Comprehensive Manual for NIST: Cybersecurity Framework, 800-53, 800-171
- Keith Sanks
- May 10, 2023
- 12 min read

Introduction: Cybersecurity and data privacy are critical issues that every organization must address. The challenge of safeguarding confidential information, proprietary intellectual property, and crucial business systems can seem insurmountable in the face of ever-evolving and relentless cyberattacks and breaches.
In recent times, ransomware attacks have surged worldwide and particularly in the United States. The Colonial Pipeline fell victim to an attack in May, while JBS, a meatpacking firm, suffered a similar fate in June, with both entities paying ransoms of $5 million and $11 million, respectively, to recover their systems and networks.
According to cybersecurity firm SonicWall, ransomware attacks have risen by over 150% in the US alone. Furthermore, the FBI reports that cyberattacks, particularly ransomware, have become more frequent and severe, resulting in estimated losses of over $29 million for businesses, representing a 200% increase from the previous year.
Every organization should have a plan to combat ransomware attacks, and the National Institute of Standards and Technology (NIST) can provide assistance to US-based businesses. Although originally developed to protect the country's critical infrastructure and Department of Defense operations, the NIST Cybersecurity Framework (NIST CSF) is a valuable tool for any organization seeking to manage risk.
NIST CSF is not mandatory, but given the high costs associated with a cybersecurity breach, complying with the framework is a risk worth taking. NIST has made it easier for organizations by providing a standard set of program functions with distinct components that can enhance security. The framework is written in straightforward language and is accessible to organizations at any stage of their cybersecurity program. NIST CSF is one of the most popular cybersecurity frameworks in the US, but implementing it can be challenging.
This guide aims to equip you with the knowledge needed to tackle NIST CSF implementation confidently. We have compiled extensive information on virtually every aspect of NIST CSF and included details on the new privacy framework. We have also added a NIST ransomware recovery checklist that can be incorporated into your incident response plan.
Read on for answers to the most frequently asked questions about NIST and even some that may not have crossed your mind. Click on the links provided for more detailed information. For assistance in preparing for a NIST compliance audit, use our NIST audit checklist. If you prefer a digital solution to help you through the NIST CSF compliance process, please contact us for a free demo.
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework, also known as The Framework for Improving Critical Infrastructure Cybersecurity, was developed by the National Institute of Standards and Technology to bolster the security of the United States' critical infrastructure. NIST aimed to establish a common language, goals, and standards to enhance information security and facilitate better remediation following a cyberattack. Standardized language leads to better decision-making and fosters a similar methodology across industries, which is particularly desirable in combatting cyberattacks like phishing and ransomware.
NIST CSF was released in 2014 under an executive order from President Barack Obama and was updated in 2018. Since then, it has become an essential resource for risk management for private sector firms and public agencies. In 2017, an executive order mandated that federal government agencies and entities in their supply chain comply with NIST CSF.
NIST CSF comprises three components: framework core components, implementation tiers, and profiles. The core components are divided into five areas of cybersecurity:
Identify
Protect
Detect
Respond
Recover
Each of these functions comprises basic actions to reduce cybersecurity risk, subdivided into categories and subcategories that describe leading information security procedures and strategies for successful ransomware recovery.
NIST has developed over 200 special publications, in addition to the CSF, that delve deeper into various aspects of cybersecurity risk management. These publications cover identity access control, protective technology management, cybersecurity incident response, and much more.
One of the most frequently used NIST publications is NIST 800-53, which provides a set of controls for organizations to satisfy the requirements of the Federal Information Security Modernization Act (FISMA), which is compulsory for federal entities and their supply chain partners, including defense contractors.
NIST 800-53 is regarded as the gold standard for federal agencies and is also utilized for compliance with the Federal Information Processing Standard Publication 200 (FIPS 200), which is mandatory for government-affiliated entities.
NIST Special Publication 800-30 provides guidance on conducting risk assessments, assisting with cyber risk management, and developing control baselines.
NIST Special Publication 800-171 helps non-federal organizations safeguard their sensitive information. Compliance with this publication is required for entities conducting business with the U.S. Department of Defense (DoD).
The CSF was updated by NIST in 2018. Version 1.1 includes guidance on self-assessments, supply chain risk management, interaction with supply-chain stakeholders, and creating a process for disclosing vulnerabilities.
The NIST CSF is a valuable tool for private enterprises seeking to enhance their cybersecurity, but it was initially established to safeguard the country's critical infrastructure. The Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience identifies 16 critical infrastructure sectors, including chemical, commercial facilities, communication, energy, financial services, and government facilities.
However, NIST CSF and NIST Special Publication 800-171 are becoming more popular among public entities such as universities and research organizations.
The U.S. Department of Defense's Cybersecurity Maturity Model Certification (CMMC), which is mandatory for DoD contractors, is based in part on NIST 800-171.
What are the Key Elements of the NIST Framework?
NIST outlines the fundamental components of the CSF as a collection of cybersecurity practices, results, and related resources that are shared across critical infrastructure fields:
"The Framework essentials convey cybersecurity guidelines, best practices, and benchmarks in a way that promotes communication of cybersecurity practices and achievements across the organization, from the executive to the implementation/operational level."
The CSF consists of these fundamental parts:
Implementation tiers (maturity levels): the extent to which your organization has implemented the NIST controls:
Tier 1—Partial
Tier 2—Risk-informed
Tier 3—Repeatable
Tier 4—Adaptive
Framework core:
Functions: identify, protect, detect, respond, recover
Categories
Subcategories
Informative references
What Are the Five Functions of the NIST Cybersecurity Framework (NIST CSF)?
NIST CSF is a Framework for Improving Critical Infrastructure Cybersecurity that comprises three key components: implementation tiers, framework core, and framework profile.
At the center of the document, the framework core identifies five primary cybersecurity functions. Across these functions there are 23 categories, which further divide into 108 subcategories specifying requirements and controls. The framework also provides “informative references” to other frameworks and resources that organizations can consult for more information.
It's important to note that the NIST CSF is not a one-size-fits-all framework. Each organization may decide which functions, categories, and subcategories it will comply with based on its unique security requirements, objectives, risk appetite, and resources.
The five cybersecurity functions, along with their categories and subcategories, are:

1. Identify
Establish a comprehensive understanding of cybersecurity risk to effectively manage systems, assets, data, and capabilities.
Asset management (ID.AM):
Your organization has successfully identified and categorized the crucial data, personnel, devices, systems, and facilities that are vital for its critical business services. These assets have been prioritized based on their significance and aligned with the organization's risk strategy. Furthermore, your enterprise effectively manages these assets according to their priority, accomplishing the following objectives:
Conducted a comprehensive inventory of all physical devices and systems.
Conducted a comprehensive inventory of all software platforms and applications.
Mapped communication and data flows within the organization.
Cataloged external information systems that interact with the organization.
Prioritized resources such as hardware, devices, data, time, personnel, and software, considering their classification, level of importance (criticality), and business value.
Established clear and defined cybersecurity roles and responsibilities across the enterprise, including third-party stakeholders such as suppliers, customers, and partners.
Business environment (ID.BE):
Your teams possess a clear understanding of your organization’s purpose, goals, stakeholders, and prioritized activities, and leverage this knowledge to guide decision-making for cybersecurity responsibilities and risk management. This signifies that they have accomplished the following:
Recognized and conveyed your organization’s role in the supply chain;
Identified and communicated your organization’s position in critical infrastructure and its industry sector;
Established and communicated the priorities for the organization's mission, business objectives, and activities;
Mapped out the dependencies and vital functions required for the delivery of crucial services; and
Established resilience requirements to ensure the continuity of critical services during normal operations, in the face of an attack or pressure, and during the recovery phase.
Governance (ID.GV):
The cybersecurity risk management team and board members possess knowledge of and actively utilize your enterprise's security policies, procedures, and processes to effectively handle and monitor the organization's regulatory, legal, risk, environmental, and operational obligations.
Key accomplishments include:
Development and dissemination of a comprehensive cybersecurity policy.
Coordination and alignment of cybersecurity roles and responsibilities with internal positions and external partners.
Managers have a clear understanding and are actively overseeing compliance with legal and regulatory cybersecurity requirements, including privacy and civil liberties obligations.
Governance and risk management processes have been implemented to address cybersecurity risks effectively.
Risk assessment (ID.RA):
Your organization has a clear understanding of the risks posed to its operations, assets, and personnel from cyber threats.
You have conducted a comprehensive vulnerability assessment of your assets.
You have established connections to information sharing platforms and other sources to gather threat intelligence.
You have identified and documented the types of threats that your organization is likely to face, both from internal and external sources.
You have assessed the potential business impacts of identified risks and threats, and their likelihood of occurrence.
You have used this information to determine the overall level of risk to your organization.
You have identified and prioritized appropriate responses to these risks.
Risk management strategy (ID.RM):
Your organization has defined its priorities, limitations, risk thresholds, and presumptions, and leverages them to facilitate operational risk determinations.
You’ve instituted a comprehensive risk management framework and continually oversee it with the involvement of stakeholders.
You’ve identified and communicated your organization’s level of risk tolerance.
When assessing risk tolerance, you’ve taken into account your enterprise’s position in critical infrastructure and considered sector-specific risk evaluations.
Supply chain risk management (ID.SC):
Your organization has implemented processes to manage supply chain risks in accordance with established priorities, constraints, risk tolerances, and assumptions.
You’ve identified, established, and evaluated processes for managing supply chain risks and ensure stakeholder consensus in their implementation.
You’ve identified, prioritized, and evaluated suppliers and third-party partners responsible for your information systems, components, and services, employing a cyber-supply-chain risk assessment process.
You utilize contracts with suppliers and third-party partners to align with the objectives of your cybersecurity program and cyber-supply-chain risk management strategy.
You regularly evaluate your suppliers and third-party partners through audits, testing outcomes, or other assessments to verify their compliance with contractual obligations.
You prepare and test response and recovery protocols in collaboration with suppliers and third-party providers.

2. Protect
Ensure the continuity of critical infrastructure services.
Identity management, authentication, and access control (PR.AC):
Ensure that only authorized entities, processes, and devices can access your physical and digital assets and associated facilities. The access management approach you adopt should be based on the risks associated with unauthorized access.
Establish, regulate, validate, revoke, and monitor identities and credentials for authorized devices, users, and processes;
Supervise and safeguard physical access to assets;
Oversee remote access;
Control user account access permissions and administrative privileges based on the principle of least privilege necessary to carry out job duties, and separation of duties;
Secure network integrity using techniques such as network segregation, network segmentation, up-to-date antivirus software, and safe data backup;
Verify and link identities to credentials and assert them in interactions; and
Authenticate users, devices, and other assets commensurate with the risk of each transaction.
Awareness and training (PR.AT):
All personnel and partners are provided with cybersecurity awareness training and education.
Training programs are tailored to each user's specific duties and responsibilities.
Users with privileged access receive specialized training to ensure they understand and fulfill their security obligations.
Third-party stakeholders, including suppliers, customers, and partners, receive training on their roles and responsibilities.
Senior executives are provided with specific training and education on cybersecurity risk management.
Physical and cybersecurity personnel are provided with comprehensive training to ensure they understand and fulfill their security responsibilities.
Data security (PR.DS):
Ensure data protection in accordance with the organization's data risk strategy, safeguarding the confidentiality, integrity, and accessibility of information.
Secure data at rest.
Secure data in transit.
Manage assets during transfer, removal, and disposal.
Maintain adequate storage capacity to ensure data availability.
Establish measures to prevent data leaks and plan for recovery efforts.
Verify the integrity of software, firmware, and information.
Keep development and testing environments separate from the production environment.
Information protection processes and procedures (PR.IP):
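The integrity requirement above (verify the integrity of software, firmware, and information) is usually met with a signed hash manifest. The following is an added example, not code from the original article or from NIST: it builds a SHA-256 manifest of a directory, authenticates the manifest with an HMAC so that an edited manifest is caught as well, and then reports files that were modified, removed, or added since the baseline. The file tree, the key, and the drift scenario in `demo()` are all constructed for the example.

```python
"""Hash-manifest integrity check (PR.DS-6) over a constructed file tree.

Added example. Builds a SHA-256 manifest of a directory, signs the manifest
with an HMAC so a tampered manifest is detected too, and reports files that
were modified, removed or added since the manifest was made. The directory
contents, the key and the drift scenario are constructed for this example.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large firmware images don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding; without the key the manifest can't be silently edited."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(root: Path, manifest: dict, signature: str, key: bytes) -> dict:
    """Compare the current state of root against the signed manifest."""
    report = {
        "manifest_authentic": hmac.compare_digest(sign_manifest(manifest, key), signature),
        "modified": [],
        "missing": [],
        "unexpected": [],
    }
    if not report["manifest_authentic"]:
        return report  # an unauthenticated manifest proves nothing about the files
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict:
    """Constructed scenario: baseline three files, then change, delete and add one each."""
    key = b"constructed-demo-key-not-for-production"  # assumption: key kept off the verified host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF constructed binary")
        (root / "config.ini").write_text("debug=false\n")
        (root / "firmware.bin").write_bytes(bytes(range(16)))
        manifest = build_manifest(root)
        signature = sign_manifest(manifest, key)
        clean = verify(root, manifest, signature, key)

        # Simulated drift: a changed config, a removed firmware image, a new file.
        (root / "config.ini").write_text("debug=true\n")
        (root / "firmware.bin").unlink()
        (root / "bin" / "helper").write_bytes(b"new and unreviewed")
        drifted = verify(root, manifest, signature, key)

        # Tampered manifest: the config.ini digest is rewritten to match the
        # changed file, but the HMAC no longer validates.
        forged = dict(manifest, **{"config.ini": sha256_file(root / "config.ini")})
        forged_check = verify(root, forged, signature, key)
    return {"clean": clean, "drifted": drifted, "forged": forged_check}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, json.dumps(result, indent=2))
```

In practice the manifest and its HMAC (or a digital signature) are produced in the build or release pipeline and stored where the verified host cannot rewrite them; the check then runs on a schedule or at boot, and any non-empty `modified`, `missing`, or `unexpected` list is raised as an event for the Detect function.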
Your organization has established comprehensive security policies that define the purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities, processes, and procedures to manage the protection of information systems and assets.
You implement the concept of least functionality in your information technology/industrial control systems to ensure a baseline configuration of security principles.
Your systems development lifecycle includes security considerations to manage the systems effectively.
You have established configuration change control processes to manage changes to your systems.
Your information backups are conducted, maintained, and tested regularly to ensure availability and recoverability.
Your physical operating environment meets all relevant policies and regulations to ensure the protection of organizational assets.
Your data destruction processes adhere to your policies to prevent unauthorized access to sensitive information.
You continually improve your data protection processes and share the effectiveness of protection technologies.
You have established response and recovery plans and regularly test them to ensure readiness.
Your human resources practices include cybersecurity measures such as deprovisioning and personnel screening to prevent unauthorized access to your systems.
You have a vulnerability management plan to manage and address system vulnerabilities in a timely and effective manner.
Maintenance (PR.MA):
Your organization maintains and repairs its industrial control and information system components according to policies and procedures.
You maintain and repair organizational assets, and log those activities, with approved and controlled tools.
Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
Protective technology (PR.PT):
You manage technical security solutions to ensure your systems and assets are secure and resilient, consistent with organizational policies, procedures, and agreements.
You document and review your audit/log records according to policy.
You protect removable media and restrict its use according to policy.
You configure systems to provide each user with only what they need (“principle of least functionality”).
Your communications and control networks are protected.
You use mechanisms such as fail-safe, load balancing, and hot swap for greater resilience.

3. Detect
Develop and execute measures to detect cybersecurity incidents. The following are categories and subcategories:
Anomalies and events (DE.AE):
Your enterprise is aware of abnormal activity occurring within its systems.
You establish and manage a baseline of normal network operations and expected data flows for users and systems.
Your organization analyzes detected events to understand attack targets and methods.
Your systems collect and correlate event data from multiple sources and sensors.
You determine the impact of events.
You have defined thresholds for incident alerts.
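The DE.AE category above is abstract until it is turned into detection logic, so here is an added example (not from the original article or from NIST) showing how the three mechanical pieces fit together: a per-user baseline of expected sources and hours, correlation of events from two independent sources (an authentication log and an endpoint agent) keyed on the user, and fixed thresholds that decide when an alert is raised. The log lines, the baseline, the thresholds, and the five-minute correlation window are all constructed for the example; the log formats are invented and would be replaced by the parser for whatever sources an organization actually has.

```python
"""Baseline, correlation and threshold alerting over constructed log lines.

Added example covering DE.AE-1 (baseline of expected activity), DE.AE-3
(correlate events from multiple sources and sensors) and DE.AE-5 (alert
thresholds). Every log line, the baseline and the thresholds below are
constructed for this example; the log formats are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed baseline (DE.AE-1): where each user normally logs in from and
# during which hours interactive logins are expected.
BASELINE = {
    "alice": {"hosts": {"10.0.1.15"}, "hours": range(7, 20)},
    "bob": {"hosts": {"10.0.1.22"}, "hours": range(7, 20)},
}

# Constructed thresholds (DE.AE-5).
FAILED_LOGIN_THRESHOLD = 3   # failures by one user before a burst alert fires
CORRELATION_WINDOW_MIN = 5   # endpoint activity this soon after an anomalous login is flagged

# Constructed sample events from two sources: an auth server and an endpoint agent.
AUTH_LOG = """\
2023-05-10T02:14:01Z sshd auth user=alice src=203.0.113.9 result=FAIL
2023-05-10T02:14:07Z sshd auth user=alice src=203.0.113.9 result=FAIL
2023-05-10T02:14:12Z sshd auth user=alice src=203.0.113.9 result=FAIL
2023-05-10T02:14:20Z sshd auth user=alice src=203.0.113.9 result=OK
2023-05-10T09:01:33Z sshd auth user=bob src=10.0.1.22 result=OK
"""
ENDPOINT_LOG = """\
2023-05-10T02:15:02Z agent proc user=alice host=fileserver01 cmd=net.exe
2023-05-10T09:05:10Z agent proc user=bob host=ws-bob cmd=outlook.exe
"""

AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")
PROC_RE = re.compile(r"^(?P<ts>\S+) agent proc user=(?P<user>\S+) host=(?P<host>\S+) cmd=(?P<cmd>\S+)$")


def parse(text, pattern):
    """Parse one log source into dicts with a datetime timestamp; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def baseline_deviations(ev, baseline):
    """Return the reasons a successful login departs from the user's baseline (DE.AE-1)."""
    profile = baseline.get(ev["user"])
    if profile is None:
        return ["user has no baseline"]
    reasons = []
    if ev["src"] not in profile["hosts"]:
        reasons.append(f"unexpected source {ev['src']}")
    if ev["ts"].hour not in profile["hours"]:
        reasons.append(f"outside expected hours ({ev['ts'].hour:02d}:00)")
    return reasons


def correlate(auth_events, proc_events, baseline,
              fail_threshold=FAILED_LOGIN_THRESHOLD, window_min=CORRELATION_WINDOW_MIN):
    """Correlate auth and endpoint events per user (DE.AE-3); alert when a threshold is crossed (DE.AE-5).

    Returns a list of (rule, user, detail) tuples in the order they fired.
    """
    alerts = []
    failures = defaultdict(int)
    anomalous_login_at = {}  # user -> timestamp of the anomalous successful login
    for ev in sorted(auth_events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["result"] == "FAIL":
            failures[user] += 1
            if failures[user] == fail_threshold:
                alerts.append(("failed-login-burst", user, f"{fail_threshold} failures from {ev['src']}"))
            continue
        reasons = baseline_deviations(ev, baseline)
        if failures[user] >= fail_threshold:
            reasons.append(f"success after {failures[user]} failures")
        if reasons:
            alerts.append(("anomalous-login", user, "; ".join(reasons)))
            anomalous_login_at[user] = ev["ts"]
        failures[user] = 0
    for ev in sorted(proc_events, key=lambda e: e["ts"]):
        start = anomalous_login_at.get(ev["user"])
        if start is not None and 0 <= (ev["ts"] - start).total_seconds() <= window_min * 60:
            alerts.append(("activity-after-anomalous-login", ev["user"],
                           f"{ev['cmd']} on {ev['host']} {int((ev['ts'] - start).total_seconds())}s after login"))
    return alerts


def run_example():
    """Run the correlation over the constructed logs."""
    return correlate(parse(AUTH_LOG, AUTH_RE), parse(ENDPOINT_LOG, PROC_RE), BASELINE)


if __name__ == "__main__":
    for rule, user, detail in run_example():
        print(f"ALERT {rule:<32} user={user:<6} {detail}")
```

On the constructed data the script raises three alerts for alice and none for bob: the burst of failures, the successful login from an unexpected source outside baseline hours that immediately followed them, and the endpoint activity within the correlation window. The third alert is the one that only exists because two sources were joined; neither log on its own would have produced it, which is the point of DE.AE-3.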
Security continuous monitoring (DE.CM):
Your organization performs continuous monitoring of information systems and assets to detect cybersecurity events and evaluate the effectiveness of protective measures. Monitoring is conducted in the following areas:
The organizational network
The physical environment, including facilities and equipment
Third-party service provider activity
Employee activity and behavior
Monitoring activities are designed to detect anomalies, such as:
Malware and other malicious code
Unauthorized mobile code execution
Unauthorized users, connections, devices, and software
Known or unknown vulnerabilities and exploits
Detection process (DE.DP):
Your enterprise has established and documented detection processes and procedures.
You have clearly defined the roles and responsibilities for detecting anomalous events.
Your detection processes are regularly tested and reviewed to ensure they meet compliance requirements.
You have a system for communicating event detection information to the appropriate personnel in a timely manner.
You continually improve your detection processes based on new information and feedback.

4. Respond
Create and execute a plan to respond to detected cybersecurity events.
Response planning (RS.RP):
Your organization has established protocols and procedures to follow in the event of a cybersecurity incident.
Your response plan is regularly updated and tested to ensure its effectiveness.
Your incident response team is trained and ready to respond to incidents promptly.
Your organization maintains clear lines of communication and coordination during incident response.
You have procedures for containing and isolating incidents to minimize the impact on systems and data.
You conduct a thorough analysis of each incident to identify the root cause and make appropriate improvements to prevent similar incidents from occurring in the future.
You promptly report incidents to relevant stakeholders, including regulators and law enforcement if necessary.
Communications (RS.CO):
Personnel understand their assigned roles and responsibilities in the event of a cybersecurity incident.
Cybersecurity incidents are reported and escalated in accordance with established criteria and procedures.
Information sharing among response teams follows established protocols and guidelines.
Response activities are coordinated with internal and external stakeholders based on the organization's response plan.
The organization communicates relevant information about cybersecurity incidents to external stakeholders, including law enforcement agencies, to facilitate a coordinated response.
Analysis (RS.AN):
Analyze cybersecurity incidents to ensure an effective response and to support recovery efforts.
Investigate notifications from detection systems.
Determine the impact of each incident.
Perform forensic analysis of incidents.
Categorize incidents according to the response plan.
Implement processes for receiving, analyzing, and responding to disclosed vulnerabilities from internal and external sources, such as security bulletins or researchers.
Mitigation (RS.MI):
Containment measures are applied to limit the impact of incidents.
You have response plans for addressing incidents, including mitigation measures.
You continuously review and update your incident response and mitigation plans to ensure their effectiveness.
You document newly identified vulnerabilities and evaluate them for potential impact on your organization's security posture.
Improvements (RS.IM):
Improve your organization's response to security threats, events, and incidents by integrating insights acquired from prior and current detection and response activities.
Ensure that your response plans reflect lessons learned.
Regularly update your response strategies to improve efficacy.

5. Recover
Establish and execute plans to restore systems and services impaired by a cybersecurity incident.
Recovery planning (RC.RP):
You have established processes and procedures for recovering systems or assets affected by cybersecurity incidents.
Improvements (RC.IM):
You enhance your recovery planning and processes by integrating insights gained from past experiences into future activities.
You regularly revise your recovery plans based on lessons learned.
Communications (RC.CO):
Your organization collaborates with relevant parties, both internal and external, to ensure effective restoration activities. This includes coordinating centers, internet service providers, owners of attacking systems, victims, other incident response teams, and vendors.
You manage communication and public relations after an incident to mitigate reputational damage.
You prioritize restoring critical business operations and services.
You provide updates to internal and external stakeholders, as well as executive and management teams, about your progress towards restoration.