November 11, 2020

Last Updated on January 15, 2024

The US National Institute of Standards and Technology (NIST) develops standards and guidelines for both the US federal government and US private sector companies. NIST has created a number of cybersecurity documents. Some of these (e.g., NIST SP 800-53Security and Privacy Controls for Information Systems and Organizations) are mandatory for US government agencies. Others, like the NIST Cybersecurity Framework (NCSF), were created to help private sector enterprises improve their information security postures. 
During a recent episode of The Virtual CISO Podcast, our special guest Dr. Ron Ross, who directs development of NIST’s cybersecurity and privacy publications, talked about the “why” behind the NCSF, and how it is designed to be used voluntarily in the private sector—especially in critical infrastructure.
The NCSF began with an executive order during the Obama administration in 2013. Its initial purpose was to offer non-government organizations a comprehensive and usable cybersecurity framework that, when properly implemented, could protect sensitive data and even reduce the risk from attacks targeting US critical infrastructure like electricity grids, water control structures and chemical plants.  

“There was a big concern with all of our critical infrastructure sectors, including things like the electric sector, the financial services sector, the defense industrial base and the communications electronics sector,” Dr. Ross says. “There are so many critical things going on today, where computers are at the heart of these operations. And those computers—the software, the firmware, the hardware—have to be trustworthy because you’re supporting critical missions and business operations.” 

If you fail at the wrong time, not only does the system go south and your operations suck, but people can die,” notes Dr. RossAnd so at that time, the executive order tasked NIST to go out and work with the critical infrastructure sectors to develop a cybersecurity framework. And it took NIST about a year to do that. … They crisscrossed the USA having, I think it was five workshops, and they produced several drafts of the document.  
The NCSF was finalized in 2014 as a result of this intensive collaborative effort between government and industryThis voluntary framework is made up of standards, guidelines and practices to reduce cyber risk for critical infrastructure. It is designed to be cost-effective, flexible and prioritized for phased/incremental implementation.

The NCSF has three main components: 

  1. The Framework Core describes “a set of desired cybersecurity activities and outcomes using common language that is easy to understand.”  
  2. The Framework Implementation Tiers offer guidance to help organizations choose the appropriate level (tier) of rigor and maturity for their cybersecurity program, and serve as a foundational tool to discuss risk, risk appetite, mission priorities and budget issues. 
  3. An organization’s Framework Profile describes its unique requirements, objectives, risk appetite and cybersecurity resources in relation to the “desired outcomes” described in the Framework Core. The purpose of a profile is to help companies identify and prioritize “opportunities for improvement,” aka vulnerabilities in their information security controls.  

A key value proposition of the NCSF compared to many other cybersecurity standards is that it is relatively straightforward for non security geeks to understand and discuss, especially with management. The NCSF is also heavily cross-referenced against other widely used information security control frameworks (e.g., the Center for Internet Security’s CIS Controls) that organizations may be working with 
To make the NCSF even more usable and digestible by industry, NIST has created online learning modules as well as other learning content. Further, NIST’s NCSF Framework team is available to answer questions at [email protected] 
If your business supports critical infrastructure or otherwise needs to amp up its security controls to more effectively manage riskdon’t miss this show with Dr. Ron Ross at NIST.  
To listen to this show, and also accessour other information security podcasts, you can subscribe to The Virtual CISO Podcast here. 
If you prefer not to use Apple Podcasts, you can access all our episodes here.