4 Critical Elements of the NIST Risk Management Framework


The world has become heavily dependent on technology. To deal with the challenges, the NIST risk management framework from the National Institute of Standards and Technology was developed. As the NIST explains, their risk management framework (RMF) incorporates concepts of their cybersecurity framework, systems security engineering, and privacy risk management concepts. In this article, we’ll cover the most pertinent things that you should know about the NIST framework.

Understanding the Most Recent Updates

The most recent update to the framework was produced in December 2018 and addressed many shortcomings that the NIST framework’s initial publication lacked. The latest iteration deals with helping departments assess and manage risk by focusing on protecting personal data. The responsibility for protecting this personal data is shared between information security and privacy programs. The NIST Cybersecurity Framework is already an accepted standard, which we covered in detail in a previous post. The new NIST Risk Management Framework ties itself heavily to the standards conceptualized by the cybersecurity framework.

Additionally, the NIST Risk Management Framework adds a preparation step before its changes are instituted. The first step organizations are asked to pursue is addressing the most critical organizational and system-level activities. Organizational activities include understanding current threats to the information systems, developing and implementing the company’s risk management strategy, and identifying the vital stakeholders in the process. System-level preparation also deals with identifying stakeholders, but specifically those that directly influence the system. Preparation at the system level also includes conducting a risk assessment on the existing system and determining the security and privacy requirements necessary for the system to operate safely.

Supply Chain Risk Management (SCRM)

Within a supply chain, businesses are likely to interact with suppliers that may or may not have the same stringent security protocols introduced by their own risk management framework. To ensure that the system continues to perform as expected, personnel must verify that suppliers further up the supply chain conform to the NIST standards. Formal agreements or contracts should govern supplier operations such as storage, processing, and federal information transmission. The responsibility for ensuring that these standards are met falls to the organization through the authorizing personnel assigned to the supply chain.

Cloud and Shared System Authorization to Use

Authorization to Use (ATU) applies to all cloud and shared applications, systems, and services. Typically, it should be implemented if the information contained within a packet doesn’t originate within the organization itself. The stipulation is that the organization must review the incoming packet for risk following their risk management strategy. Since this authorization happens internally within the organization, it saves costs to the supplier who doesn’t need to get the data verified by an external investigating committee. Facility authorization extends this consideration, allowing systems existing within a particular environment to inherit the parent organization’s controls and privacy plans.

A Holistic Approach to Security and Privacy

Organizations that depend on technology to perform their functions don’t have the luxury of ignoring the institution’s cybersecurity needs. The latest iteration of the NIST Risk Management Framework seeks to integrate with the risk management framework that the business has already developed. Additionally, senior management feels more connected to the operations needed to ensure security across the organization. Governance-level decisions can then be informed by the practices and implementations carried out under the risk management framework. The current framework also keeps all the most pertinent developments that the NIST cybersecurity framework already uses, giving it a basis to build on. If you’re interested in finding out how the Risk Management Framework works within an organization, contact our offices today! We can assist you with your business’ NIST risk management framework strategy.

Comparing ISO 27001 Standard and NIST Security Framework


Both the NIST security framework and the ISO 27001 standard deal with information security controls. The International Organization for Standardization (ISO) mentions that ISO 27001 provides guidelines for the establishment of an information security management system (ISMS). Digital Guardian informs us that the NIST security framework is designed to shore up inefficiencies in a business’s information security plans. 

It’s immediately apparent that both of these methodologies share a common goal. However, they’re not interchangeable. This article delves into the similarities and differences between the NIST’s framework and ISO 27001.

The Structure of the ISO 27001

The ISO 27001 standard has ten (10) clauses that outline the critical information for applicants. The first three (3) clauses go over references, terms, and a basic understanding of the standard. The seven that follow are instrumental in helping businesses develop and finalize their ISMS. They define the business’s organizational context and probe whether the company’s leadership is committed to ensuring the standard’s success. 

Other steps ask about the business’s ability to anticipate information security threats (cybersecurity and IT security) and manage its information security risk. The ISO standard examines the company’s established support network and suggests ways to improve and develop it. It then makes suggestions on the operation of the business’s ISMS.

As with all ISO standards, there is a built-in system for self-improvement. The final clauses of the ISO 27001 document focus on evaluating the established system’s performance and how to improve those processes. Implementing this standard can bring benefits to businesses in several ways. We covered previously how the ISO 27001 standard can work in concert with project management.

