NIST Framework and NIST Compliance
The National Institute of Standards and Technology (NIST) created NIST 800-53 to establish a cybersecurity risk management system for private sector partners. NIST 800-53 describes how federal agencies select security controls, including how they select appropriate baselines, tailor the baselines, document the selection process, and apply the process to new development and legacy operations. The NIST Cybersecurity Framework distills 800-53 so public companies committed to improving critical infrastructure can manage cybersecurity risk.
The NIST Cybersecurity Framework lists five core functions: Identify, Protect, Detect, Respond, and Recover. The Framework starts with each organization establishing a risk tolerance, which tailors compliance to that organization’s needs.
This then leads to the implementation tiers. Implementation tiers are not related to maturity level but to how cybersecurity risk management moves from informal to formal based on risk. In 2017, an Executive Order required that all federal agencies use the Framework for Improving Critical Infrastructure Cybersecurity, moving more organizations toward continuous monitoring.
Since CISOs have to ensure compliance across multiple standards and regulations, controls repeat often. Depending on the business function applying the standard, the multiplicity of standards means that different areas may be enacting different processes for the same control. This creates a burden for auditors who need to request and review different processes for different audits, potentially leading to disparate outcomes. Automation distills the frameworks so that users can map the same control to each of the different standards based on commonalities.
Why manage NIST with ZenGRC?
NIST compliance is all about keeping the company’s internal house in order.
Because of constant changes in the regulatory and IT landscapes, handling a NIST audit correctly has become infinitely more important to customers as they manage their own compliance and that of their suppliers. Without fast access to proofs of compliance and demonstrated risk management processes, closing big deals becomes more difficult, and your company will lose to competitors that pass customer inspection more easily.