The NIST Cybersecurity Framework Revisited

In February 2014 the National Institute of Standards and Technology (NIST) issued a new set of cyber security guidelines designed to help critical infrastructure providers better protect themselves against attacks.

The framework was the result of an executive order issued by President Barack Obama in 2013 to establish a set of voluntary cyber security standards for critical infrastructure companies. One year later, has the NIST Cybersecurity Framework had any measurable impact on improving cyber resilience or was it just smoke and mirrors as many opponents predicted at the time?

The NIST Cybersecurity Framework was born out of the realization that cyber-attacks represent one of the most serious economic and national security threats our nation faces. The framework offers:

• A set of activities to anticipate and defend against cyber-attacks (the “Core”)

• A set of measurements to assess to what degree an organization has implemented the core activities and to benchmark how prepared it is to protect its systems against an attack (the “Implementation Tiers”)

• A “Profile” that can be used to identify opportunities for improving an organization’s cyber security posture by comparing a current profile with a target profile.

In addition, the NIST Cybersecurity Framework includes a comprehensive collection of so-called Informative References, which are specific sections of standards, guidelines, and practices common among critical infrastructure sectors.

By assembling all these data points in a single repository, the government provided a common nomenclature and methodology to help less advanced organizations assess their level of security preparedness and benchmark themselves. In this regard, the NIST Cybersecurity Framework was a good first step towards creating a standardized approach to cyber security. However, it became immediately apparent at the time of its release that the framework required many substantial updates before it could really help improve the nation’s cyber resilience. It’s not surprising that, despite some anecdotal evidence presented to a Senate committee at a February 4th hearing, there has been no measurable proof that using the framework can help prevent cyber-attacks.

Ultimately, the NIST Cybersecurity Framework provides some valuable building blocks for implementing better cyber security practices, but is not a silver bullet for preventing cyber-attacks and data breaches. It’s important to understand that guidelines and regulations are static by nature and therefore cannot evolve to detect and mitigate morphing threats. Meanwhile, regulatory compliance moves far too slowly to keep up with cyber-attackers. Guidelines can also expose holes in proposed measures, which attackers can use as a blueprint for their attack strategy.

Proper security measures and best practices are, in the end, just one part of the solution. One of the biggest challenges for organizations is managing the sheer volume, velocity, and complexity of data feeds that must be analyzed, normalized, and prioritized to even stand a chance of detecting a cyber-attack. The Target breach was a good example. Although the best-of-breed technology in place was able to detect the intrusion early on, the alerts were buried in a sea of data, which prevented the security team from connecting the dots and responding in a timely fashion. Instead, a third party reported the stolen data being posted on the Internet and exposed the breach.

Without data automation it can take months and even years to perform big data risk analysis and piece together an actionable security assessment. Finding ways to use technology to overcome the lack of human resources needed to extract intelligence from security feeds and respond in a timely fashion should remain a focal point for organizations.

In this context, the NIST Cybersecurity Framework is an important building block, but still just the first step towards implementing operationalized defenses against cyber security risks.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