ISO 27001 Annex A has 14 Domains with 114 controls. NIST covers 110 of these controls. 

Understanding the NIST Security Framework

Since both the ISO 27001 standard and the NIST framework have similar goals, it’s evident that there will be overlap between their implementations. However, while the ISO 27001 standard was designed for a specific purpose, the NIST framework is more open-ended. As such, any business that uses information technology stands to benefit from this framework. The NIST security framework relies on five overarching principles:

  • Identify: This step determines the risks that exist within the organization from a cybersecurity perspective. It’s similar to the fourth clause of ISO 27001.
  • Protect: Businesses that have cybersecurity risks need to protect the organization’s data and infrastructure from them. This protection either stops threats from occurring or minimizes the impact of those threats if they enter the system.
  • Detect: The longer a threat remains undetected on a system, the more havoc it can cause. This step allows businesses to find threats faster and neutralize them.
  • Respond: This step creates an organized response so that all parties know what they have to do. In a cybersecurity breach, time is crucial to success. Having everything planned out beforehand speeds up deployment and engagement.
  • Recover: This stage focuses on getting the business’s systems back online and working as usual. It addresses factors such as backup and restore times, and allows the company some recovery time to get back on track after an attack.

Similar Yet Different

There are distinct similarities in how these methodologies approach the problem of information security. The NIST framework is highly flexible, which gives it a lot of room for application. However, this flexibility leaves the interpretation of the framework to the business implementing it. The ISO standard, on the other hand, is more focused on what it provides to companies. The defined, cyclical nature of the standard makes it ideal for a specific situation. Unfortunately, it’s not very flexible in application. Despite this, we’ve covered several ways in which the ISO 27001 standard can benefit businesses.

If you’ve got questions about ISO 27001 or the NIST security framework, contact Sync Resource. Let our experts help you to understand what each offers your business and which one is right for you.


How the DOD Cyber Security Program Impacts Contractors


Military contractors are usually poised at the cutting edge of DOD cybersecurity programs. Their contributions help the US maintain the most impressive standing army in the world. Because of their position, they have always needed to have top-notch cybersecurity.

Until recently, the US Government hadn’t put guidelines in place to enforce robust cybersecurity. That changed in June 2020, with the Cybersecurity Maturity Model Certification (CMMC). According to the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), the CMMC combined several security standards and industry best practices to reduce the risk of threats to contractor systems.

The implementation of this certification has changed the way contractors do business. In this article, we’ll look at the measures that the DOD has implemented to ensure governmental data safety when working with contractors. We’ll also delve into how contractors can figure out if they comply with current standards.

No Longer an Honor-Based System

In the past, contractors needed to sign a document stating that they followed industry best practices regarding their cybersecurity. Unfortunately, recent events have forced the government to reconsider its stance. In March 2019, NBC News reported that Iranian-backed hackers gained access to contractor systems, acquiring sensitive data on government-funded projects. Because of the potential fallout from exposing sensitive information, the Pentagon decided to take action. The CMMC resulted from that consultation, and it was designed to ensure that contractors comply with the security standards the government has come to expect from them.

The Cyber Security Obligations for Contractors

The DOD Cyber Security program focuses on one specific clause: Defense Federal Acquisition Regulation Supplement (“DFARS”) clause 252.204-7012, also known as the “7012 clause.” It has also been referred to as the Safeguarding Covered Defense Information and Cyber Incident Reporting clause. It’s an addition that puts the onus for identifying sensitive information on the contractor. Additionally, the contractor is responsible for ensuring that the data it has deemed sensitive remains secure.

Contractors need to be aware of the information they will receive. Typically, the 7012 clause deals with “covered defense information” (CDI). CDI includes unclassified controlled technical data and any information listed in the controlled unclassified information registry. If handling CDI is within the scope of the contract, the company needs to verify that its practices meet the demands of the DOD Cyber Security program recommendations.

