If you manufacture one little part for a piece of military equipment for the US government, very soon - if not already - you’re going to be required to verify that you’re compliant with the NIST Cyber Security Framework. It might not be surprising to learn that the government is tightening up cyber security throughout their supply chain, but organizations that aren’t part of a government supply chain are also adopting the framework. The reasons may be a little different for each organization but the outcome is similar - they become better managers of cyber risk.
Origins of the NIST Cyber Security Framework
NIST (National Institute of Standards and Technology) created the framework in 2014 by executive order with the goal of securing critical infrastructure. In 2017, it became mandatory for all US Federal Agencies, and now the standards are being passed down the government supply chain.
Who Uses the Framework?
The Framework isn’t just beneficial for government and government-related entities, and it’s not just for US organizations. It’s been translated into Spanish, Hebrew, Italian and Japanese, and adopted internationally by organizations that want to improve the way they manage cyber risk.
Companies of any size and in any industry can follow the NIST framework, which can be tailored to fit any situation, whether the organization is already quite mature in how it manages risk or is just getting started on building up its cyber defenses.
Why Use the Framework?
1. Secure Your Supply Chain
What’s happening in the government supply chain is a big reason why any company would want to use the framework. The framework gives companies a way to communicate their cyber security requirements to their vendors, and provides a common language to communicate about cyber security issues.
2. Improve Communication About Cyber Security
Not only does adoption of the framework help organizations communicate about cyber security externally, it helps them to become better communicators internally. This is important when you realize that cyber security isn’t just an IT issue. It’s a business risk issue, and the success of any cyber security initiative is dependent upon leadership supporting it and including it in their customer retention and business continuity strategy.
3. Meet Compliance Goals
Since the framework is about guidance and improvement, you can use it to identify gaps in your security practices and to create a roadmap that will help you comply with other security regulations.
If you are a vendor to the US Department of Defense, you will in the near future be required to verify your security level with the Cybersecurity Maturity Model Certification (CMMC). Adopting the NIST cyber security framework can be the means you use to prepare for certification.
4. Demonstrate Cyber Security Level
If you have cyber security insurance, your rate is going to be dependent upon how much risk exposure you have. Using the NIST cyber security framework can be a tool to verify your processes and give your insurance carrier more confidence that you’re making good choices in your data protection.
5. Cost-Effective Approach to Cyber Security
The framework is meant to complement your organization’s cyber security program, not replace it. Using it will help you to set goals and priorities, and to communicate those internally and externally.
What Outcomes Can Be Expected?
One of the biggest benefits that organizations experience from using the NIST cyber security framework is that everyone gains a better understanding of their risks. This helps people to adopt a mindset that security isn’t just an annoyance, but a requirement for meeting organizational goals.
What might be an even more important outcome from using the NIST framework is that leadership and employees gain the understanding that cyber security is a shared responsibility.
What’s Involved with Implementation of the Framework?
Adoption of the NIST cyber security framework begins with an assessment of your current level of cyber risk management. The next step is to set a goal for where you want to be. Then you create a roadmap that lays out how you’ll get to that goal and includes priorities for your activities.