
NIST Cybersecurity Framework Standards

Strategically Speaking
Mar 5, 2014

Author: Karen Crumbley, karenc@gladtech.net

The Latin phrase E Pluribus Unum, or “Out of many, one,” printed on our coins could summarize the document the National Institute of Standards and Technology (NIST) released last month, the Framework for Improving Critical Infrastructure Cybersecurity (commonly called the NIST Cybersecurity Framework).  The message is easy to understand: businesses must take an active role in protecting their assets through cybersecurity awareness, thereby “increasing the cybersecurity posture of the Nation’s critical infrastructure as a whole.”  The document further explains, “This approach is necessary regardless of an organization’s size, threat exposure, or cybersecurity sophistication today.”

There is little guessing as to why NIST was compelled to publish this framework.  Major retail store breaches involving payment card fraud have brought the topic to the forefront.  Financial Institutions (FIs) want federal legislation in place to protect them from costly incidents caused by retailers’ insufficient security standards.  Card brands are also under heavy scrutiny regarding their security controls and technology.  Retail customers have had their financial information compromised.  There are clearly multiple stakeholders when it comes to cybersecurity breaches.  FIs cannot mitigate all of the risks on their own.  Everybody must get involved to defend against cyber attacks.

Another positive aspect for FIs is that the NIST framework genuinely complements the educational efforts FIs already provide to their business customers to raise awareness of cybersecurity and the risks of online banking transactions.  The framework is written for exactly that audience: it enables organizations, regardless of “size, degree of cybersecurity risk, or cybersecurity sophistication,” to “apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.”

The document breaks down five Framework Core Functions:

  1. Identify cybersecurity risks to systems, data, and capabilities. 
  2. Protect by developing the appropriate safeguards to ensure delivery of critical infrastructure services. 
  3. Detect by implementing appropriate activities to identify the occurrence of a cybersecurity event. 
  4. Respond by taking action regarding a cybersecurity event. 
  5. Recover by maintaining plans for resilience and moving back to normal operations as promptly as possible. 

In line with the five core functions above, there have been continual efforts in Congress, in both the House and the Senate, to pass a federal breach notification law in recent years.  If passed, such legislation would provide uniform procedures for all businesses that experience significant data breaches.  However, the question that continues to resurface is, “Do we need security regulation as well?”  Interestingly, FIs are no strangers to security standards for their own network environments.  They have had regulatory requirements and guidance in place to advance this initiative for many years.  Now, FI business customers may begin to experience some of those same regulatory realities.  Although the NIST document provides a “framework for improving critical infrastructure cybersecurity,” it is voluntary; there is no mandate requiring businesses to implement any of it.  Even so, the publication signifies something important: cybersecurity as a standard business function.  Regardless of how widely this voluntary framework is adopted, FIs, government, consumers, and businesses all need to put forth the effort to close the existing security gaps and work as one, not in opposition.

E Pluribus Unum…
