
By Harry Brelsford

I’m constantly amazed at how little I know the wiser and more experienced I get. Case in point. A couple weeks ago I attended the SolarWinds Empower 2019 conference in Atlanta. During a partner panel conversation, the term NIST arose (and I didn’t know what it means – hey – I only know what I know). So as you might imagine, I quickly searched on my laptop while the panelists were speaking.

That got me to thinking. If I don’t know what NIST is…perhaps my readers also do not know this framework. Ergo – this blog and my attempt to shed NIST insights.

First – NIST stands for the US National Institute of Standards and Technology (2014) so it is an entity. But in reality, its common usage refers to the five functions of the NIST Cybersecurity Framework. According to Erin Anderson, Solutions Marketing Manager, OT and Industrial Technologies at Forescout, the NIST framework uses “business drivers to guide cybersecurity activities and considers cybersecurity as part of an organization’s risk management processes.”

Framework Parts

There are three parts to the NIST Cybersecurity Framework. This can be visualized in Figure 1.

Framework Core: There is some debate about what the core consists of. The NIST entity at www.nist.gov views the “Core” as three parts: Functions, Categories and Subcategories. The core also includes five higher-level functions: Identify, Protect, Detect, Respond and Recover.

Framework Implementation Tiers. According to NIST, tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. This is shown in Figure 2 where you can see four tiers: Partial, Risk Informed, Repeatable and Adaptive.

Figure 1: NIST Cybersecurity Framework

Framework Profiles. Think of this as alignment between various organization areas (e.g. Business Objectives, Threat Environment, Requirements and Controls) to create the Cybersecurity Profile.

Figure 3: All together now. Orchestrating security protection.

Figure 2: Viewing the workflow of four tiers.

Bottom line. Implementing the NIST Cybersecurity Framework can help Managed Services Providers (MSPs) help customer organizations become more focused on protecting critical assets. My goal has been to pique your interest in NIST and hand you off to the following resource “