866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Should You Implement the NIST Cybersecurity Framework? Blog Feature

By: JEFF SCHIESS

Print/Save as PDF

Should You Implement the NIST Cybersecurity Framework?

Federal Assessments

Anyone who has ever chosen a workout program likely started with the same goal—to improve their physical health or strength. But in exercise, different people will choose to address different things—some may opt for a comprehensive workout like CrossFit, some may choose martial arts, and others may choose Olympic weightlifting. No matter what approach you choose, you’ll improve your well-being. 

In today's digital age, the “well-being” of your cybersecurity is more important than ever. Just like beginning an exercise program indicates proactive steps to improve individual health, organizations must also take proactive steps to protect their information and assets against an increasing number of cyber-attacks and data breaches. 

In this, you have several options to choose from, and while you won’t be choosing between kickboxing and Pilates, you will need to choose the best and most effective approach to cybersecurity for your organization. As cybersecurity assessors for over two decades now, we are well-versed in many of your choices in security standards, and, in this article, we’re going to explain the benefits of one in particular—the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). 

This may or may not be the right approach for your organization, but after we explain what this framework does and how it can help, you’ll know for sure. 

What is the NIST CSF?

 

Developed by NIST in response to Executive Order 13636, the NIST CSF provides a set of guidelines, best practices, and standards to improve your critical infrastructure so that you can better manage and reduce cybersecurity risk. 

Taking a risk-based approach, the NIST CSF relies on five core functions—each function includes a set of categories and subcategories that provide more specific guidance on how to implement the function: 

NIST CSF
Core Function

Details

Identify
  • Intended as groundwork, e.g., creating baselines
  • Meant to provide you with a deeper and more complete understanding of your systems, assets, and data, as well as the associated risks.
  • Components of this function include:

o Defining the current and desired states of your controls

o Creating a plan to achieve that desired state of your security.

Protect
  • Intended to help you take steps to reduce risk
  • With the plan in place from the Identify phase, you can then take action to develop and implement appropriate controls to protect your critical infrastructure and service delivery.
  • Example controls to examine for potential implementation include:

o Access management

o Personnel awareness and training

o Information security protection processes and procedures

o Maintenance

Detect

Intended to help you better recognize the occurrence of a cybersecurity event through the implementation of appropriate procedures—the faster you detect a breach or other cyber event, the faster you can move to limit the fallout.

· Necessary activities to implement include:

o Continuous monitoring

o Disclosure procedures

o Event analysis for future prevention

Respond
  • Intended to help you bolster your comprehensive response to a cyber event through the implementation of necessary procedures, including:

o Incident response planning

o Reporting and communications process

o Mitigation plan for revealed vulnerabilities after a breach

Recover
  • Intended to help you bounce back quickly from a cyber event, including the restoration of any impaired services or systems.
  • The necessary activities for a swift recovery include:

o Recovery planning

o Improvement of recovery procedures

o Table-top exercises for communication with relevant resources

 You may have noticed a certain lack of specificity regarding controls—that’s because the NIST CSF is based on outcomes rather than controls. By addressing the functions in this completely voluntary framework, you can create a solid foundation for your cybersecurity that achieves the results you want. 

5 Benefits of Implementing the NIST CSF at Your Organization

 

If the NIST CSF is voluntary, then why should you choose to implement it and use its guidelines? 

In fact, as a standard for security, it can help your organization—no matter its size or your business—in several important ways: 

Comprehensive Approach to Cybersecurity

Because the NIST CSF covers all aspects of cybersecurity from identifying assets and assessing risk to responding to incidents and recovering from them, you can ensure that you have a well-rounded and effective cybersecurity strategy in place if you follow the framework.

Moreover, the NIST CSF’s approach to managing and reducing cybersecurity risk is presented in a helpful way that guides strategic decision-making from key members of your executive management team.

Flexible and Scalable

As it provides a common language and framework for cybersecurity that can be customized to your specific organizational requirements, the NIST CSF can be adapted to meet the needs of organizations of all sizes and in all industries.

Easier Compliance with Regulations and Standards

 

Many other cybersecurity regulations and standards, such as HIPAA, PCI DSS, Systems and Organization Controls (SOC) 2, and International Organization for Standardization (ISO) 27001, are aligned with the NIST CSF.

By implementing the framework, you will better position yourself to meet any of those specific relevant requirements that may apply to your organization and better demonstrate your compliance to regulators, auditors, and other stakeholders.

Improved Risk Management

The NIST CSF’s risk management approach allows organizations to prioritize their cybersecurity efforts based on risks and vulnerabilities specific to your organization, helping you to allocate resources more effectively and make more informed decisions about cybersecurity investments.

Enhanced Reputation and Competitive Advantage

By implementing the NIST CSF and creating a solid cybersecurity foundation, you can demonstrate to customers, partners, and stakeholders that you take the growing cybersecurity threat landscape seriously—this can enhance their reputation and increase trust in their products, services, and brand.

Once you implement the NIST CSF, you also have the option to have your efforts assessed by an outside third party. Investing further in this evaluation has its own benefits:

Can Help You Become More Cost-Effective

Because you’ll also receive guidance and feedback from experienced cybersecurity professionals, a NIST CSF assessment can help you:

  • Maximize the returns on the investment that is bringing your organization up to NIST CSF standards
  • Further minimize the impact of a potential breach

Weightier Objective Assessment

Third-party assessments provide an objective evaluation of an organization's cybersecurity posture—as the assessor is not biased by internal company politics or other pressures, you, your customers, and your other stakeholders will feel further reassured.
 

Getting Started with the NIST CSF

 

Choosing a cybersecurity framework can be like choosing a workout—you have to go for the one that is going to serve your needs best, and that may mean using the NIST CSF. With its five-function approach, the NIST CSF provides a valuable resource for organizations looking to improve their cybersecurity posture. By following its guidelines and best practices, you can reduce your cybersecurity risk, more easily comply with other relevant regulations and standards, and enhance your reputation. 

If you are interested in getting started with the NIST CSF, you first need to self-assess your current cybersecurity posture using the framework—that will help you identify areas for improvement and prioritize your efforts as you develop a cybersecurity plan that incorporates the framework's five core functions and relevant categories and subcategories. 

In the meantime, our other resources can also help you strengthen your cybersecurity practices in different specific ways: 

About JEFF SCHIESS

Jeff Schiess is a Managing Director with Schellman. Jeff is focused on governance, risk and compliance (GRC) assessments, including performing System Organization Controls (SOC 1 and 2) reporting, Health Insurance Portability and Accountability Act (HIPAA), International Organization for Standardization (ISO) 27001, and NIST CSF. Jeff has worked with Fortune 1000 and publicly traded companies across a wide range of industries, including Software-as-a-Service providers, cybersecurity services, data center hosting providers, financial services, insurance claims processing, and information technology.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.