With the increasing use of artificial intelligence (AI), emphasis on cloud-first strategies and rising reliance on third-party services and technologies, organizations must have a defense plan in place to respond to third-party risk. In response to these expected trends, over half (65%) of CISOs have increased their third-party risk management budget this year. The majority have allocated it for a specific solution to third-party threats. But before CISOs jump to invest in these resource-draining tools, they should take a step back and ensure they have done all they can to implement best cybersecurity practices using recommended and trusted frameworks. One of the most popular ones, adopted by organizations of all sizes and across industries, is the NIST Cybersecurity Framework.
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework, or the National Institute of Standards and Technology Cybersecurity Framework, is the most widely used set of standards and guidelines organizations rely on to manage cybersecurity risk. A set of voluntary standards, the NIST CSF distills the steps organizations should take into a process that everyone can use to develop sound cyber practices. It was instituted in 2013 by Barack Obama under Executive Order 13636, as part of an initiative to strengthen the resilience of critical infrastructure against cybersecurity attacks, and developed by NIST through collaborative workshops, requests for information (RFI), and drafts from both the public and private sectors. The first version was released in February 2014. NIST CSF 2.0 is scheduled to be finalized in early 2024.
Although it was first intended for critical infrastructure sectors such as healthcare, manufacturing and utilities, the framework has since been voluntarily adopted by leading global organizations of all sizes and industries.
The Foundation: NIST SP 800-53
The NIST Cybersecurity Framework is based on NIST SP 800-53, a comprehensive set of standards that includes 800 controls developed for U.S. government agencies and those doing business with them. With its goal of reducing the risk of cybersecurity attacks on critical infrastructure by safeguarding information systems and improving the confidentiality, integrity and availability of their data, it has become a foundational document for cybersecurity best practices.
NIST 800-53 was developed in 2002 as part of the E-Government Act, a response to the increasing number of high-profile data breaches and the recognition that more needed to be done to protect government services. Its full title is NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and it is aimed at helping organizations meet the Federal Information Security Management Act (FISMA) requirements that were part of the E-Government Act.
How the NIST Cybersecurity Framework Facilitates TPRM
The NIST Cybersecurity Framework includes controls for third-party risk management and defines the role of each manager across the organization. Managers in the risk and compliance, IT, third-party risk and information security departments not only better understand their daily role in third-party risk management, but also know what to do in the event of a cybersecurity incident. The framework achieves this by offering a structured approach to third-party risk management, with functions, categories and subcategories for organizations to apply to each supplier, contractor, external service, agency or other third party.
The 5 Functions of the NIST Cybersecurity Framework
The NIST CSF is composed of five functions that together form the Framework Core. They are broken down into 21 categories and more than 100 subcategories, each referring to controls in other frameworks. The goal of the Framework Core is to identify the steps organizations need to take to meet different cybersecurity standards and to express those steps in language that can be understood throughout the organization, including by non-technical teams.
1. Identify
Organizations must develop a broad approach to cybersecurity that includes asset management, risk assessment, governance and supply chain risk management. This is done with an understanding of the business environment and its risk management strategy.
2. Protect
Organizations must ensure that critical infrastructure is protected through internal controls such as identity management and access control, awareness and training, and data security. In addition, information security policies should be put in place to protect systems and assets, and they should enforce regular maintenance and improvement of these controls where necessary. Finally, organizations should deploy protective technology to properly secure systems and assets and to improve resilience in line with internal processes and agreements.
3. Detect
Organizations must identify security incidents as quickly as possible, whether through analysis of anomalous behavior and events, continuous monitoring, or other detection processes.
4. Respond
After your organization has been attacked, you will need a plan and process in place to act quickly and mitigate the impact. This should include response planning, communications, analysis, mitigation, support for recovery, and improvements that incorporate lessons learned so the process is better prepared for future incidents.
5. Recover
Organizations should have a plan in place to recover from security incidents or data breaches as quickly as possible and to ensure continuity of business operations. This should include a documented recovery plan and process, continuous improvement, and effective communication between the organization and its third-party vendors.
The Main Tiers of the NIST Cybersecurity Framework
Not all organizations take the same approach to cybersecurity. The differences can stem from resources, education and awareness, and the degree to which cybersecurity risk management is integrated with operational risk management. A standardized way of describing organizations at different stages of maturity helps you determine where yours stands and what to implement next.
The NIST CSF tiers serve as benchmarks for how well an organization is following the framework, ordered from lowest to highest (Tier 1 being the lowest and Tier 4 the highest).
Tier 1: Partial
Tier 1 organizations perform cybersecurity risk management in an ad hoc manner, without a system or process for prioritizing risks. As a result, risks are difficult to manage and to communicate to stakeholders and other managers within the organization. These organizations need to better understand where they fit into the supply chain, digital ecosystem and third-party dependencies so that they can develop a process to prevent these risks from becoming threats to both their own organization and the other parties in their supply chain.
