NIST, the National Institute of Standards and Technology, is a laboratory and non-regulatory federal agency of the U.S. Department of Commerce. Founded in 1901 to boost U.S. industrial competitiveness, NIST fosters efforts to create standards across technology systems. Today, NIST continues to push for innovation in a variety of industries and develops guidelines to do so. Two such guidelines are the Cybersecurity Framework (CSF) and the recently released Privacy Framework.
While most guidelines that NIST creates are unenforced, the federal government endorses this guidance as best practice across sectors.
What is the NIST Cybersecurity Framework?
The NIST Framework for Improving Critical Infrastructure Cybersecurity, more commonly known as the NIST Cybersecurity Framework or simply the CSF, is a tool to help organizations manage cybersecurity risk to critical infrastructure more consistently. It is made up of three components:
- Implementation Tiers, which describe how well cybersecurity risk management is integrated into the organization's broader risk management
- Framework Core, a set of five high-level Functions, each broken into 3 to 6 categories:
  - Identify: managing and assessing risk across environments and assets
  - Protect: everything from raising awareness and training to implementing security technology
  - Detect: creating processes to discover abnormal access and anomalies
  - Respond: planning how to analyze and contain the issue, and communicating with stakeholders
  - Recover: planning for recovery, including communicating and making improvements
- Profiles, an organization's comparison of its own requirements and goals against the Cybersecurity Framework, which can be used to find gaps and areas for improvement
The Cybersecurity Framework can be used to uncover and prioritize cybersecurity goals to reduce risk. For detailed information about the Cybersecurity Framework, see NIST’s training modules.
What is NIST’s Privacy Framework?
Rolled out in January of 2020, the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management is a means to help organizations manage privacy risks and protect individuals’ privacy while collecting and using personal data.
The Privacy Framework overlaps slightly with the Cybersecurity Framework as a risk management document, but with an eye towards individuals whose personal data is exposed. It also differentiates between cybersecurity-related data incidents and events stemming from data processing.
Like the Cybersecurity Framework, the Privacy Framework is made up of Implementation Tiers, Profiles, and a Core whose high-level Functions cover how to understand and mitigate the privacy risks of data processing:
- Identify: Uncovering gaps and understanding privacy risks in current processes
- Govern: Continuously reevaluating privacy risk priorities
- Control: Managing privacy risks by controlling access to data
- Communicate: Disclosing how data is processed and used for both individuals and the organization
- Protect: Developing ways to safely process and store data
Version 1.0 of the NIST Privacy Framework was released in January 2020. For the most recent version, see the Privacy Framework overview on NIST’s website.
Why are NIST’s Frameworks Important?
While the Privacy and Cybersecurity Frameworks are suggestions for organizations, they offer helpful ways to adhere to new laws like GDPR and the CCPA, and federal laws like HIPAA and FISMA. Both are meant to:
- Provide standardized government-endorsed security best practices across industries
- Spark questions about and investigation into current cybersecurity and data risk management
- Offer ways to communicate throughout departments to assess and mitigate risk
- Encourage preparation for potential data breaches
- Improve how organizations think about and manage risk, including response and recovery
Ensuring secure infrastructure can help avoid data breaches and their consequences: fines, loss of customer trust, and loss of business.
How Can You Improve Your Cybersecurity and Risk Management?
Using secure and auditable tools to transfer and process data can significantly reduce your risk of both data breaches and improper handling of personal data. Make sure your file transfers are encrypted, and that only appropriate users have access to specific folders and files.