The Cybersecurity Framework provided by the National Institute of Standards and Technology (NIST) was published in early 2014 as a set of guidelines to strengthen cybersecurity for organizations that engage in elements of the critical infrastructure of the United States. While it initially focused on engagement with the federal government, the Framework, because of its comprehensive approach to security, is being adopted across all industries. Organizations not adhering to it should quickly consider it as a way to develop their own security best practices.
Financial institutions, utilities companies, transportation organizations; these and others like them contribute to the smooth functioning of our government, and by extension, our society. For many reasons, visibility and stature among them, they could become targets for cyber exploitation. If their data and internal operations are exploited, the collateral effect could be disastrous to the smooth functioning of daily business operations and national security. The NIST Framework safeguards against this type of disruption with a codified set of security requirements that aims to avoid vulnerabilities.
The concept of protecting organizations that participate in critical infrastructure paints a picture of the impact of what the Framework attempts to cover, namely, the operations of our entire country. Yet, NIST provides the framework publicly, which means that a roadmap of this gravity in its approach can also be used by any organization conducting any type of digital business. In fact, the introductory remarks of the published Framework recommend using “business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes.”1 It’s like being handed a manual that is based on the thinking and practical usage of some of the world’s most secure organizations.
Adhering to the Framework means that an organization has built its own security around a single reference that uses the comprehensive knowledge of hundreds of governmental agencies, all of which are required to use demanding security best practices. While it requires considerable effort to be compliant with the Framework, once achieved, the organization can tout compliance with the myriad standards, governance policies, audit checklists and other aspects of critical security necessary for working with almost any organization that mandates strict security adherence. Organizations that use the Framework benefit by being prepared for almost any security requirements demanded by their industries, the government, or by their own customers.
It’s a no-brainer for government contractors, universities and research organizations, health care companies, and energy, utility, transportation and similar companies. They are doing the daily work that constitutes “critical infrastructure.” Their work provides material and intellectual progress that operates and advances our society. But every organization that seeks to innovate and deliver solutions, irrespective of the field, should quickly add NIST Cybersecurity Framework adherence to their list of priorities. Cloud service and application vendors will want to extend to their customers the benefits of the Framework; it’s a marketable advantage for them and provides an important measure of risk management.
Perhaps not all companies and organizations fall into the category of being critical to our nation’s infrastructure, but nearly all conduct some form of digital business, and ultimately this is what the Cybersecurity Framework addresses. Especially for organizations that operate their IT and application framework in the cloud, maintaining allegiance with a validated and accepted security framework not only provides a model for how to be secure now, but as NIST updates the Framework, it will continue to provide usable guidance for how to ensure continuous compliance as security measures change and as organizations evolve.
1 NIST. “Framework for Improving Critical Infrastructure Cybersecurity”. February 2014.