In today’s IT-driven world, customers are increasingly demanding quality credentials from their service digital providers.
More and more firms are realizing the substantial benefits of achieving standard compliance: better business processes, cutting legal risk, and retaining and attracting clients are just a few.
In the technology space, there are few organizations more recognized than the U.S.-based National Institute for Standards and Technology, commonly known by its acronym, NIST.
NIST is a physical sciences laboratory that conducts research on technical innovations of interest to the federal government. What’s important to understand about NIST is that it is not a regulatory body. NIST does not enact regulation or any other binding rules. With that said, its research and reports are highly influential to government policy decisions, and more importantly, NIST recommendations have become a standard for the private business world as well.
Today it is very common for industries to speak of ‘NIST compliance’ even though strictly speaking, NIST standards are merely recommendations and not obligatory. Companies are eager to meet those standards however since that achievement communicates to their clients a particularly high standard of excellence.
There is one notable exception to this. All IT security standards of NIST are required for any company working in the federal supply chain. This includes prime contractors (a firm that has been directly hired by the government) and subcontractors supporting those prime contractors.
The key term to be aware of when considering NIST compliance for government work is Controlled Unclassified Information (CUI). CUI isn’t exactly ‘secret’ information. But it’s the type of thing that is just sensitive enough to warrant a bit more attention. Because private firms working for federal agencies will likely run into quite a bit of this form of sensitive data, most of the qualifications for obtaining contracts will revolve around this.
The bottom line being, any business with a digital information-related service looking to contract with the government, being NIST compliant is a prerequisite. But we’ll talk more about this a bit later.
Compliant with What?
NIST has been putting out reports for well over a hundred years. There’s a lot of NIST standards out there. Often there are several different reports that affect the same industry.
The NIST government website has a very easy-to-use database containing all of the organization’s published work organized by industry. This makes it easy for any firm seeking to achieve compliance to know which standards are relevant for its field.
To put this into some real-world terms, we can look at some well-known companies that have made NIST compliance a priority.
Microsoft’s well-known cloud service Azure, proudly boasts compliance with the NIST standards on cybersecurity. This is a noteworthy example. Microsoft is considered a global authority on all things IT. The fact that they took the time to comply with NIST–and promote that fact to its customers–shows just how definitive NIST standards are. In order to earn this status, the main things Microsoft had to demonstrate was its risk management policies for storing client data and submit to a federal audit on cloud security known as FedRAMP based on NIST security measures.
Retailer giant Amazon has also undergone NIST compliance. With millions of accounts worldwide and also supporting one of the biggest cloud services in the world, having the NIST checkmark is a major asset to Amazon. Amazon had to orient its operations to specific standards on risk mitigation. The NIST report relevant here is the SP 800-53 which deals primarily with privacy standards including the proper categorization of Personal Identifying Information (PII) and its storage and transfer.
Of course, NIST standards are not only relevant to big tech. The agency has recommendations for a full range of industries, from bioengineering to quantum science. Next to IT, manufacturing is the field that makes the most use of NIST recommendations. The main NIST cybersecurity framework for this field is the Manufacturing Extension Partnership or MEP. Institutions across academia, private business, and local government take part in this framework which focuses mainly on safety and efficiency. Abiding by MEP has reportedly saved companies millions in costs and has helped to solidify business partnerships across the country. Take the story of Florida Makes, for instance, the state-wide conglomerate of manufacturers. The group claims over $34 million in cost savings stemming from their MEP compliance.
Medical services and health science is also a major area of NIST’s research. Today their standards support dozens of major companies in this industry, which have not only helped these firms with their costs but helped them in their innovation and product development. North American Rescue, the world-renowned emergency and field medicine firm based in North Carolina, used NIST research to organize its business model and streamline processes.
The CSF and RMF
One of the most influential NIST reports is their Cyber Security Framework or CSF.
