In 2013, President Obama issued an Executive Order (Improving Critical Infrastructure Cybersecurity) to address the growing impact of cybersecurity breaches in the United States. The order directed the National Institute of Standards and Technology (NIST) to create a “voluntary framework—based on existing standards, guidelines, and practices—for reducing cyber risks to critical infrastructure.” Government agencies and contractors were required to implement cybersecurity programs defined in NIST Special Publications 800-53 and 800-171, which required organizations to have significant technical and financial resources to implement the complex requirements.
The NIST CSF was a collaboration of public and private organizations to simplify security in a way that was effective, but also achievable and affordable. The framework has been adopted by corporations and non-profits of all sizes to protect their intellectual property by better managing their cybersecurity risks. It is broken down into five sections – Identify, Protect, Detect, Respond, and Recover – and provides an organized structure to follow to secure data.
The CSF focuses on security concepts and allows organizations to choose the appropriate tools for their specific environment. An update to the original version includes an emphasis on cybersecurity in an organization’s supply chain, including vendors and other third parties that process, store, or access data.
The NIST CSF can be implemented by organizations that must comply with HIPAA and other regulations. In 2021, a new federal law was passed giving incentives to HIPAA Covered Entities and Business Associates that implement the NIST CSF.
CompTIA, the IT industry association, realigned its Security Trustmark with the CSF, and many states have used the NIST CSF as the basis for their data protection requirements. Examples include:
- New York’s SHIELD Act
- South Carolina’s regulations requiring cybersecurity programs for insurance companies
- New York’s requirements for financial services organizations
- Connecticut’s affirmative defense laws protecting businesses from lawsuits if they conform to the framework
- Ohio’s affirmative defense laws protecting businesses from lawsuits if they conform to the framework
- Utah’s affirmative defense laws protecting businesses from lawsuits if they conform to the framework
Whether you’re an IT professional with many responsibilities within your department, or you manage client networks as part of an MSP, implementing a security framework requires a big investment of time and effort. By aligning your security stack with the NIST CSF, you can standardize your activities in a way that will protect your network.
The NIST Cybersecurity Framework’s stated purpose is “helping organizations to better understand and improve their management of cybersecurity risks.” In short, this framework helps you shore up internal and external vulnerabilities, as well as reduce the likelihood of falling victim to a cybersecurity breach.
If you’re interested in implementing NIST CSF, Compliance Manager GRC allows you to use all your current IT security tools, software, and systems to meet the requirements while you maintain compliance with any other IT requirements, regardless of source.
The built-in Standard Management Template allows you to quickly determine if you can “check the boxes” for every requirement, identifies the gaps, and automatically prepares all the documents you need to meet NIST CSF compliance.
To learn how Compliance Manager GRC can help with any or all of your compliance needs, request a demo today.