
AN INTEGRATED OVERVIEW OF KEY NIST FRAMEWORKS

Introduction

Established in 1901, the National Institute of Standards and Technology (NIST) is currently a part of the U.S. Department of Commerce. As one of the nation's oldest physical science laboratories, NIST plays a crucial role in developing standards that contribute to the advancement of innovation, competitiveness, and security across diverse industries.


Therefore, considering the importance of NIST, this article offers a comprehensive overview of the essential NIST frameworks, with a specific focus on their significance in tackling contemporary challenges in cybersecurity, risk, privacy, AI risk management, and workforce development.


NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) was introduced in 2014 in response to Executive Order 13636. The framework was developed to improve critical infrastructure cybersecurity and to offer organisations a voluntary, risk-based approach to managing cybersecurity threats and improving cybersecurity practices.


The Cybersecurity Framework (CSF) is organised around five fundamental functions: Identify, Protect, Detect, Respond, and Recover. Together these functions give organisations a comprehensive approach to managing cybersecurity risk, from identifying vulnerabilities through to recovering from incidents. As summarised in the image below, each function is characterised by specific actions that are interrelated in order to achieve the desired outcomes.



[Image: the five CSF functions and their associated actions. Photo Credit: Kanini]


Given its robust and effective design, the NIST Cybersecurity Framework (CSF) has been widely adopted across sectors including healthcare, finance, and critical infrastructure. Its adaptable nature enables organisations of diverse sizes and industries to tailor how they use it, aligning cybersecurity practices with organisational risk tolerance and available resources.

 

For further reading, the complete NIST Cybersecurity Framework can be downloaded here.


NIST Risk Management Framework

The Risk Management Framework (RMF) integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. It employs a risk-based approach to control selection that considers effectiveness, efficiency, and legal constraints. The RMF methodology applies to new and legacy systems, to a wide range of technologies, and to organisations of any size or sector. Its main objective is to offer a standardised yet adaptable and customisable method for managing risk.


The Risk Management Framework (RMF) has five key components, namely Identification, Measurement and Assessment, Mitigation, Reporting and Monitoring, and Governance. These steps are designed to help organisations identify the security controls needed to protect information systems and to ensure continuous monitoring and improvement. Each phase underscores the importance of both technical and managerial aspects, thereby promoting a comprehensive approach to risk management.


Although the Risk Management Framework (RMF) was created for federal agencies, it is now increasingly used across sectors including healthcare, defence, and financial services. Its flexibility makes it an essential resource for organisations aiming to align their risk management efforts with continuously evolving cybersecurity practices.


For further reading, the complete NIST Risk Management Framework can be downloaded here.


NIST Privacy Framework

The NIST Privacy Framework is a voluntary tool developed to help organisations identify and manage privacy risks. This matters because it allows organisations to build innovative products and services while protecting individuals' privacy. The framework, released in January 2020, is intended to serve as a supplement to the NIST Cybersecurity Framework.


It should be noted that while the Privacy Framework addresses privacy as a discipline separate from cybersecurity, it complements the Cybersecurity Framework by offering a comprehensive approach to risk management. As depicted in the image below, organisations can combine both frameworks to tackle privacy and security issues concurrently.




[Image: the relationship between the Privacy Framework and the Cybersecurity Framework. Photo Credit: NIST]


The Privacy Framework is based on four fundamental functions: Identify-P, Govern-P, Control-P, and Communicate-P. These functions help organisations recognise privacy-related risks, establish governance structures to manage those risks, and implement measures to safeguard personal data. Each function is further divided into specific categories, allowing organisations to customise the framework to their unique privacy requirements. The complete NIST Privacy Framework can be downloaded here.


NIST AI Risk Management Framework

On 26 July 2024, NIST released NIST-AI-600-1, an artificial intelligence risk management framework developed to fulfil the 2023 Executive Order on safe, secure, and trustworthy artificial intelligence. The profile can help organisations identify the unique risks posed by generative AI and proposes actions for generative AI risk management that best align with their goals and priorities.


[Image: NIST AI Risk Management Framework. Photo Credit: NIST]

 

The AI RMF is built upon four fundamental principles, Govern, Map, Measure, and Manage, which give organisations a structured approach to evaluating and mitigating the risks linked to the use of AI systems. It encompasses aspects such as bias, privacy, and security vulnerabilities.


Download the full NIST AI Risk Management Framework here.

 

NICE Workforce Framework for Cybersecurity

The NICE Workforce Framework for Cybersecurity, developed by NIST, serves as a comprehensive guide for defining roles, responsibilities, and competencies in the cybersecurity workforce. Its goal is to help organisations standardise the qualifications and skills required of cybersecurity professionals, ensuring consistency across industries.


It is a guidance framework developed to help employers build their cybersecurity workforce. It establishes a common lexicon that describes cybersecurity work and workers regardless of where or for whom the work is performed. The complete NICE Workforce Framework for Cybersecurity can be downloaded here.


Conclusion

The NIST Cybersecurity Framework, RMF, Privacy Framework, AI RMF, and NICE Workforce Framework provide organisations with robust tools to manage cybersecurity, risk, privacy, and AI risks while ensuring workforce preparedness. By adopting these frameworks, organisations can align their risk management strategies with best practices and address threats in a structured and effective manner. As technology evolves, these frameworks will continue to guide organisations in managing emerging risks, supporting long-term resilience against cybersecurity and privacy challenges.



© 2024 by Cyphamz
