Help! We Need NIST Cyber Security Compliance
It’s not uncommon for your customers to give you specifications about how they want to do business with you. These specs increasingly include cyber security expectations, specifically compliance with the NIST(1) Cyber Security Framework. What should you do if someone with whom you do business places this requirement on you? Here’s what you need to know.
What is the NIST Cyber Security Framework?
The Framework was initially designed in response to a Presidential Executive Order in 2013 to help government entities meet the growing threat of cyber attack with dual goals of protection and resilience. The Cybersecurity Enhancement Act was then passed in 2014.
While the Framework was originally designed to address security needs for critical US infrastructure, organizations of any size in any industry can utilize these guidelines and best practices to improve security and manage cyber risk.
A very important aspect of the Framework is its intent to improve communication about cyber security within and between organizations. NIST even suggests that organizations use the Framework to secure their supply chains, so this is one reason why your customers are presenting you with this requirement.
What’s involved with compliance?
There are three main components of the Framework, starting with Tiers which addresses an organization’s level of cyber risk management and awareness from a high level; Cores which address cyber security functions; and Profiles which address how an organization is aligned with outcomes identified in Cores.
The Framework is not a one-size-fits-all formula for ensuring cyber security. It starts with in-depth conversations about risk at the executive level. Analysis of your current cyber security status is conducted and compared to the desired status. A roadmap is created to determine where improvements and investments need to be made.
It’s beyond the scope of this article to completely explain the NIST Cyber Security Framework. Most companies need some help to interpret the standards, as well as manage the process, but here are some important points to keep in mind:
Compliance is Based on Outcomes
You’re not going to find a list of technologies and solutions in the Framework. Because organizations have different situations and risk tolerances, how you get to your desired outcome will be unique to your organization.
Compliance is an Ongoing Process
Cyber security is a process that needs to be continually managed and improved. The changing threat landscape will affect your tactics, but much of your cyber security plan should include ongoing processes like staying up-to-date with asset management, and training employees how to recognize and respond to social engineering tactics.
It’s Not Just About Technology
Helping your people to become savvy about cyber threats includes training, but organizations also need to set policies and procedures to determine how people will access your systems and data.
Compliance Starts with Risk Management
If you’re being asked by your customer to meet their standards for cyber security, then essentially you’re taking on the same risk level that they have. Other regulations may come into play depending on your business and your industry, such as HIPAA, ITAR or ISO.
Get Help With NIST Compliance
At Accent, we help companies walk through the process of becoming compliant with NIST cyber security standards. Whether you’re our managed IT services client or not, we can partner with you to create cyber security processes that keep your company - and your customers - safe in an increasingly dangerous digital world.
- NIST is the National Institute of Standards and Technology, a federal agency within the US Department of Commerce.
About Courtney Casey
In an industry dominated by men, Courtney Casey, Director of Marketing for Accent Computer Solutions, Inc., is making her mark on the world of information technology. Courtney has been immersed in the IT field most of her life and has been molded into the tech savvy expert she is today. She began working for Accent while earning her Bachelor's degree from California State University, Long Beach. Known in the Inland Empire as the "Tech Girl," Courtney is a regular columnist for the region's newspaper of record, The Press-Enterprise. Her columns address topical news trends, new technology products, and offer advice on how to embrace technology or avoid common IT pitfalls.