top of page
  • Tom Cummins

How Can NIST’s Cybersecurity Framework Help Your Business?

Updated: Apr 2, 2020

Cyber + Co.

Cyber + Co., No. 2

Business professionals need practical strategies for managing cybersecurity risk.

One leading source for managing this risk the Cybersecurity Framework put forward by the National Institute of Standards and Technology (NIST).

The framework was first finalized in 2014, and is currently undergoing updates. While large organizations have been early adopters, small businesses have lagged behind.

Cybersercurity Framework Summary

Last month, the Senate unanimously passed a bill requiring NIST to consider small businesses in developing the framework, as well as to disseminate resources for small businesses to help reduce their cybersecurity risk.

Here’s an introduction to the current version of the Cybersecurity Framework.

What is the Cybersecurity Framework?

The Cybersecurity Framework is a consensus guide to managing digital security.

Cybersercurity Framework Summary

Developed by NIST, it was created with input from thousands of business participants, academics, private citizens, and government representatives.

Comprehensive, flexible, and voluntary, the framework is designed to help organizations reduce their cybersecurity risk. It also provides a common language for understanding, managing, and communicating about cyber risk.

How is the Framework Organized?

The framework is organized into three basic parts: core, implementation tiers, and profile.

The core identifies five steps—the core components—of cybersecurity risk management: identify, protect, detect, respond, recover.

Cybersecurity Framework Summary

The framework organizes the five core functions into detailed categories and subcategories, connecting each subcategory to specific external standards, guidelines, and best practices.

Establishing a Common Language

Structuring your business’s cybersecurity risk management within a consensus-based set of defined categories and subcategories, linked to specific reference points, lays the foundation for your business to communicate in the common language of cybersecurity.

This shared language makes it easier to discuss cybersecurity risks both internally and externally. It also makes it easier to get a clear view of your business’s current cybersecurity posture, target improvements, and evaluate progress towards those goals.

Cybersecurity Framework Summary

And, if your business does fall victim to a cyberattack, your having adopted the Cybersecurity Framework may help mitigate your regulatory and litigation exposure.

Measuring Your Progress

The second component of the Cybersecurity Framework is the implementation tiers. They describe how an organization views its cybersecurity risk and the practices that it has in place to manage that risk.

The framework has four implementation tiers, from “partial” (tier 1) through “adaptive” (tier 4). The basic idea is to help organizations mature from informal, reactive programs to agile, intelligent programs.

Cybersecurity Framework Summary

Finally, the framework profile provides a method for improving an entity’s cybersecurity by comparing its current profile (the “as is” state) with the target profile (the “to be” state).

Further Reading

A full version of the Cybersecurity Framework is available here.

The Ponemon Institute’s “2016 State of Cybersecurity in Small & Medium-Sized Businesses” is available here.

About Cyber + Co.

Cyber + Co. is a periodic review of cybersecurity issues relevant to small businesses.

About the Author

Tom Cummins is the founder of Potomac Litigation. He has deep experience assisting clients in some of history’s largest data breaches, as well as a host of other cybersecurity incidents.

bottom of page