February 17, 2023

Using ASM to Unlock the Benefits of the NIST CSF

By: Randori Blog

There are many benefits of NIST CSF. 

The National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) is one of the most widely used security frameworks. 

At least 50% of U.S. enterprises are estimated to use the NIST CSF within their security programs. 

Designed to help users understand and reduce their cyber risk, the NIST CSF divides an organization’s cyber security program into five functional areas: identify, protect, detect, respond, and recover.  

Within these areas, NIST outlines 23 categories and 108 subcategories. These span everything from data security and preventing cyber threats to incident response. 

Government agencies and companies contracting with federal organizations must comply with the NIST CSF. Private sector organizations of all kinds also voluntarily use the NIST CSF as part of their organization’s risk management process. 

As the NIST CSF is a voluntary framework, there is no centrally run audit program, but many organizations choose to contract third parties to demonstrate their level of compliance.

Read on to learn how to comply with a NIST audit. 

Background of the NIST CSF

Since its launch over 10 years ago, tens of thousands of organizations have used the NIST CSF to map and reduce their cybersecurity risk. 

First developed in 2013, the NIST CSF was created as a response to a 2013 executive order that called for “a set of industry standards and best practices to help organizations manage cybersecurity risks.”

One year later, following consultation with over 3,000 security professionals with a focus on critical infrastructure sectors, version 1.0 of the NIST CSF was launched as a downloadable PDF or Excel document.

Free, relatively simple to use, and easily accessible, the NIST CSF was rapidly adopted across industries. By May 2017, the U.S. Chamber of Commerce stated that the NIST CSF had “proved itself through broad use by the business community.”

In 2018, NIST updated the CSF to version 1.1, adding a new category (identify) and 10 new subcategories.  

Today, NIST is developing the next generation of the CSF (CSF 2.0) and has produced a concept paper for public consultation. The NIST Cybersecurity Framework 2.0 is scheduled for release in the winter of 2024. 

The Benefits of the NIST Cybersecurity Framework

The NIST CSF is a scalable security framework that helps teams understand their information security maturity level, prioritize investments, and learn from a constantly evolving knowledge base.

Here are some key benefits of NIST CSF. 

Customizable cyber security risk management

Every business has a different tolerance for risk and a different level of resources available for mitigation. A significant benefit of the NIST CSF is that it recognizes this fact and gives security teams the ability to customize their approach.

The NIST CSF does not dictate how much risk an organization should tolerate in any part of their environment or what level of security measures they need to implement. 

Instead, the NIST CSF offers two layers of customization. 

Framework profiles

Organizations can create a target profile to help security teams understand how the NIST CSF might fit their organization’s real-life operations. 

This profile outlines which of the framework’s 108 controls apply. It is also customizable based on what happens within the organization’s environment and its business needs.

Implementation tiers

The CSF is not a binary framework like HIPAA, where you are either compliant or not. Instead, the CSF details four tiers of risk management.

The NIST CSF can identify an organization’s risk management approach as partial, risk-informed, repeatable, or adaptive. The last of these, adaptive, is the gold standard.

This gives scope for organizations ranging from small businesses to enterprises to find and achieve realistic goals. 

For example, a security team at an SME with limited security resources can plot a path to tier 2 (risk-informed) risk management with a focus on protecting sensitive information, rather than having to adopt a plan designed for a Fortune 500 company.

A better way to communicate risk 

By plotting security controls against business risks, the NIST CSF creates a common language that both technical security teams and non-technical business stakeholders can understand. 

Conducting a CSF gap analysis (measuring the difference between the target profile and the current profile) gives security teams a quantified score of their security performance.

It also shows the sources of risk, i.e., missing controls across core functions or poor access control, within an environment in a language that can be understood by business-focused executives.
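As an added illustration (not code from the original post or from Randori's platform), the following Python snippet performs a simplified CSF gap analysis: it compares a constructed current profile against a target profile, flags missing controls, produces a percentage score, and rolls the gaps up by CSF function. It assigns a tier (1 to 4, using the names from this post) to each subcategory rather than to the organization as a whole; the subcategory IDs and tier values are sample inputs.

```python
"""Simplified NIST CSF gap analysis: target profile vs. current profile.

Constructed example. Subcategory IDs and tier values are sample data,
and the per-subcategory tier is a simplification of the CSF's
organization-wide implementation tiers.
"""
from collections import defaultdict

# Implementation tiers as named in the CSF (1 = partial ... 4 = adaptive).
TIERS = {1: "partial", 2: "risk-informed", 3: "repeatable", 4: "adaptive"}

# Constructed sample profiles: subcategory ID -> tier the control is at.
# A current tier of 0 means the control is not implemented at all.
TARGET_PROFILE = {
    "ID.AM-5": 3, "PR.AC-1": 3, "PR.DS-1": 3, "DE.CM-8": 3, "RS.RP-1": 2,
}
CURRENT_PROFILE = {
    "ID.AM-5": 2, "PR.AC-1": 1, "PR.DS-1": 3, "DE.CM-8": 0, "RS.RP-1": 2,
}


def gap_analysis(target, current):
    """Return (per-subcategory gap, missing controls, score 0-100).

    The score is the share of the target's tier points already achieved,
    so exceeding a target on one control does not mask a gap elsewhere.
    """
    gaps, missing, achieved = {}, [], 0
    for sub, want in target.items():
        have = current.get(sub, 0)
        if have == 0:
            missing.append(sub)
        gaps[sub] = max(want - have, 0)
        achieved += min(have, want)
    score = round(100 * achieved / sum(target.values()))
    return gaps, missing, score


def gaps_by_function(gaps):
    """Roll per-subcategory gaps up to the CSF functions (ID, PR, DE, RS, RC)."""
    by_fn = defaultdict(int)
    for sub, gap in gaps.items():
        by_fn[sub.split(".")[0]] += gap
    return dict(by_fn)


if __name__ == "__main__":
    gaps, missing, score = gap_analysis(TARGET_PROFILE, CURRENT_PROFILE)
    print(f"score: {score}%  missing: {missing}  by function: {gaps_by_function(gaps)}")
```

The per-function roll-up is what lets a team report, in business terms, that detection (DE) carries the largest gap while data security (PR.DS) is already at target.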

With a 2022 Harvard Business Review study showing that only 23% of board members think that the risk of a cyber attack on their organization is very likely, the NIST CSF can be an essential lever for advocating for security budgets and requirements. 

Easier to build trust

Even when compliance with a framework is not a procurement requirement, third-party supply chain risk is still a major concern for contracting companies. 

A recent World Economic Forum study shows that 58% of organizations think their suppliers and partners have a weaker cybersecurity posture than their own.

The most effective way for organizations to dispel this opinion is to comply with a trusted framework like the NIST CSF. Being able to point to a third-party CSF audit and say, “we are at tier 3 across this profile,” demonstrates a risk-based approach and shows that an organization’s cybersecurity practices are trustworthy.

Creates a proactive culture

The NIST CSF is not a “one-and-done” framework. For organizations that take it seriously, the CSF is a continuous cycle of improvement that uses business risk as a guiding principle. 

Using the NIST CSF as a roadmap for cybersecurity risk management means approaching security as a dynamic process. Within this process, no security posture exists in a fixed state but is constantly being tested against evolving attack techniques and changing defensive environments. 

Makes compliance with other frameworks easier

The NIST CSF can be used on its own or alongside other voluntary or mandatory cybersecurity frameworks.

For example, in the healthcare industry, the NIST CSF is often used alongside HIPAA. In this environment, the relatively granular controls within the CSF can be used to demonstrate compliance with the less well-defined requirements set out by HIPAA.

When a framework like HIPAA requires an organization to “demonstrate a mechanism to do x,” the NIST CSF can serve as the default methodology for defining what that mechanism is and how well it performs its job.

The NIST CSF also follows a risk-based approach similar to that of other frameworks, such as ISO 27001.

How Randori Helps Unlock NIST CSF Benefits

The NIST CSF is built around making continuous compliance part of your organization’s cybersecurity. 

Randori’s attack surface management (ASM) platform is uniquely designed to help you proactively monitor and improve your security posture in the same way.

Using Randori allows organizations to discover vulnerabilities within their environment and prioritize them for remediation and triage based on how likely attackers are to exploit them.

Randori is a powerful tool, helping organizations meet NIST CSF controls such as:

  • NIST CSF Control ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value.
  • NIST CSF Control DE.CM-8: Vulnerability scans are performed.

Watch a demo to see how Randori can help you leverage NIST CSF benefits.
