The NIST Cybersecurity Framework (CSF) is a voluntary framework developed by the National Institute of Standards and Technology (NIST) to help organizations understand, assess, prioritise and communicate their cyber-security risks. It collects accepted practices into a common structure so that an organization can manage and reduce the risk to its systems, networks, data and other assets, and talk about that risk in one consistent vocabulary from the board down to the engineering teams.
The framework does not prescribe specific controls. Its outcomes are derived from existing standards and best practices and are cross-referenced to them, which lets an organization evaluate its present cyber-security procedures, see where they fall short, and decide where to invest next to improve cyber-security and cyber resilience.
CSF 1.1 vs 2.0: what has changed?
CSF 2.0 adds a sixth function, Govern, and reorganises the categories and subcategories beneath the functions. Governance and supply-chain outcomes that sat under Identify in 1.1 (for example the Supply Chain Risk Management category) move under Govern, several 1.1 categories are merged or realigned, and some are removed. The intended audience has also widened: 1.1 was framed around critical infrastructure, while 2.0 is written for organizations of any size and sector.
CSF 1.1 – There are 5 functions, 23 categories and 108 subcategories.
CSF 2.0 – There are 6 functions, 22 categories and 106 subcategories.

Primary components of the NIST Cybersecurity Framework (CSF) 2.0:
- Core: The core is organised into six functions, Govern, Identify, Protect, Detect, Respond and Recover, which are further divided into 22 categories and 106 subcategories. Each subcategory states an outcome (what should be in place), not how to achieve it; the "how" comes from the separately published informative references and implementation examples. Because the same outcomes are readable by executives, risk managers and engineers, the core is the part of the framework that everything else hangs off.
- Tiers: Tiers characterise how rigorous an organization's cyber-security risk governance and management practices are, and therefore how reliably it achieves the outcomes in its profile. There are four tiers: Partial, Risk Informed, Repeatable and Adaptive.
- Profiles: A profile is the organization's own selection of CSF outcomes, tailored to its mission, risk appetite and requirements. A "current" profile records which outcomes are achieved today and to what degree; a "target" profile records the outcomes the organization wants to achieve. The gap between the two drives the action plan.
CSF Core functions
- Govern: The function establishes, communicates and monitors the organization's cyber-security risk management strategy, expectations and policy. It covers organizational context, risk management strategy, roles and responsibilities, policy, oversight and supply-chain risk management, and it informs how the other five functions are carried out.
- Identify: The function builds the organization's understanding of its current cyber-security risk: which assets (systems, data, people, suppliers) it depends on and which risks affect them, so that protection and detection effort can be prioritised.
- Protect: The function applies safeguards to manage those risks. In CSF 2.0 it is no longer worded around delivery of critical infrastructure services but around identity management and access control, awareness and training, data security, platform security and technology infrastructure resilience.
- Detect: The function finds and analyses possible cyber-security attacks and compromises in time to act on them, through continuous monitoring and adverse event analysis.
- Respond: The function takes action on a detected cyber-security incident: incident management, analysis, reporting and communication, and mitigation.
- Recover: The function restores assets and operations impaired by a cyber-security incident and communicates about the recovery.
Implementation Tiers
The NIST Cybersecurity Framework (CSF) implementation tiers describe the rigour of an organization's cyber-security risk management practices. They range from 1 to 4. NIST does not present them as maturity levels, and the right tier is the one that reduces risk at acceptable cost, which need not be Tier 4 for every organization:
- Tier 1: Partial: Risk management is ad hoc and reactive; awareness of cyber-security risk is limited and there is no organization-wide approach to managing it.
- Tier 2: Risk Informed: Risk management practices are approved by management but may not yet be established as organization-wide policy; prioritisation of cyber-security activities is informed by risk, but the approach is not consistent across the organization.
- Tier 3: Repeatable: Risk management practices are formally approved and expressed as policy, applied organization-wide, and updated regularly as business requirements and the threat landscape change.
- Tier 4: Adaptive: Practices are adapted continuously on the basis of lessons learned and predictive indicators, and cyber-security risk management is fully integrated into the organization's overall risk management and budgeting decisions.
Profiles
A profile describes the organization's current state, its target state, and the practices it will adopt to move between the two. CSF 2.0 suggests the following steps to build and use an organizational profile:

- Scope the Organizational Profile: Decide what the profile covers (the whole organization, a business unit, a product or a service) and document the high-level facts about it, such as the owners, the systems in scope and any legal or contractual requirements.
- Gather needed information: Collect the inputs the profile will draw on: the risk management strategy and risk register, business impact analyses, cyber-security requirements (regulatory, contractual, internal), and the tools, policies and practices already in place.
- Create the organizational profile: Decide which CSF outcomes to include and what information each should record (for example a rating, the implementing policy or control, and a pointer to evidence), then fill in the Current Profile. Plan and prioritise the Target Profile with the risk implications of the Current Profile in mind.
- Analyze gaps and create an action plan: Perform a gap analysis between the Current and Target Profiles, then turn the gaps into a prioritised action plan (for example a risk register, a risk detail report, or a Plan of Action and Milestones) with owners and dates.
- Implement the action plan and update the profile: Execute the plan against its deadlines, record progress, and refresh the Current Profile so that the next gap analysis starts from verified facts rather than last year's assumptions.
How to implement NIST CSF 2.0 on public clouds
- Understand the Framework: Familiarize yourself with the NIST CSF 2.0, including its core functions, categories, subcategories, tiers, and profiles. This will provide a foundational understanding of the framework’s structure and objectives.
- Assess Current State: Evaluate your organization’s current cyber-security posture in the public cloud environment against the outcomes outlined in the CSF Core. Identify strengths, weaknesses, and areas for improvement to inform your implementation strategy.
- Create Profiles: Develop “Current” and “Target” profiles by mapping your cyber-security requirements, objectives, methodologies, and practices to the CSF Core outcomes. Conduct a gap analysis to identify areas where enhancements are needed to align with the desired state.
- Implement Controls: Use the Implementation Examples that NIST publishes alongside the CSF 2.0 core as a guide to concrete actions, and translate each one into the equivalent cloud-provider control (identity federation, audit logging, encryption at rest, network segmentation) for your environment. The examples are illustrative, not an exhaustive or mandatory list.
- Governance Focus: Given the introduction of the “Govern” function in CSF 2.0, ensure that your implementation emphasizes risk management strategy, organizational context, roles, responsibilities, policies, processes, procedures, and oversight across your public cloud environment.
- Engage Stakeholders: Involve key stakeholders within your organization in the implementation process. Collaborate with IT teams, security professionals, compliance officers, and other relevant personnel to ensure a comprehensive and effective deployment of the framework.
- Continuous Monitoring: Use continuous controls monitoring (CCM), that is, automated checks that read the cloud provider's configuration and audit logs, to re-evaluate the Current Profile on an ongoing basis instead of once a year. The same data feeds detection and response, so a failing check is both a profile gap and a candidate alert.
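The profile steps (build a Current Profile, compare it with the Target Profile, produce a prioritised action plan) and the cloud implementation steps above (assess current state, create profiles, continuous monitoring) fit together in one small loop. The script below is an added example, not code from the original post: automated checks over a constructed cloud inventory produce Current Profile scores, which are compared against a Target Profile to emit a prioritised Plan of Action and Milestones. The inventory, the 0-4 score scale, the priority weights and the resource names are constructed for the example; the subcategory identifiers are quoted from the CSF 2.0 core as understood here and should be checked against the published document before reuse.

```python
"""Gap analysis between a Current and a Target CSF 2.0 Profile.

Added example, not code from the original post. The inventory is a
constructed sample (not a real cloud provider export); the 0-4 score
scale and the priority weights are assumptions.
"""
from dataclasses import dataclass


# Constructed sample of what a CCM job might collect from a cloud account.
INVENTORY = {
    "iam_users": [
        {"name": "alice", "mfa": True},
        {"name": "bob", "mfa": False},
        {"name": "svc-deploy", "mfa": False},
    ],
    "storage_buckets": [
        {"name": "public-assets", "public": True},
        {"name": "customer-data", "public": False},
    ],
    "network_flow_logs_enabled": False,
    "asset_inventory_age_days": 10,
}

# Target Profile: desired score per subcategory plus a risk priority
# (3 = highest). Both values are assumed for the example.
TARGET_PROFILE = {
    "PR.AA-01": {"target": 4, "priority": 3},  # identities and credentials managed
    "PR.DS-01": {"target": 4, "priority": 3},  # data-at-rest protected
    "DE.CM-01": {"target": 3, "priority": 2},  # networks monitored
    "ID.AM-01": {"target": 3, "priority": 1},  # hardware inventories maintained
}


@dataclass
class Outcome:
    subcategory: str
    evidence: str
    failing: list   # resources that fail the check
    score: int      # assumed scale: 0 (nothing in place) .. 4 (fully achieved)


def score_ratio(passing, total):
    """Map a pass ratio onto the assumed 0-4 scale."""
    return round(4 * passing / total) if total else 0


def build_current_profile(inv):
    """Derive Current Profile scores from automated checks over the inventory."""
    users = inv["iam_users"]
    no_mfa = [u["name"] for u in users if not u["mfa"]]
    buckets = inv["storage_buckets"]
    public = [b["name"] for b in buckets if b["public"]]
    flow = inv["network_flow_logs_enabled"]
    stale = inv["asset_inventory_age_days"] > 30

    outcomes = [
        Outcome("PR.AA-01", "MFA enforced on every IAM user", no_mfa,
                score_ratio(len(users) - len(no_mfa), len(users))),
        Outcome("PR.DS-01", "No storage bucket is publicly readable", public,
                score_ratio(len(buckets) - len(public), len(buckets))),
        # "vpc-flow-logs" is a constructed resource name for the missing control.
        Outcome("DE.CM-01", "Network flow logs enabled",
                [] if flow else ["vpc-flow-logs"], 4 if flow else 0),
        Outcome("ID.AM-01", "Asset inventory refreshed within 30 days",
                ["asset-inventory"] if stale else [], 1 if stale else 3),
    ]
    return {o.subcategory: o for o in outcomes}


def gap_analysis(current, target):
    """Return action items for every outcome below target, highest priority first."""
    items = []
    for sub, t in target.items():
        cur = current.get(sub)
        score = cur.score if cur else 0   # no evidence collected counts as 0
        gap = t["target"] - score
        if gap > 0:
            items.append({
                "subcategory": sub,
                "current": score,
                "target": t["target"],
                "gap": gap,
                "priority": t["priority"],
                "remediate": cur.failing if cur else ["no evidence collected"],
            })
    # Risk priority first, then size of the gap: the order the POA&M should tackle.
    items.sort(key=lambda i: (-i["priority"], -i["gap"], i["subcategory"]))
    return items


if __name__ == "__main__":
    plan = gap_analysis(build_current_profile(INVENTORY), TARGET_PROFILE)
    for item in plan:
        print(f'{item["subcategory"]}: {item["current"]}->{item["target"]} '
              f'(priority {item["priority"]}) fix: {", ".join(item["remediate"])}')
```

Two design points carry over to a real deployment: a subcategory with no evidence is scored 0 rather than skipped, so an unmonitored outcome surfaces in the plan instead of silently passing, and the plan is ordered by the risk priority recorded in the Target Profile rather than by the size of the gap alone, which is what keeps the Govern function's risk appetite in charge of the engineering backlog.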
Top Benefits of the NIST Cybersecurity Framework for public clouds
The NIST Cyber-security Framework (CSF) offers several benefits for organizations, particularly in public cloud environments:
- Robust Security Posture: Working through the CSF outcomes gives a structured way to find and close control gaps in cloud environments, which reduces the likelihood and impact of attacks and data breaches.
- Risk Management: The framework provides a structured approach to risk management, enabling organizations to identify, assess and mitigate cyber-security risks in priority order rather than reactively.
- Regulatory Compliance: The CSF is not a certification, but its outcomes map to controls in SOC 2, ISO/IEC 27001, PCI DSS and similar standards, so a single CSF profile can serve as the backbone for several compliance programmes at once.
- Continuous Monitoring: The framework expects outcomes to be re-assessed continuously, which pushes organizations toward automated monitoring and therefore toward detecting and responding to security incidents promptly.
- Deployment-Model Agnostic: The outcomes are technology-neutral and apply equally to public, private, community and hybrid cloud deployments.
- Cost-Effectiveness: Because profiles and tiers are driven by risk, effort is directed at the outcomes that matter most rather than spread evenly, which makes better use of a limited security budget.
- Bridge Between Technical and Business Stakeholders: The NIST CSF serves as a bridge between technical and business-side stakeholders, giving both a shared vocabulary for discussing cyber-security risk and progress.
- Flexibility: Profiles let an organization tailor the outcomes to its own needs, sector and risk appetite instead of adopting a fixed checklist.
- Maintained: NIST revises the framework as threats and practice evolve (1.0 in 2014, 1.1 in 2018, 2.0 in 2024), so an organization that adopts it inherits those updates rather than maintaining its own.
- Industry-Recognized Best Practice: The NIST CSF is widely recognized and referenced by regulators and customers. Note that it is a set of outcomes and references rather than a control catalogue; the detailed controls come from the referenced standards such as NIST SP 800-53.
Conclusion
NIST CSF is a powerful framework that can help organizations secure their sensitive information and protect themselves from cyber threats and cyber crime.
We will be publishing a series on alignment of public clouds like AWS, GCP and Azure with NIST CSF 2.0.
I hope you found this blog post informative and engaging. I’d love to hear your thoughts on this post. Let’s connect and start a conversation on LinkedIn — OffloadSecurity.