NIST Cybersecurity framework was designed to be a guide for how companies and their stakeholders could manage and reduce cyber-related risks across different professional domains and industries. The first version of CSF was published in 2014 and has since gone through a few iterations. The latest report was published in April 2018. The Framework is quite literally the baseline for all NIST standards related to cyber and IT in general. For this reason, it is very much worthwhile to gain a basic understanding of this document if becoming NIST compliant is your goal.
CSF deals with five distinct categories or “functions” of security management. Let’s do a quick overview:
Identification is all about understanding and managing the current risks to a system. This includes knowing the vulnerabilities within a network’s infrastructure as well as those presented by user practices. It also means staying updated on threat trends in the cybersphere–ie, which entities are being targeted by which tools.
According to NIST’s definition, protection is not limited to the more ‘passive’ methods of defense such as firewalls, but also includes the measures needed to “ensure delivery of critical infrastructure services.” In plain English, Protection consists of the tools, policies, and best practices for a given organization to move and store sensitive data in a safe and secure way. This will include authentication strategy, user policies (remote vs. on-premises, access privileges etc), and policies on personal data security, storage and transfer.
This function involves implementing tools to identify cyber events when they occur. This includes developing a plan on active monitoring for anomalies and suspicious events occurring within the network.
Response is essentially on the continuum of Detection, but is its own distinct function as well. When a cyber event occurs (and it almost certainly will happen), the organization must have in place plans for responding, whatever the event might be. Within a response strategy, IT must have security measures for: analyzing and assessing damage, communicating the occurrence to all necessary stakeholders–which includes company executives, clients, and relevant partners–and steps to contain a breach and prevent it from spreading.
The final function is the postmortem stage of cybersecurity. The CSF defines Recovery as the strategies needed to “restore any capabilities or services that were impaired due to a cybersecurity incident.” This means plans for data recovery and rendering improvements on the system to prevent similar incidents in the future.
The five functions are broken down in the CSF into 23 subcategories replete with specific recommendations, resources, and best practices.
This may seem like a lot. But don’t fret. As the CFS itself makes clear, these five groups are not an all-or-nothing package. If a company is interested in developing a cyber strategy based on NIST, it can review all of the Categories and Subcategories and, based on “business/mission drivers and a risk assessment, determine which are most important.” What this means is a company can be ‘compliant’ with the CFS in as many categories as it wants. If some categories aren’t relevant to your organization (or are already optimized) you can leave them out.
The CSF is often compared and contrasted with another related NIST guideline, the Risk Management Framework, or RMF. These two frameworks are indeed similar as both of them are designed to secure information systems. There are some key differences, however, most of which evolve on the distinct purposes of the two standards. RMF is in its essence a process of cooperating with government agencies to attain a certain security level. For this reason, it is geared more toward the use of federal agencies. CSF on the other hand was designed for the private sector. In theory, a company can independently go through the 40-some pages of the CSF independently with little to no government cooperation.
While there are some technical differences between RMF and SCF government that are not exactly negligible, the important thing to remember is this: if you’re a private company looking to achieve NIST-level IT compliance, the CSF is where you’ll want to begin.
Advantages of NIST Compliance
So let’s get practical.
What are the actual advantages of being NIST compliant?
The first point to consider is the brand value. Being able to tell your customers you’re compliant with NIST standards can be extremely beneficial. As we’ve already mentioned, even companies that are themselves authorities on IT best practices make a point of telling potential clients which third party standards they’re compliant with.
Number two on this list is the legal protection it can afford you. Data security has been firmly established as an area of company responsibility. Many governmental bodies, from the local to international level, have already codified the legal responsibility firms have to protect the data they handle–and what consequences they will suffer if they don’t. Most of these laws do not require specific actions on the part of data holders but rather require companies to implement “reasonable” measures to protect their clients’ data. This is the approach taken by Europe’s GDPR, the California Consumer Privacy Act (CCPA), and others. Since its publication in 2014, courts and regulators have repeatedly held that compliance with the NIST CSF demonstrates a reasonable level of cybersecurity. This is also the stated opinion of the Federal Trade Commission. This becomes particularly important in the event of a legal dispute or investigation.
