What is NIST?

NIST stands for the National Institute of Standards and Technology, an agency under the United States Department of Commerce. NIST published a Cybersecurity Framework that serves as a set of guidelines for private-sector companies to follow so that they are well prepared to identify, detect, and respond to a cyber attack. The core of the framework consists of five key functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The five functions act as the primary pillars of a successful cybersecurity program. They are meant to help an organization express its management of cybersecurity risk at a high level while also informing its risk management decisions.

Identify

The Identify Function assists in developing an organizational understanding to managing cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

https://www.nist.gov/cyberframework/online-learning/five-functions

Protect

The Protect Function outlines appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.

https://www.nist.gov/cyberframework/online-learning/five-functions

Detect

The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events.

https://www.nist.gov/cyberframework/online-learning/five-functions

Respond

The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.

https://www.nist.gov/cyberframework/online-learning/five-functions

Recover

The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident.

https://www.nist.gov/cyberframework/online-learning/five-functions

How do you know you are compliant with NIST?

The NIST guidelines are quite clear and straightforward. If you happen to operate within a business that works with the U.S. government, you are most likely aware of how vital NIST compliance is. Since NIST outlines the expected standards for cybersecurity, any business that associates itself with the U.S. government or one of its agencies has to be aware of the given guidelines. The reason they pay close attention is that they handle very sensitive data, which makes them an ideal target for attackers.

Among the many goals of NIST’s framework is helping companies comply with the Federal Information Security Management Act (FISMA). NIST offers an abundance of resources to help a company meet the suggested cybersecurity recommendations while also managing the cost of doing so. The IT guidelines offered by NIST enable a company to meet government expectations and protect its data successfully.

Who is NIST for?

Let’s be honest, all companies should invest in cybersecurity. A company should always invest in means to protect itself from any probable breach that may affect its business. NIST compliance, however, is vital for companies that work with or affiliate themselves with the United States government. As of 2017, the NIST Framework was made mandatory for all U.S. federal agencies.

NIST worked with private-sector and government experts to create the Framework, which was released in early 2014. The effort went so well that Congress ratified it as a NIST responsibility in the Cybersecurity Enhancement Act of 2014.

NIST Cybersecurity Framework

Should you comply?

To make it quite brief: do you want to deal with the severe damage and ramifications that could come from a breach (check out “Examining the costs and causes of cyber incidents”)? If you are non-compliant with the expectations of NIST, you could run into a lot of issues. Below are some reasons why you should consider compliance.

Data Protection

The goal of NIST compliance is to be able to protect data; data is the most valuable asset in the world. NIST compliance emphasizes the protection of controlled unclassified information. Just because data is not classified does not mean it is not sensitive. If you want to make sure your company’s data is secured, consider following the NIST guidelines. According to a report by CSO, billions of records were exposed in 2018: you do not want to be part of that statistic.

Consequences of non-compliance

A data breach can be awful, potentially causing an individual, business, or organization to suffer from damaging consequences. Here are some examples of repercussions as a result of lack of compliance with the NIST framework:

  • Loss of Business – If your data is breached, you, as an entity, would become less desirable and could potentially face severe financial losses due to vulnerabilities. When it comes to people’s business, protecting their information matters a great deal.
  • Tarnished Reputation – You, as a business, will not be trusted to manage sensitive data. Failure to reach compliance with the NIST framework could leave your reputation severely tarnished.
  • Lawsuits and Allegations – If you are deemed negligent (whether you knowingly put data at risk or were careless or operating without a proper plan), you can potentially be sued on various grounds, typically breach of contract.
  • Production decline – If you are breached, you may struggle to be productive. While dealing with a breach, you must be cautious, do what is necessary to remedy the situation, and be able to produce a report on it (I will go over some steps on what to do if you were to be dealing with a breach in a future post, as well as offer recommendations on services/products).

Advantages

If you are able to follow the NIST standards, you give your business a massive edge over the competition while also offering reassurance to your customers/clients. As a company, you also want to be confident in everyone that partners with you, and to ensure that they take every needed step to protect the data. If you can verify that you follow proper guidelines, you become more likely to land major contracts/gigs, since every potential client would prefer that you know what you are doing, or at least you should.

Conclusion

In this day and age, you want to be compliant with something like the NIST standards: you should not disregard the importance of compliance. If you are a business, or someone who works in cybersecurity (or is interested in the field), you want to take action to prevent a data breach (or other cybersecurity attacks) so that your business can flourish and your clients feel safe. Do not be afraid to invest resources into cybersecurity measures; it is worth it, especially if you can achieve proper compliance. If you do things correctly, you can keep your data protected.