Agencies Continue to Benefit from the NIST Cyber Security Framework

The National Institute of Standards and Technology’s (NIST) Cyber Security Framework (CSF) recently celebrated its fifth birthday. By the end of next year, Gartner estimates that 50% of organizations will have implemented the NIST Framework.

This is a long way from the early days when technology leaders instituted the CSF to provide cover and defend their actions. Back then, the belief was that if a breach happened, technology leaders could deflect blame by pointing out they followed the federal government’s recommendation, almost as a way to avoid getting in trouble.

However, as these organizations adopted the CSF an interesting thing happened. They began to find its utility, even if their original goal for using the CSF was perhaps not what the framework’s authors imagined. As I discussed on a recent GovLoop webinar with Matt Barrett, who was the NIST Program Manager, Cyber Security Framework (access it on-demand), there are many lessons learned from the first five years of implementing the CSF that can be used going forward.

Full Organizational Buy-In

More than anything, the data shows that organizations – no matter what industry or sector they operate within – must have complete buy-in from all stakeholders. That can be difficult but remains a key aspect of a successful implementation. In the government sector, this can be especially challenging.

Take the National Institutes of Health (NIH) for example. There are 21 institutes that make up the NIH, which itself is part of the much larger Department of Health and Human Services (DHHS). Not only will the 21 institutes need to support the CSF, but they must align their cyber security efforts upstream with DHHS in order to provide a comprehensive view of their cyber security posture.

Organizations must also contend with multiple compliance requirements, budgetary constraints, a “one and done” mentality where the CSF is used once and then forgotten, and a lack of understanding from leadership about the importance of following the CSF.

One way Symantec helps customers understand and adopt the CSF is to host what we call a Cyber DNA Workshop. The workshop gathers all the key stakeholders in an organization and walks them through a process to help them define their “Current” Profile. We ask them a series of questions based on the Subcategories of the CSF – to determine desired outcomes, and the priority of each outcome – which we use to generate a report the customer can use to prioritize steps to get to their “Target” Profile.

Properly Managing Risk

The CSF itself does not tell you how to improve cyber security. It is intended to help organizations manage their cyber security risk. By using the CSF, organizations can determine what part of their cyber operations are working and what areas need improvement. They can then prioritize improvements and upgrades, mapping out a multi-year plan to improve their cyber security posture.

That said, similar to all cyber initiatives, the CSF is designed to be a continuous process versus a “one and done.” Organizations will need to reassess themselves against the CSF when new risks emerge as technologies, threats and priorities change.

It is hard to believe the CSF just passed the five-year mark. In many ways, it seems like a “tried and true” pillar of cyber we’ve always had, while at the same time feeling new and innovative. While the Gartner numbers show great progress (I believe their 50% adoption prediction will prove to be low), there are still a lot of organizations that yet to benefit from the approach the CSF lays out.

Please download our infographic, watch the webinar and let Symantec know how we can help your organization take advantage of the CSF. Also, make sure to join us for a GovLoop nano-course on the CSF. This course features three lessons on the CSF with a quick quiz at the end to test your skills.