But beyond demonstrating to others what your security standards are, compliance is also a direct benefit to your own operations.
Studies into business ROI on privacy policies and other security protocols have repeatedly shown how implementing these measures helps ensure a smooth flow of business and a healthy, effective network. Think about it. Cyber events don’t only target your clients’ data. They can also harm or hinder your very own IT assets. Another facet of this is reducing costs. NIST protocols aren’t just the most protective, they also tend to be the most efficient. By following NIST recommendations, you could be saving substantially on your cybersecurity program.
Finally, there is the added benefit of opening up your business to customers that require NIST compliance, namely, the federal government.
As we discussed earlier, any federal organization or agency must confirm a contractor’s NIST compliance before hiring them. If you’re looking to land any government contracts or working with organizations that are themselves government contractors, NIST compliance will be indispensable.
Are There Compliance Audits?
This brings us to another point: Audits.
If a company is looking into NIST compliance in order to contract with federal agencies, just declaring you’re compliant isn’t going to cut it.
Such a company will have to gain certification and requalify for it regularly.
There are basically two approaches to demonstrate compliance:
First, there is an approved self-assessment. This involved going through a checklist of requirements and submitting proof of their completion. This assessment must be submitted to the government’s registrar upon completing a proposal. Hiring such work comes with a big price tag, usually around $30,000. But in the big picture, having this assessment done well can be very profitable when it comes to winning contracts.
Once you’ve succeeded in your initial compliance review, you’ll be eligible to work with restricted companies. But your firm will be subjected to periodical reviews and regular monitoring will have to be conducted by your IT team. The frequency of these reviews vary depending on the industry, but most are initiated on an annual basis.
Who Should Manage Your Compliance with NIST?
Managing your compliance process–whether for legally required compliance or just for achieving the coveted status–will require a collaborative effort between your IT team and whichever executive is in charge of cyber security. Typically that will be the Chief Security Officer (CSO) but some firms often lay that responsibility on the Operations department.
The reason for this is pretty straightforward. Auditing for NIST compliance focuses on both the controls within a network and defining and categorizing the data you deal with. For this you will need the full cooperation of the technical team familiar with how your network operates as well as someone with a solid grasp of all the data you handle.
This holds true for both a self-audit and one being conducted by an outside vendor. One of the advantages of hiring an auditor is they’ll know exactly which questions and tasks to pose to which members of your team. Doing it yourself, while probably much cheaper, will ultimately require a lot of time and effort to just orient your staff to the various tasks.
How Long Should NIST Compliance Take?
You should not have any illusions about going into NIST compliance. It is a major undertaking.
The process can easily take six months and more in some cases, spending on the size and complexity of the company. The cost of altering company protocols and controls in order to be in line with NIST guidelines varies substantially depending on the firm, but can easily run into the tens of thousands of dollars for a medium-size business.
It is for this reason that NIST compliance should be on the agenda already in the planning stages when a system is being built or whenever new elements are being added to the network. “Compliance by design” will be much easier and less costly than revamping an existing system.
Compliance Into the Future
To end on a positive note.
While meeting NIST guidelines could be a daunting task, it is, at least in many aspects, a one-time long-term investment. NIST does make updates to its reports and alters its standards overtime. But the organization does its best to make sure any new recommendations are mostly in line with earlier versions.
Take the CSF for instance. There have been only two distinct versions of this report published in a seven-year period and even the differences between those two are not earth-shattering.
Cybersecurity is far from a set-and-forget task and requires constant work and vigilance. But bringing your firm into NIST compliance can be a tremendous asset to your firm on many fronts which, once the initial effort has been done, can be maintained with relatively low effort over