It’s not uncommon for your customers to give you specifications about how they want to do business with you. These specs increasingly include cyber security expectations, specifically compliance with the NIST(1) Cyber Security Framework.
What should you do if someone with whom you do business places this requirement on you? Here’s what you need to know...
- What is the NIST Cyber Security Framework?
- What’s Involved with NIST Compliance?
- Get Help With NIST Compliance Consulting
What is the NIST Cyber Security Framework?
The Framework was initially designed in response to a Presidential Executive Order in 2013 to help government entities meet the growing threat of cyber attack with dual goals of protection and resilience. The Cybersecurity Enhancement Act was then passed in 2014.
While the Framework was originally designed to address security needs for critical US infrastructure, organizations of any size in any industry can utilize these guidelines and best practices to improve security and manage cyber risk.
A very important aspect of the Framework is its intent to improve communication about cyber security within and between organizations. NIST even suggests that organizations use the Framework to secure their supply chains, so this is one reason why your customers are presenting you with this requirement.
What’s Involved with NIST Compliance?
There are three main components of the Framework: Tiers, which describe an organization’s level of cyber risk management and awareness from a high level; Cores, which address cyber security functions; and Profiles, which address how an organization is aligned with the outcomes identified in the Cores.
The Framework is not a one-size-fits-all formula for ensuring cyber security. It starts with in-depth conversations about risk at the executive level. Analysis of your current cyber security status is conducted and compared to the desired status. A roadmap is created to determine where improvements and investments need to be made.
It’s beyond the scope of this article to completely explain the NIST Cyber Security Framework. Most companies need some help to interpret the standards, as well as manage the process, but here are some important points to keep in mind:
Compliance is Based on Outcomes
You’re not going to find a list of technologies and solutions in the Framework. Because organizations have different situations and risk tolerances, how you get to your desired outcome will be unique to your organization.
Compliance is an Ongoing Process
Cyber security is a process that needs to be continually managed and improved, especially as it relates to compliance. The changing threat landscape will affect your tactics, but much of your cyber security plan should consist of ongoing processes, like keeping your asset management up to date and training employees to recognize and respond to social engineering tactics.
Related: The baseline for foundational cyber security standards has changed. Basic cyber security standards just aren't enough to protect you anymore. Learn what business leaders need to know in this Executive Guide to Cyber Security.
It’s Not Just About Technology
Helping your people to become savvy about cyber threats includes training, but organizations also need to set policies and procedures to determine how people will access your systems and data.
Compliance Starts with Risk Management
If you’re being asked by your customer to meet their standards for cyber security, then essentially you’re taking on the same risk level that they have. Other regulations may come into play depending on your business and your industry, such as HIPAA, ITAR or ISO.
Get Help With NIST Compliance Consulting
At VC3, we help companies walk through the process of becoming compliant with NIST cyber security standards through NIST consulting. Whether you’re our managed IT services client or not, we can partner with you to create cyber security processes that keep your company - and your customers - safe in an increasingly dangerous digital world.
Feel like you could use some guidance? Learn more about our NIST consulting and NIST gap analysis services here.
(1) NIST is the National Institute of Standards and Technology, a federal agency within the US Department of Commerce.