Why is NIST so essential in cyber security?
With a world-class measurement and testing laboratory covering a broad range of areas in computing, mathematics, statistics, and systems engineering, NIST's cyber security program supports the agency's overall mission: to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and related technology through research and development in ways that enhance economic security and improve our quality of life.
The need for cyber security standards and best practices that address interoperability, usability, and privacy continues to be critical for the nation. NIST's cyber security programs seek to enable greater development and application of practical, innovative security technologies and methodologies that enhance the country's ability to deal with current and future computer and information security challenges.
NIST develops cyber security standards, guidelines, best practices, and resources to satisfy the requirements of U.S. industry, federal agencies, and the broader public. It carries out cyber security assignments defined by federal statutes, executive orders, and policies, including developing cyber security standards and guidelines for federal agencies. It also works closely with organizations in the public and private sectors to make sure that its resources can be readily leveraged to deal with the specific issues they face.
The NIST Framework: Core, tiers, and profiles explained
The framework is made up of three parts: the core, the tiers, and the profiles.
The core of the framework is made up of four components:
- Functions: There are five functions: Identify, Protect, Detect, Respond, and Recover. These functions are the foundation used to organize an organization's cyber security efforts.
- Categories: Within each of the five functions there are between three and six categories (23 in total in version 1.1 of the framework). These categories identify the outcomes or tasks associated with each function.
- Subcategories: Within each of the categories there are subcategories that break the outcome down even further. For instance, within the Identify category named Risk Management Strategy there are three subcategories that cover risk management processes and organizational risk tolerance.
- Informative references: specific sections of existing standards, guidelines, and practices (for example NIST SP 800-53, ISO/IEC 27001, and the CIS Controls) that illustrate ways to achieve the outcome described by each subcategory.
The tiers describe how rigorous and risk-informed an organization's cyber security risk management practices are. They range from Tier 1 (Partial), where risk management is ad hoc and reactive, through Tier 2 (Risk Informed) and Tier 3 (Repeatable), to Tier 4 (Adaptive), where practices are continuously improved from lessons learned and cyber security risk management is fully integrated with the organization's overall risk management program. For instance, a more mature, or adaptive, organization would have a risk management approach that is informed by business needs and works in tandem with the general risk management program.
The profiles are the cyber security outcomes, selected from the core categories and subcategories, that an organization aligns with its business needs, risk tolerance, and resources. A current profile records the outcomes the organization is achieving today, and a target profile records the outcomes it wants to achieve; comparing the two highlights the gaps and helps prioritize the work needed to close them.
Having a tiered approach to the NIST framework has allowed organizations to measure their individual level of cyber security maturity and share this with senior management or a board of directors, essentially enabling them to benchmark performance. One caveat: NIST states that the tiers are not maturity levels and that progressing to Tier 4 is not required; the tier an organization aims for should be chosen to match its risk, regulatory requirements, and budget. Once performance is measured and benchmarked, the board can understand how well the organization is achieving the outcomes in its target profile.