DOD Cyber Security Program Guidelines

Among the guidelines that the DOD suggests for contractors are:

  • Security Standards: At a minimum, contractors should implement the National Institute of Standards and Technology Special Publication 800-171 (“NIST SP 800-171”). This implementation includes putting together a system security plan and an action plan. Both of these plans must be approved by DOD personnel.
  • Rapid Incident Reporting: After an incident occurs, contractors have up to seventy-two (72) hours to submit a report. Reportable incidents have an expansive definition. All reports must be made through the Defense Industrial Base (DIB) portal, which requires contractors to hold a DOD-approved Medium Assurance Certificate. Because the reporting window is so short, contractors should apply for this certificate in advance.
  • Cloud Computing Standards: The DOD Cyber Security program has its own recommendations for cloud-based solutions. If the business has its own in-house cloud solution, it must implement NIST SP 800-171. For those using third-party cloud suppliers, the vendors must align with the Federal Risk and Authorization Management Program (“FedRAMP”) Moderate baseline. Vendors must also comply with all obligations related to forensic analysis, media preservation, malicious software, incident reporting, and damage assessment.

Relying On Your Business Practices

Contractors already have their own standards for operation regarding their cybersecurity departments. However, it doesn’t hurt to have a fallback position. Sync Resource has an understanding of the NIST cybersecurity framework that both the CMMC and the standard DOD cyber security program obligations require. If you’d like a third-party audit of your systems or just advice on how to improve them, give us a call. We’ll be glad to ensure that you’re fully compliant with the DOD Cyber Security standards.


What is NIST Security Framework?


Established in 2014, the NIST security framework came about in response to a US governmental mandate to secure the country’s critical IT infrastructure. Columbia Business School informs us that the NIST framework’s most recent iteration was released in April 2018. The NIST framework was a game-changer for several reasons. It set in place a generic framework that could be adapted by any business requiring cybersecurity. Organizations ranging from IT departments to IoT manufacturers have utilized its guidelines and practices. Despite this, many companies still ask what the NIST security framework is and whether their organization should use it. This article will explore what the NIST framework is and how it can help a business manage its cybersecurity risk.

The Functions of the NIST Framework

The framework is divided up into a series of five functions, namely:

  • Identify: Businesses understand the risk to their systems in the context of their entire organization.
  • Protect: The organization develops and implements safeguards to ensure that its critical infrastructure remains safe from cyber attacks.
  • Detect: Departments set up monitoring to ensure that, if a threat becomes present on the network, they can detect its presence and deal with it.
  • Respond: If a threat has been detected, the organization implements countermeasures to ensure that the risk is dealt with.
  • Recover: After the attack, the organization’s systems must return to working order. These measures ensure that the time needed for recovery is minimal and that all data can be retrieved.

These functions are broad and can be further subdivided into categories and subcategories. An in-depth exploration of these comes with implementing the NIST framework within an organization’s IT infrastructure.

The Tier System

The framework divides up organizations into tiers, depending on how well they implement the suggestions put forward by the NIST. These tiers can be used as benchmarks to compare one institution’s compliance against another. They are similar to the levels that you would find in an ISO standards implementation. We covered the process for ISO certification in a previous post. The Tier system in the NIST security framework is as follows:

  • Tier 1 Partial: The organization demonstrates a limited awareness of cybersecurity risk. Management of this risk is usually ad hoc and reactive.
  • Tier 2 Risk-Informed: The institution is aware of the potential impact that cybersecurity breaches can have on its organization. Management adopts a just-in-time approach, handling threats as they happen.
  • Tier 3 Repeatable: Organizations at this tier demonstrate a well-defined and repeatable cybersecurity policy. This policy informs all risk management.
  • Tier 4 Adaptable: At this stage, organizations adapt their risk management policies based on experience and analytics of both their own and other comparable approaches. This adaptability usually requires the organization to be part of a network that also implements the NIST security framework.

How Can These Tiers be Useful?

The tier system, as established by the NIST, allows companies to compare themselves to the rest of the industry. It removes the guesswork about what needs to be improved and enables companies to forge their own path forward. Because of the framework’s open-ended nature, these tiers can be applied to any industry that needs to be concerned about cybersecurity. Using a nationally defined and accepted standard, organizations can conform to industry best practices and learn from others’ implementations.

Cybersecurity is a crucial part of your business. It’s about time you ensured that you understood the threats to your data and how to deal with them. While a business’s final adoption is ultimately its own decision, having a consultant explain what the NIST security framework is can be crucial to achieving compliance. Sync Resource has years of experience in supporting our clients through compliance testing and certification. Let us help you to meet the standards of the NIST framework and rise up the tier ranks.