Expanded Definition: NIST Cybersecurity Framework

As MSPs, providing the best service possible to your clients is your primary focus, and as cybersecurity becomes a greater concern, best practices in this area are essential. One of the key challenges here for end users and MSPs alike is that cybersecurity changes over time as new threats develop or evolve. To this end, the National Institute of Standards and Technology (NIST) created the NIST Cybersecurity Framework (NIST CSF). Here are some fundamental insights and explanations for your team to start putting this framework into practice.

What is the NIST Cybersecurity Framework?

Established by the NIST and developed in collaboration across the private and public sectors, the NIST Cybersecurity Framework is a comprehensive tool that was designed to help organizations adhere to cybersecurity best practices. The NIST framework was released in February 2014 in response to an executive order that called for “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”

Today, the NIST CSF serves as a benchmark for suitable cybersecurity preparedness across many different regions and industries: More than 20 states currently use the NIST risk management framework to manage cybersecurity risks, and usage is highly encouraged across the 16 critical infrastructure sectors defined by the U.S. government. These critical sectors include:

• Financial services
• Food and agriculture
• Healthcare
• Emergency services
• Information technology.

There is no mandate today for private sector NIST compliance, which means organizations are free to adopt the framework on a voluntary basis. However, NIST framework compliance is required for federal agencies and most government contractors. The NIST Cybersecurity Framework includes five pillars that form the foundation of an effective cybersecurity program. They are:

• Identify – Pinpoint the organization's critical functions and the cybersecurity risks that could disrupt them.
• Protect – Determine the potential impact of a cybersecurity breach and develop a plan to minimize the damage done.
• Detect – Enable timely discovery of cybersecurity incidents and how to determine that a breach has occurred.
• Respond – Prepare for rapid response to any cybersecurity incidents to keep them from spreading.
• Recover – Restore any data or capabilities that were affected by a cybersecurity incident so that the organization can return to business as usual.

The MSP's role in using the NIST Cybersecurity Framework

While implementation of the NIST CSF is optional for private organizations, MSPs still have a duty to: 

1) Protect their own systems and data, 

2) Serve as a trusted IT partner and advisor for their clients. 

This can mean leveraging the NIST CSF as a tool to improve cybersecurity awareness and management. Here are some of the key elements MSPs need to focus on while implementing this framework.

Adhere to cybersecurity best practices

Before MSPs can start offering cybersecurity support and making recommendations to clients, they should first look inward to gauge the health of their own cybersecurity program. We recommend that MSPs start with a self-assessment to determine where they fall on the cybersecurity spectrum and what steps could be taken to remedy any weak spots.

For those that are ready to commit to becoming a security-first MSP, the NIST framework is incorporated as part of the risk assessments.

Conduct risk assessments

Once an MSP has an approximate idea of their own level of cybersecurity maturity, it’s smart to get a professional evaluation in the form of a cybersecurity risk assessment. For example, ConnectWise’s risk assessment tool leverages the NIST framework to provide actionable recommendations that MSPs can use to identify, detect, and respond to security risks within their own businesses.

That same tool can also be used to conduct risk assessments for clients, which is often one of the first steps involved in having the “security conversation” that can lead to opportunities for increased business value and revenue. Customer-friendly risk assessment reports use easy-to-understand language for increased clarity — this allows key stakeholders to comprehend the principles and takeaways of concepts like the NIST framework without having to learn all the technical terminology.

Offer cybersecurity training

Another way that MSPs can make sure everyone is on the same page when it comes to cybersecurity is by offering training to clients. After all, over half of SMBs do not have specific cybersecurity experts to provide guidance within their organization. MSPs might consider offering multiple training sessions covering topics such as phishing awareness, mobile device security, and effective password protection. If a client has a specific pain point or recurring issue, such as cyber threat response, they might require more in-depth training to help them understand the topic and move toward a higher level of cybersecurity maturity.

What is the NIST security framework?

The NIST Cybersecurity Framework is a comprehensive set of guidelines to help organizations stay ahead of cybersecurity risks. This was created in 2014 by the National Institute of Standards and Technology (NIST) in response to an executive order, calling for “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”

How do you implement the NIST security framework?

The NIST framework is built around five core pillars:

• Identify: Understanding essential functions of the organization and potential cybersecurity risks in each.
• Protect: Figuring out what issues can stem from a potential cybersecurity breach and creating a mitigation plan. 
• Detect: Creating a system that will enable quick discovery and diagnosis of any cybersecurity issues. 
• Respond: Establishing a rapid response plan to cybersecurity incidents in order to minimize the spread. 
• Recover: Restoring data and capabilities impacted by a cybersecurity incident to restore normal company operations.

Creating plans for each of these core pillars is the heart of the NIST security framework, but it’s also important to make sure all stakeholders in your organization are working towards common goals. Begin by making sure that all teams are fully educated on what the NIST framework is and its benefits. Second, have everyone agree on how you’ll measure the company's progress in NIST framework execution. Finally, be sure that you have a recurring monitoring and reporting plan to make sure implementation stays on track while addressing roadblocks as they arise.

What is NIST compliance?

NIST compliance is acting in accordance with one or all of the NIST Cybersecurity Framework’s standards. All government agencies must comply with the framework, while compliance is optional for private sector organizations. With this said, there are many benefits to private companies to comply, including:

• Having a long-term, flexible framework in place to address cybersecurity needs.
• Better confidence in your team’s ability to mitigate cybersecurity risks.
• Being able to bid for government contracts.
• Stronger alignment between team members inside and outside cybersecurity on goals and needs.