
How is the NIST Cybersecurity Framework being received?

The NIST Cybersecurity Framework gets mixed reviews, but it could be a good starting point for organizations looking to better manage cybersecurity.

President Obama's recent executive order concerning cybersecurity brought attention back to NIST's Cybersecurity Framework. When the framework was first released, experts had mixed views on it. Now that it's been available for some time, how are enterprises using it? What are some of the pros and cons of the Cybersecurity Framework?

As a result of President Obama's 2013 executive order, NIST released its Framework for Improving Critical Infrastructure Cybersecurity, commonly called the Cybersecurity Framework (CSF), in February 2014. The framework is a voluntary, risk-based approach to cybersecurity that organizations of any size or sector can use to organize and improve their security program, and it was written with critical infrastructure operators in mind. Since its release it has been met with mixed reviews.

In April 2015, RSA published its Cybersecurity Poverty Index, a survey of more than 400 security professionals across 61 countries that used the NIST CSF as its yardstick. The survey's 18 questions covered the five core functions defined by the CSF: identify, protect, detect, respond and recover. Responses were scored on a five-point scale, with one indicating the least capability and five indicating highly mature practices in a given area.

The results showed that 75% of respondents have significant cybersecurity risk exposure, 20% have mature security strategies and only 5% have the highest level of capability. Geographically, Asia Pacific ranked highest, with 39% of respondents scoring fours and fives, compared with 24% in the Americas and 26% in EMEA. The study did not state how many of the Americas' respondents were from the U.S.

The NIST CSF does not define controls of its own; instead, each of its subcategories points to informative references in existing standards such as NIST SP 800-53, COBIT 5 and ISO/IEC 27001. The CSF also does not provide templates or step-by-step guidance on how to deploy the framework, so an organization has to decide for itself how to map its current practices onto the functions and categories.

A controversial component of the CSF is External Participation, one of the elements used to describe the framework's Implementation Tiers. At the highest tier, it states: "The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs." A bill recently introduced in Congress would go further, formalizing the sharing of cyberthreat intelligence between private companies and government entities. Privacy advocates strongly object to this bill.

The federal government is moving forward to support U.S. businesses, especially in light of recent breaches. Unfortunately, for heavily regulated industries -- such as finance (GLBA, FDICIA, BSA, FFIEC), public companies (SOX), healthcare (HIPAA), utilities (FERC) and government (FISMA) -- the CSF, voluntary as it is, is just one more set of requirements to reconcile with the ones they already answer to. Industries that are less regulated are still subject to security frameworks and compliance obligations of their own, such as PCI DSS for retail and e-commerce. On top of all this come frameworks and standards such as COBIT, ITIL, the NIST special publications and ISO 27001, plus the demands of external auditors, internal auditors and an organization's own internal policies.

The CSF is a good framework and should be considered a starting point for any kind of organization when managing cybersecurity risks. It is a promising step for the federal government in the wake of large data breaches that put customers' data at risk, because it establishes common guidelines for protecting against cybersecurity risks. Since the framework does not spell out what you must do to be compliant with it, the practical approach, until more concrete requirements are defined, is to map its guidance onto the regulations and standards you already have to meet, so that existing controls count toward CSF categories rather than being duplicated.

The NIST CSF may be voluntary and subject to mixed reviews, but it offers improvements for organizations in many different industries. Although some may argue that organizations are already heavily regulated, you can make your own judgment as to why the CSF was introduced.


This was last published in September 2015
