We often get asked about NIST. What is it? How does it affect our business? Let’s take a brief look at NIST and point to some further reading.
NIST stands for the National Institute of Standards and Technology, a non-regulatory agency of the US federal government founded in 1901. In the IT world, however, "NIST" is generally shorthand for the compliance standards relating to its cybersecurity frameworks, and very often it refers specifically to NIST SP 800-53.
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
Executive Order 13636, February 12, 2013
And thus the NIST Cybersecurity Framework (CSF) was born. It consists of three major components (the implementation tiers, the framework core, and profiles). The core itself has five components, or functions (Identify, Protect, Detect, Respond, and Recover), and each function is broken down into categories and then subcategories. Confused yet? Don’t worry, it gets easier.
Essentially, each core component is a function identified by a two-letter code. For example, Identify uses the code ID. The Identify function is then broken into categories which, again, have two-letter designations: “Business Environment” is BE. Each category is then broken down into numbered subcategories. The subcategory dealing with supply chains is 1, so in this case the shorthand name would be ID.BE-1. There are a total of 108 subcategories across the various functions.
Tiers are a bit easier to understand. They are essentially levels 1-4: Partial (1), Risk-Informed (2), Repeatable (3), Adaptive (4), and they are a way to measure the efficacy of a cybersecurity defense. It should be noted that not every business will want or need to invest in reaching the Adaptive level for everything: some items may not apply, or may simply be out of realistic budget reach.
Profiles bring together business objectives, the threat environment, and requirements and controls to compare an organization's current cybersecurity posture against its target posture.
While you likely already know whether your business is required to meet NIST compliance standards, a NIST audit can be a valuable way for any business to establish a good baseline for its local and online security. An IT professional can help an organization determine where it currently stands in its ability to prevent and respond to cybersecurity threats.
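To make the naming scheme and the current-vs-target idea concrete, here is a small added example (not code from NIST or from this post): it parses the FUNCTION.CATEGORY-NUMBER shorthand described above, checks the function code against the five functions, and compares a constructed current profile against a target profile using the tier numbers 1-4. Recording a tier per subcategory is an assumption made for illustration; the sample profile data is constructed, not a real assessment.

```python
import re
from dataclasses import dataclass

# The five CSF function codes and tier names, as described in the post.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
TIERS = {1: "Partial", 2: "Risk-Informed", 3: "Repeatable", 4: "Adaptive"}

# Shorthand form: two-letter function, two-letter category, numbered subcategory.
SUBCAT_RE = re.compile(r"^([A-Z]{2})\.([A-Z]{2})-(\d+)$")


@dataclass(frozen=True)
class Subcategory:
    function: str
    category: str
    number: int

    @property
    def function_name(self) -> str:
        return FUNCTIONS[self.function]


def parse_subcategory(code: str) -> Subcategory:
    """Parse a shorthand such as 'ID.BE-1'; reject malformed or unknown codes."""
    m = SUBCAT_RE.match(code.strip().upper())
    if not m:
        raise ValueError(f"not a CSF subcategory identifier: {code!r}")
    func, cat, num = m.group(1), m.group(2), int(m.group(3))
    if func not in FUNCTIONS:
        raise ValueError(f"unknown function code {func!r} in {code!r}")
    return Subcategory(func, cat, num)


def profile_gaps(current: dict, target: dict) -> dict:
    """Return the subcategories whose current tier is below the target tier,
    mapped to the number of tiers still to close. Both profiles are keyed by
    subcategory shorthand with tier values 1-4 (a per-subcategory tier is an
    illustrative assumption). A subcategory absent from the current profile
    is treated as unassessed, i.e. tier 1 (Partial)."""
    gaps = {}
    for code, want in target.items():
        if want not in TIERS:
            raise ValueError(f"tier must be 1-4, got {want!r} for {code}")
        sub = parse_subcategory(code)
        have = current.get(code, 1)
        if have < want:
            gaps[f"{sub.function}.{sub.category}-{sub.number}"] = want - have
    return gaps


# Constructed sample profiles (not real assessment data).
CURRENT_PROFILE = {"ID.BE-1": 2, "PR.AC-1": 3, "DE.CM-1": 1}
TARGET_PROFILE = {"ID.BE-1": 3, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 2}
```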
Having trouble with your NIST compliance? Just curious about your own business’s IT security? Or you’d simply like to explore this further? Contact us!
The official documents from NIST: https://nvd.nist.gov/800-53
Direct link to the official PDF: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
NIST Online Learning Resources: https://www.nist.gov/cyberframework/online-learning/components-framework
NIST 800-53 on Wikipedia: https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53