Cybersecurity Framework & NIST: What You Need to Know

Robert MacDonald

While NIST’s Cybersecurity Framework is probably the most well-known, there are other cybersecurity frameworks your organization should be aware of.

What is a cybersecurity framework? A cybersecurity framework is a way to reduce the risk of cybersecurity incidents by establishing guidelines, standards, protocols and best practices for how employees should do their work while using the internet.

What Is a Cybersecurity Framework?

A cybersecurity framework is a set of practices, policies, and considerations organizations might take to better support their cybersecurity efforts. Cybersecurity has, by and large, moved away from checklist-based compliance standards where a governing body dictated specific technologies that required constant and often ineffective updating to stay ahead of threats.

Instead, frameworks provide more generalized strategies and guidance on cybersecurity, focusing on implementing a security-first posture for administrative, technical, and physical security.

Frameworks often share similar traits, including the following:

  • Best Practices: Cybersecurity frameworks will focus on how an organization can shore up security in a broad sense. These best practices will cover the critical security areas and how the organization should address them.

These areas usually include Identity and Access Management (IAM), authentication, encryption and privacy, security and physical spaces, training, education, and governance.

  • Control Catalogs: Frameworks rarely define specific standards, algorithms, or technologies, emphasizing best practices built around the latest security technologies. However, these frameworks will either explicitly point to supplementary control catalogs or have supporting catalogs created for them by standards-creating bodies.

The reason for these general approaches is to help frameworks stay flexible and relevant in the face of a rapidly evolving security landscape. Since they focus on best practices and a culture of security, any attempt to ground a framework in a specific technology could render them difficult to implement, if not immediately irrelevant.

  • Risk Management: More frameworks are turning to risk management as a foundation for security. Assessing risk forces organizations to take inventory of their vulnerable systems and to understand those systems in a business and industry context. You’ll often find cybersecurity frameworks including or referencing guidelines for risk management.

The strength of a cybersecurity framework is its applicability to modern threats and security contexts, and such a framework benefits from speaking to good security practices rather than chasing the latest technology.

What Is the NIST Cybersecurity Framework (CSF)?

One of the more open and established frameworks is the aptly named Cybersecurity Framework (CSF). Published and maintained by the National Institute of Standards and Technology (NIST), the CSF is a broad initiative to promote good cybersecurity health for federal agencies and their vendors.

However, because NIST standards are open to public scrutiny and consumption, the CSF is also well-suited for any business that wants to draw on guidance from the country’s top computer scientists and engineers to drive good cybersecurity.

The Five Categories of the Cybersecurity Framework

The CSF divides cybersecurity into five overarching categories:

  • Identify: An organization should have the capacity to identify and inventory all affected infrastructure (networks, devices, servers, data, etc.) as well as the potential vulnerabilities in that inventory. The idea here is to promote a comprehensive understanding of system security rather than the piecemeal implementation of security measures.
  • Protect: An organization must be able to protect resources identified as relevant to security. This includes utilizing perimeter security, anti-malware, identity and authentication, sufficient cryptography, training and education programs, backup and recovery strategies, and ongoing monitoring and logging for mitigation and auditing purposes.
  • Detect: An organization must be able to detect unauthorized access to the system through network connections or physical devices.
  • Respond: An organization must be able to respond to unauthorized access to protected resources with a combination of security mitigation efforts, backup recovery measures, auditing and forensic investigation capabilities, and more generalized resilience strategies (in cases of emergency system failure or natural disasters).
  • Recover: In cases of attack or disaster, a company must have measures to quickly restore system functionality while mitigating security vulnerabilities and closing gaps that led to the attack. Furthermore, the organization must have policies to dictate how they communicate these security issues with their relevant stakeholders.

While the NIST Cybersecurity Framework doesn’t outline specific technologies organizations should use, it is closely tied to several other NIST publications. Organizations adopting the CSF can therefore leverage the expertise of the NIST system to bolster their security.

What Are Some Other Cybersecurity Frameworks?

While NIST is a significant factor in the realm of security frameworks, it’s not the only one. Many industry-specific frameworks exist to address the specific needs of relevant organizations, with slightly different approaches depending on the market.

Some well-known frameworks include:

  • International Organization for Standardization (ISO) 27001: The International Organization for Standardization releases technical specifications across many categories, including cybersecurity.

The ISO 27001 standard details how an organization can create and maintain an Information Security Management System (ISMS), a comprehensive approach to security. ISO standards are internationally known and respected, but ISO is a private organization, and organizations must pay for the latest revisions of the standard and for certification audits.

  • Service Organization Control (SOC) 2: The SOC 2 standard, maintained by the American Institute of Certified Public Accountants (AICPA), is an in-depth framework for financial institutions geared toward helping them implement security, privacy, and accessibility controls for customers’ personal and financial data.

While a SOC 2 report can cover several categories (called Trust Services Criteria), the only one required for an audit is Security.

  • Health Insurance Portability and Accountability Act (HIPAA): This act provides a security framework for healthcare providers and their business associates (vendors and third-party providers).

This framework, maintained by the Department of Health and Human Services in conjunction with NIST, addresses the proper practices a provider must have when handling patient health and payment information (called Protected Health Information, or PHI).

  • General Data Protection Regulation (GDPR): This framework, specific to the European Union, defines the rights of data subjects and consumers regarding their data’s privacy and security. It defines best practices and requirements for companies handling consumer data, including how they may or may not process, store, or sell that information.

Meet the Needs of Regulations and Cybersecurity Frameworks Using 1Kosmos

There isn’t a cybersecurity framework on the market that doesn’t address access control and authentication. Verifying user identities and ensuring that access to system resources is protected with sufficient security measures is a crucial aspect of any framework, regardless of industry.

With 1Kosmos BlockID, you can rest assured that you have a solution that can meet the stringent demands of even the strictest cybersecurity frameworks. From strong biometrics for multi-factor authentication to passwordless authentication, decentralized identity management, and regulation-compliant identity assurance, 1Kosmos supports strong authentication for nearly any cybersecurity framework.

With 1Kosmos, you get the following features:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime, and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain and encrypts digital identities, which are accessible only by the user. The distributed properties ensure there are no databases to breach or honeypots for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

Sign up for a free trial to give our Identity-Based Authentication a try!


Meet the Author

Robert MacDonald

Vice President of Product Marketing

Robert is the Vice President of Product Marketing at 1Kosmos. He is a highly influential senior global marketer with more than 15 years of marketing experience in B2B and B2C software in the biometric authentication space. Prior to 1Kosmos, Rob managed product strategy and vision for the Identity and Access Management portfolio at Micro Focus, leading a team of product marketers to drive sales and support the channel. Earlier in his career he set the foundation for content planning, sales enablement and GTM activities for ForgeRock. He has also held senior marketing positions at Entrust, Dell, Quest and Corel Corporation.