
NIST Security Compliance Frameworks: Which NIST Framework Is Right For You?
What is NIST, why should you consider their frameworks, and which of their frameworks is right for your organization?


In a recent blog post, we touched on the first steps to building a strong security compliance program by determining which specific compliance framework is right for you.


Now, we’re following up on that post to further break down NIST and their most widely used security frameworks.


What is NIST?


NIST stands for the National Institute of Standards and Technology. The non-regulatory federal agency is responsible for writing security standards and policies for the government and other organizations to follow.


There are many different individual NIST frameworks and each framework will have slightly different maturity levels, approaches, and/or priorities than the others.


What are the most common security compliance frameworks that Craft Compliance works with?


The two most common NIST frameworks that we work with at Craft Compliance are:


  • NIST CSF (the foundational Cybersecurity Framework)
  • NIST SP 800-53, Rev. 5 (the main catalog of security and privacy controls referenced across NIST frameworks)


Which NIST security compliance framework is right for my organization?


We recommend asking the following questions as you begin the process of choosing and implementing a NIST security compliance framework:


  1. Is my organization contractually obligated to any specific NIST framework?
  2. What are my organization’s goals in implementing a NIST framework?
  3. What types of data is my organization responsible for securing?
  4. What resources is my organization able to commit to implementing a NIST framework?
  5. What is the timeline for an implementation?

Another critical consideration is the current and/or desired level of maturity of your organization’s security compliance program.


For example, NIST 800-53 is incredibly comprehensive, with hundreds of controls and enhancements covering every element that an extremely mature cybersecurity program may require. Large organizations, or organizations handling highly sensitive data, may need to employ a more sophisticated compliance program using this framework.


On the other hand, NIST CSF has only around 100 core security control concepts and is much more manageable for smaller organizations. Smaller organizations that do not formally require NIST CSF compliance can use its control concepts to pick and choose the most appropriate and impactful controls to strengthen their security posture without fully adopting the entire CSF framework.


Choosing either framework will improve trust and credibility with board members, investors, and key organizational stakeholders.


While there are several NIST security compliance frameworks to choose from, it’s important to pick one that is right for your individual organization and one that you can sustainably manage.


We often recommend NIST CSF as a great framework for organizations voluntarily adopting a security compliance framework and under no contractual obligation to another framework.


If you haven’t asked any of the above questions, or you’re not entirely sure whether you want to implement a NIST security compliance framework at all, we encourage you to read our blog post, "3 Steps To Identify the Right Security Compliance Framework", or contact us so we can help you get on the right track.
