Security Experts:

Connect with us

Hi, what are you looking for?



The NIST Cybersecurity Framework Revisited

In February 2014 the National Institute of Standards and Technology (NIST) issued a new set of cyber security guidelines designed to help critical infrastructure providers better protect themselves against attacks.

In February 2014 the National Institute of Standards and Technology (NIST) issued a new set of cyber security guidelines designed to help critical infrastructure providers better protect themselves against attacks.

The framework was the result of an executive order issued by President Barack Obama in 2013 to establish a set of voluntary cyber security standards for critical infrastructure companies. One year later, has the NIST Cybersecurity Framework had any measurable impact on improving cyber resilience or was it just smoke and mirrors as many opponents predicted at the time?

The NIST Cybersecurity Framework was born out of the realization that cyber-attacks represent one of the most serious economic and national security threats our nation faces. The framework offers:

• A set of activities to anticipate and defend against cyber-attacks (the “Core”)

• A set of measurements to assess to what degree an organization has implemented the core activities and benchmark how prepared they are to protect systems against an attack (the “Implementation Tiers”)

• A “Profile” that can be used to identify opportunities for improving an organization’s cyber security posture by comparing a current profile with a target profile.

In addition, the NIST Cybersecurity Framework includes a comprehensive collection of so-called Informative References, which are specific sections of standards, guidelines, and practices common among critical infrastructure sectors.

By assembling all these data points in a single repository, the government provided a common nomenclature and methodology to help less advanced organizations assess their level of security preparedness and benchmark themselves. In this regard, the NIST Cybersecurity Framework was a good first step towards creating a standardized approach to cyber security. However, it became immediately apparent at the time of its release that the framework required many substantial updates before it could really help improve the nation’s cyber resilience. It’s not surprising that, despite some anecdotal evidence presented to a Senate committee at a February 4th hearing, there has been no measurable proof that using the framework can help prevent cyber-attacks.

Ultimately, the NIST Cybersecurity Framework provides some valuable building blocks for implementing better cyber security practices, but is not a silver bullet for preventing cyber-attacks and data breaches. It’s important to understand that guidelines and regulations are static by nature and therefore cannot evolve to detect and mitigate morphing threats. Meanwhile, regulatory compliance moves far too slowly to keep up with cyber-attackers. Guidelines can also expose holes in proposed measures, which attackers can use as a blueprint for their attack strategy.

Ultimately, proper security measures and best practices are just one part of the solution. One of the biggest challenges for organizations is managing the sheer volume, velocity, and complexity of data feeds that must be analyzed, normalized, and prioritized to even stand a chance of detecting a cyber-attack. The Target breach was a good example. Although the best-of-breed technology in place was able to detect the intrusion early on, the alerts were buried in a sea of data which prevented the security team from connecting the dots and responding in a timely fashion. Instead, a third-party reported the stolen data being posted on the Internet and exposed the breach.

Without data automation it can take months and even years to perform big data risk analysis and piece together an actionable security assessment. Findings ways to use technology to overcome the lack of human resources needed to extract intelligence from security feeds and respond in a timely fashion should remain a focal point for organizations.

In this context, the NIST Cybersecurity Framework is an important building block, but still just the first step towards implementing operationalized defenses against cyber security risks.

Related: NIST Releases Cyber Security Framework for Critical Industries

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Security Architecture

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Risk Management

In this virtual summit, SecurityWeek brings together expert defenders to share best practices around reducing attack surfaces in modern computing.