The National Institute of Standards and Technology, or NIST, is a division of the U.S. Department of Commerce. NIST is a non-regulatory federal agency, whose mission is to promote U.S. innovation and industrial competitiveness by advancing technology in ways that enhance economic security and improve the quality of life. One of NIST’s functions is to help organizations to better understand and to improve their management of cybersecurity risk. NIST has created a framework that organizations can use for these purposes. The framework is revised when there are significant developments in cybersecurity. The current NIST framework is the NIST 800 Cybersecurity Framework, Version 1.1.
What is the NIST 800 Cybersecurity Framework Version 1.1?
The NIST 800 Cybersecurity Framework Version 1.1, issued in 2018, provides a common organizing structure for multiple approaches to cybersecurity. The NIST 800 Cybersecurity Framework assembles cybersecurity standards, guidelines and practices that have proven to be effective. Private organizations can use NIST’s voluntary framework to develop, maintain, or modify their own cybersecurity programs.
The NIST 800 Cybersecurity Framework Version 1.1 is divided into five Framework Core Functions. NIST advises that organizations perform these functions concurrently and continuously, with a goal of forming a culture of cybersecurity risk compliance. The five NIST 800 Cybersecurity Core Functions are:
NIST 800 Cybersecurity Core Function 1: Identify
The NIST 800 Cybersecurity Identify Core Function consists of developing an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. The specific activities for this function must be performed to make effective use of the Framework. The understanding that is needed is an understanding of which resources support the business’s critical functions, and of the cybersecurity risks associated with these resources. This understanding allows organizations to develop an effective risk management strategy. The activities associated with this function (and the other 4 functions) are called “outcome categories.” The outcome categories for this function include asset management, identity management, access control, and detection processes.
Asset management is the process of logging and monitoring all devices used by a business. Healthcare organizations should manage assets by creating a list of devices that includes who uses the device, and what protections are in place to secure electronic protected health information (ePHI).
NIST 800 Cybersecurity Core Function 2: Protect
The “Protect” core function consists of developing and implementing appropriate safeguards to ensure delivery of critical services. This function supports an organization’s ability to limit or contain the impact of a potential cybersecurity event, such as a data breach. Outcome categories within this function include identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology. Protective technology includes software, devices, and other technology that can be used to block or limit access to ePHI. Protective technology includes measures such as encryption, passwords, and access controls.
NIST 800 Cybersecurity Core Function 3: Detect
The “Detect” core function consists of developing and implementing appropriate activities to identify the occurrence of a cybersecurity event. This function allows organizations to discover security events in a timely manner, so that the impact of these events can be minimized. The outcome categories within this function include anomalies and events (that is, definitions of what constitutes anomalous, or “outside of normal” activity, and what constitutes cybersecurity events), security continuous monitoring, and detection processes.
NIST 800 Cybersecurity Core Function 4: Respond
The “Respond” core function consists of developing and implementing appropriate activities to take action regarding a detected cybersecurity incident. This function supports the ability of an organization to contain or minimize the impact of a detected cybersecurity incident. Specific outcome categories within this function include: response planning, communications, analysis, mitigation, and improvements.
Cybersecurity response planning consists of a set of instructions (set forth in an incident response plan) designed to help an organization prepare for, detect, respond to, and recover from a security incident. Most incident response plans address issues such as malware detection, data theft, and service outages. An incident response plan should be specific and actionable, detailing who should do what, and when.
NIST 800 Cybersecurity Core Function 5: Recover
The “Recover” core function consists of developing and implementing appropriate activities to maintain plans for resilience, and to restore any capabilities or services that were impaired due to a cybersecurity incident. The recover function supports timely recovery to normal operations, to reduce the impact from a cybersecurity incident. Specific outcome categories within this function include recovery planning, improvements, and communications.
Recovery planning consists of activities such as developing incident management roles and responsibilities, developing a business continuity plan, making arrangements for alternate communication channels in the event of downtime, and identifying alternate services or facilities for data.