4 Critical Elements of the NIST Risk Management Framework

The world has become heavily dependent on technology. To help organizations deal with the resulting risk, the National Institute of Standards and Technology (NIST) developed the NIST Risk Management Framework. As NIST explains, the Risk Management Framework (RMF) incorporates concepts from its Cybersecurity Framework, from systems security engineering, and from privacy risk management. In this article, we’ll cover the most pertinent things you should know about the framework.

Understanding the Most Recent Updates

The most recent update to the framework (SP 800-37 Revision 2) was published in December 2018 and addressed many shortcomings of the initial publication. The latest iteration helps departments assess and manage risk with a new focus on protecting personal data. Responsibility for protecting that data is shared between the information security and privacy programs. The NIST Cybersecurity Framework is already an accepted standard, which we covered in detail in a previous post, and the updated Risk Management Framework aligns itself closely with the concepts defined in the Cybersecurity Framework.

Additionally, the updated NIST Risk Management Framework adds a Prepare step before the rest of the process begins. The first step organizations are asked to pursue is carrying out the most critical organization-level and system-level activities. Organization-level activities include understanding current threats to the organization’s information systems, developing and implementing the organization’s risk management strategy, and identifying the key stakeholders in the process. System-level preparation also deals with identifying stakeholders, but specifically those who directly influence the system. Preparation at the system level also includes conducting a risk assessment of the existing system and determining the security and privacy requirements the system needs in order to operate safely.

Supply Chain Risk Management (SCRM)

Within a supply chain, businesses are likely to interact with suppliers that may or may not apply the same stringent security requirements that the organization’s own risk management framework imposes. To ensure that the system continues to perform as expected, personnel must verify that suppliers further up the supply chain conform to the relevant NIST standards. Formal agreements or contracts should govern supplier operations such as the storage, processing, and transmission of federal information. The responsibility for ensuring that these requirements are met remains with the organization, through the authorizing officials assigned to the supply chain.

Cloud and Shared System Authorization to Use

Authorization to Use (ATU) applies to cloud and shared applications, systems, and services. Typically, it is used when a system or service is provided by another organization rather than built and authorized in-house. The stipulation is that the organization must review the provider’s existing authorization package for risk, following its own risk management strategy, and decide whether the residual risk is acceptable. Since this review happens internally within the consuming organization, it saves the provider the cost of obtaining a separate authorization for every customer. Facility authorization extends this idea, allowing systems operating within an authorized facility to inherit the facility’s common controls and privacy plans.

A Holistic Approach to Security and Privacy

Organizations that depend on technology to perform their functions don’t have the luxury of ignoring their cybersecurity needs. The latest iteration of the NIST Risk Management Framework seeks to integrate with the risk management processes the business has already developed. As a result, senior management becomes more closely connected to the operations needed to ensure security across the organization, and governance-level decisions can be informed by the practices and implementations carried out under the risk management framework. The current framework also keeps the most pertinent developments that the NIST Cybersecurity Framework already uses, giving it a basis to build on. If you’re interested in finding out how the Risk Management Framework works within an organization, contact our offices today! We can assist you with your business’ NIST risk management framework strategy.

What is NIST Security Framework?

Established in 2014, the NIST security framework came about in response to a US government mandate to secure the country’s critical infrastructure. Columbia Business School informs us that the framework’s most recent iteration (version 1.1) was released in April 2018. The NIST framework was a game-changer for several reasons. It set in place a generic framework that could be adapted by any business requiring cybersecurity. Organizations ranging from IT departments to IoT manufacturers have utilized its guidelines and practices. Despite this, many companies still ask what the NIST security framework is and whether their organization should use it. This article will explore what the NIST framework is and how it can help a business manage its cybersecurity risk.

The Functions of the NIST Framework

The framework is divided up into a series of five functions, namely:

  • Identify: The business develops an understanding of the cybersecurity risk to its systems, assets, data, and capabilities in the context of the entire organization.
  • Protect: The organization develops and implements safeguards to ensure that its critical services keep running and to limit the impact of a cyber attack.
  • Detect: Departments set up monitoring so that, if a threat becomes present on the network, they can detect its presence in a timely manner.
  • Respond: Once a threat has been detected, the organization takes action to contain it and ensure that the risk is dealt with.
  • Recover: After the attack, the organization’s systems must return to working order. These measures ensure that the time needed for recovery is minimal and that affected data and services can be restored.

These functions are broad and can be further subdivided into categories and subcategories. An in-depth exploration of these comes with implementing the NIST framework within an organization’s IT infrastructure.

The Tier System

The framework divides organizations into tiers, depending on how fully their risk management practices exhibit the characteristics the NIST framework describes. These tiers can be used as benchmarks to compare one institution’s practices against another’s. They resemble the levels you would find in an ISO standards implementation, although NIST itself notes that the tiers are not intended to be maturity levels. We covered the process for ISO certification in a previous post. The tier system in the NIST security framework is as follows:

  • Tier 1 Partial: The organization demonstrates a limited awareness of cybersecurity risk. Management of this risk is usually ad hoc and reactive.
  • Tier 2 Risk-Informed: The institution is aware of the potential impact that cybersecurity breaches can have on the organization, but practices are not yet established organization-wide. Management adopts a just-in-time approach, handling threats as they happen.
  • Tier 3 Repeatable: Organizations at this tier demonstrate a well-defined and repeatable cybersecurity policy. This policy informs all risk management.
  • Tier 4 Adaptive: At this stage, organizations adapt their risk management practices based on experience and on analysis of both their own and comparable approaches. This adaptability usually requires the organization to share information with partners that also implement the NIST security framework.

How Can These Tiers be Useful?

The tier system, as established by NIST, allows companies to compare themselves with the rest of their industry. It removes the guesswork about what needs to be improved and enables companies to forge their own path forward. Because of the framework’s open-ended nature, the tiers can be applied in any industry that needs to be concerned about cybersecurity. By using a nationally defined and accepted standard, organizations can conform to industry best practices and learn from others’ implementations.

Cybersecurity is a crucial part of your business. It’s time to make sure you understand the threats to your data and how to deal with them. While final adoption is ultimately the business’s decision, having a consultant explain “what is NIST security framework” can be crucial to achieving compliance. Sync Resource has years of experience in supporting our clients through compliance testing and certification. Let us help you meet the standards of the NIST framework and rise up the tier ranks.