CSET to assess against the profiles and performance tiers discussed earlier. Organizations with limited resources might consider establishing Cross-Sector Cybersecurity Performance Goals to tailor their initial CSF implementation.[iv]

Cybersecurity capability is subdivided into 6 functional areas covering 22 categories. Govern includes the Organizational Context, Risk Management Strategy, Roles and Responsibilities, Policy, Oversight, and Cybersecurity Supply Chain Risk Management. Identify creates the focus of your program with Asset Management, Risk Assessment, and Improvement. The remaining functions Protect, Detect, Respond, and Recover within that area of focus.

Mappings bring other standards into CSF, either manually using NIST documentation, or automatically using CSET. Mappings exist for COBIT 5, CIS CCS, ISO 27001, and ISA 62443. Vendors also offer mappings to SOC2!

At the end of the day, remember that stakeholders of your organization expect visible due diligence in protecting your assets as well as steps to address the liabilities of doing business. Don’t bury them in the weeds. Proudly demonstrate your Risk Governance strategy. Let CSF and CISA get you started!

---------------------------------

Donald Borsay is an advisor, auditor, and instructor, with over 20 years dedicated to Cybersecurity. Borsay is a thought leader and Security Advisor for Coyote Brown, supporting Cybersecurity program initiation, assessment, and fractional CISO managed services. Feedback is welcome at: Donald.borsay@cyberbuyer.io.

Coyote Brown offers Cybersecurity Advisory, Consulting, and Assessment Services, composed of highly experienced strategic cybersecurity advisors and consultants helping clients maintain a healthy cyber security posture.

[i] NIST Releases Cybersecurity Framework Version 1.0 - https://www.nist.gov/news-events/news/2014/02/nist-releases-cybersecurity-framewortk-version-10

[ii] NIST Releases Version 2.0 of Landmark Cybersecurity Framework - https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework

[iii] NIST Cyber Security Evaluation Tool - https://www.cisa.gov/downloading-and-installing-cset

[iv] Cross-Sector Cybersecurity Performance Goals - https://www.cisa.gov/cross-sector-cybersecurity-performance-goals