Tier 2: Risk Informed
In contrast, Tier 2 organizations have a risk management program in place, but it is not standardized across the organization. While they may partially understand where they fit into the larger supply chain, digital ecosystem or third-party dependencies, they do not understand it well enough to share the information they have or act on it.
Tier 3: Repeatable
Tier 3 organizations have a risk management program in place and have integrated it across the organization. They understand where their organization fits into the broader security landscape (the digital supply chain, ecosystem and third-party dependencies), are aware of the risks posed to both their organization and external parties, and have a plan to act on them.
Tier 4: Adaptive
Tier 4 organizations continuously improve their risk management program based on past cybersecurity successes and failures. In addition, they share information with both internal and external parties and have a standardized process in place so that they can act in real time on supply chain risks. For these organizations, cybersecurity risk is treated as one part of an integrated approach to risk management.
The NIST Cybersecurity Framework Profiles
NIST Cybersecurity Framework profiles align the functions, categories and subcategories of the NIST CSF with your organization's specific needs and risk assessments. Organizations first establish a current profile to capture the controls already in place. After analyzing the gaps in their security posture, they define a target profile describing what needs to happen to close those gaps, in order of priority. Once the changes are implemented, the profiles are continuously monitored and updated accordingly.
The NIST Cybersecurity Framework 2.0
Since the NIST CSF is continuously improved and updated to meet evolving cybersecurity risks, it is open to ongoing feedback from stakeholders. After more than a decade of the original NIST CSF, a sixth function has been added: Govern.
This new function helps ensure that an organization is reducing cybersecurity risk at the operational, management and strategic levels. It does so by specifying the roles and responsibilities needed to execute the various controls and tasks, as well as the policies and procedures governing them. The new function also helps organizations align their cybersecurity practices with legal requirements and risks.
The final version of NIST CSF 2.0 is scheduled to be published in early 2024.
How Panorays Helps Manage Third-Party Risk
While the NIST CSF is a comprehensive framework for organizations starting to build a cybersecurity strategy that includes third-party risk management, it has limitations. It does not adequately address newly evolving threats or technologies, prioritize different risks, threats and vulnerabilities, or identify the controls needed to mitigate or remediate them. As organizations increasingly rely on SaaS applications for a variety of technologies and services, assessing third-party risk has become more complex, and organizations turn to a range of tools for help. When it comes to third-party risk management tools, there is no magic bullet, but combining tools makes cyber risk management far more effective.
Panorays combines tools such as cybersecurity questionnaires with an external attack surface assessment to deliver a 360-degree cyber rating of your supplier risk. The questionnaires are auto-generated and customized for each supplier based on your organization's risk appetite, relevant regulations, and each company's internal policies. Answers are AI-validated, and a series of remediation steps is provided so that you can easily work with your third party to close any security gaps. The external attack surface assessment scans thousands of digital assets to reveal shadow IT along with fourth and fifth parties in your digital supply chain. It includes an assessment of social media presence, mentions of your vendor on dark web forums or marketplaces, and comprehensive analysis across network and application, IT and human factors.
Together the cybersecurity questionnaire and external attack surface assessment provide comprehensive visibility into your third-party risk and a quick and simple method for remediation.
Want to learn more about how you can manage third-party risk across your extended attack surface? Get a demo today.
FAQs
The NIST Cybersecurity Framework is a voluntary set of guidelines, standards and best practices related to cybersecurity for the private sector. Although originally established for organizations working with critical infrastructure, and mandatory for U.S. government agencies, it is now used by organizations of all sizes and industries. The original framework includes five core functions: identify, protect, detect, respond and recover; the latest version adds a sixth: govern.
1. Identify. Understand the broad range of cybersecurity risks to the organization, including to its assets, systems, people, data and capabilities, in order to put the proper cybersecurity practices in place to defend against them.
2. Protect. Implement the controls needed to ensure delivery of critical infrastructure services.
3. Detect. Identify security incidents as quickly as possible through analysis of anomalous behavior and events, continuous monitoring, and/or other detection processes.
4. Respond. Implement a plan and process to respond quickly when an incident does occur and mitigate its impact as much as possible.
5. Recover. Ensure the business continues its operations through recovery planning, continuous improvement and communication between internal and external parties.
The detect function of the NIST Cybersecurity Framework includes:
1. Anomalies and events. Check for unusual activity or patterns that might indicate a cybersecurity attack.
2. Security continuous monitoring. Continuously monitor information systems and assets to evaluate the effectiveness of current security measures.
3. Detection processes. Ensure detection processes are properly implemented and maintained so that security incidents are detected quickly and effectively.