Regardless of your organization’s security posture, a NIST cyber risk assessment can add immense value to your business. The National Institute of Standards and Technology, more commonly known as NIST, is a non-regulatory federal agency that develops standards for a plethora of commonly relied-upon services and products.
What sets NIST cybersecurity risk assessments apart from other risk assessments is that NIST's overarching mission is to promote U.S. innovation and industrial competitiveness by advancing technology, with the intention of enhancing economic prosperity and improving quality of life. In other words, a NIST gap analysis or NIST cybersecurity audit serves to bolster an organization’s competitiveness rather than just checking boxes on a controls list. In addition, NIST Cybersecurity Frameworks are routinely updated to ensure they remain relevant to today’s rapidly evolving threat landscape.
Common Use Cases for Risk Assessments
U.S. Government organizations, as well as many companies that do business with the U.S. Government, are required to adopt NIST standards in order to comply with Federal law. They and their subsidiaries must also be Cybersecurity Maturity Model Certification (CMMC) certified. The CMMC comes in different flavors but is leveraged by the US government to audit a contractor’s NIST compliance based on the 5 CMMC tiers. Regardless of whether a vendor engagement is pursued, contractors must adhere to at least a Level 1 CMMC certification, i.e. the minimum set of 72 security controls. This makes the certification incredibly sought after, as it is conservatively estimated that between 200,000 and 300,000 organizations fall under the eligibility requirement for a CMMC certification.
The intersection between a CMMC and a NIST certification is that CMMC focuses on Controlled Unclassified Information (CUI), while NIST focuses on Non-Federal Organization (NFO) controls that aim to be a mandatory minimum set of controls to address growing security threats. Attaining both a CMMC and a NIST certification can greatly increase the trust of an organization’s current and prospective clients, while also establishing a cybersecurity-aware reputation.
NIST cybersecurity controls are open to all non-federal organizations. That being said, frameworks such as the NIST Cybersecurity Framework (NIST CSF) provide a central methodology for managing cyber risk aimed at a specific industry. NIST CSF is designed to benefit critical infrastructure organizations the most, as it helps guide decisions about risk management actions at every level of the business. This is in contrast to other frameworks like the NIST Cybersecurity Framework for Financial Services (NIST FFS), which is tailored to align the financial services sector with cybersecurity practices. NIST FFS is able to merge security with compliance by having financial institutions complete a NIST gap assessment, which is uncommon.
The gap assessment can then be used to create a risk profile by identifying control gaps and thus eliminating risk-inviting vectors. This profile can in turn be used to develop a plan to close the gaps and reach a tolerable level of residual risk that aligns with the organization’s mission. Banks and credit unions are on higher alert for fraud than they are for Operational Technology (OT) misconfiguration. Moreover, the threats and risks that apply to a financial institution may be irrelevant, and even inapplicable, for a company whose mission is oriented around manufacturing. Hence, the NIST frameworks offer a spectrum of risk assessments.
Organizations with a lower risk tolerance may benefit more from implementing a framework like a NIST Special Publication (NIST SP). NIST SP takes a rather granular approach to cybersecurity. That is to say, all of the NIST risk assessments take a low-level approach, but NIST SP in particular has very thorough sub-frameworks.
Preparing for a NIST Risk Assessment
Once your organization has decided to move forward with a specific framework, the ensuing months will require you to spend time customizing the framework for your specific industry, or adjusting the level of detail to what best complements your objectives. Think of it as a repeatable scientific process in which you implement the controls and then test that they are behaving as intended.
Since each NIST cyber risk assessment touches on various domains, some audits may be more rewarding for you to pursue than others. For instance, NIST FFS is highly favored by financially oriented institutions because there is already substantial overlap with existing legal regulations like SOX. Adopting NIST FFS grants financial institutions the ability to more skillfully address security in the boardroom and to better articulate needs based on their NIST FFS profile. On the other hand, organizations that frequently handle sensitive data for government or private entities may benefit more from NIST 800-171A, which focuses on information security.
The graphic below highlights how a CMMC Level 1 audit covers about 15% of the NIST SP 800-171A CUI controls. It is worth noting that organizations that handle top security clearance data may benefit more from NIST SP 800-53 compliance, which is significantly more rigorous to attain. Nevertheless, it demonstrates a higher level of security attentiveness. A NIST 800-53 certification is also the equivalent of a CMMC Level 4-5 certification, which, to put it into perspective, mandates 156 or 171 controls respectively.
[Graphic: CMMC Level 1 coverage of NIST SP 800-171A CUI controls. Image via Compliance Forge]
Acronyms for readability
AC – Access Control
AT – Awareness Training
AU – Audit and Accountability
CM – Configuration Management
IA – Identification and Authentication
IR – Incident Response
MT – Maintenance of Information Systems
MP – Media Protection
PS – Personnel Security Policy and Procedures
PE – Physical and Environmental Protection
RA – Risk Assessment Policy and Procedures
CA – Security Assessment and Authorization Policy and Procedures
SC – System and Communications Protection Policy and Procedures
SI – System and Information Integrity Policy and Procedures
Moving Beyond Risk Assessments
When browsing for a NIST framework, it is critical that businesses understand their specific needs and clientele. Regardless of the NIST cybersecurity controls picked, both organizations and the regulatory community stand to benefit, as the regulatory sector is better able to understand an institution’s baseline in comparison to industry, state, national, and global risks. This ability to scope an organization’s cyber posture enhances US economic welfare at all levels. NIST cybersecurity audits also enable institutions to focus more on core risk management missions by prioritizing NIST gap analysis elements, thereby freeing resources that can be applied to cybersecurity.
At the end of the day, the various NIST frameworks overlap in that they encourage organizations to “Identify, Protect, Detect, and Respond” to events before they become incidents. NIST’s developers, a body of long-standing security devotees and information security professionals, believe these are key to a sound security program. Implementing controls alone is no longer enough. Instead, the focus must shift to bridging controls and the risks that organizations face today.
Interested in hearing how your organization can leverage a NIST cybersecurity framework to better manage your cybersecurity risk? Call Silent Sector today to connect with one of our security experts, who will not only work with you to identify which framework is best for your business mission and operating landscape, but also help you conduct a “readiness” audit that will point out observations of high-risk areas you can address so that you can achieve certification.