While it initially focused on engagement with the federal government, the framework, because of its comprehensive approach to security, is being adopted across all industries. Organizations not adhering to it should quickly consider it as a way to develop their own security best practices.
Financial institutions, utilities companies, transportation organizations and others like them contribute to the smooth functioning of our government, and by extension, our society. For many reasons, visibility and stature among them, they could become targets for cyber exploitation. If their data and internal operations are exploited, the collateral effect could be potentially disastrous to the smooth functioning of daily business operations and national security. The NIST Framework safeguards against this type of disruption with a codified set of security requirements that aims to avoid vulnerabilities.
The concept of protecting organizations that participate in critical infrastructure illustrates the scope of what the framework attempts to cover: namely, the operations of our entire country. Yet NIST provides the framework publicly, which means that a roadmap of this gravity can also be used by any organization conducting any type of digital business. In fact, the introductory remarks of the published framework recommend using “business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes.” It’s like being handed a manual that is based on the thinking and practical usage of some of the world’s most secure organizations.
Adhering to the framework means that an organization has built its own security around a single reference that draws on the comprehensive knowledge of hundreds of governmental agencies, all of which are required to use demanding security best practices. While it requires considerable effort to be compliant with the framework, once achieved, the organization can tout compliance with the myriad standards, governance policies, audit checklists and other aspects of critical security necessary for working with almost any organization that mandates strict security adherence. Organizations that use the framework benefit by being prepared for almost any security requirements demanded by their industries, the government or their own customers.
It’s a no-brainer for government contractors, universities and research organizations, health care companies, and energy, utility, transportation and similar companies to adopt the framework. They are doing the daily work that constitutes “critical infrastructure.” Their work provides the material and intellectual progress that operates and advances our society. But every organization that seeks to innovate and deliver solutions, irrespective of the field, should quickly add NIST Cybersecurity Framework adherence to its list of priorities. Cloud service and application vendors will want to extend the benefits of the framework to their customers, as it’s a marketable advantage for them and provides an important measure of risk management.
Perhaps not all companies and organizations fall into the category of being critical to our nation’s infrastructure, but nearly all conduct some form of digital business, and ultimately this is what the Cybersecurity Framework addresses. Especially for organizations that operate their IT and application framework in the cloud, maintaining alignment with a validated and accepted security framework not only provides a model for how to be secure now; as NIST updates the framework, it will also continue to provide usable guidance on ensuring continuous compliance as security measures change and as organizations evolve.
Sebastian Taphanel is a principal solutions architect for Evident.io. Taphanel blends a 20-plus year DoD Special Ops / Intelligence career with 15-plus years of sound security engineering practices focused on implementing “Defense in Depth” through the use of innovative technologies and common sense business practices.