
Celebrating National Cybersecurity Awareness Month: What’s New in NIST’s Cybersecurity Framework 2.0?

By Ryan Johnston

The National Institute of Standards and Technology (“NIST”) is not frequently associated with telecommunications policymaking. Founded in 1901, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life. One aspect of its work is the creation and maintenance of a cybersecurity framework that evolves to keep pace with technology and digital threats, integrating lessons learned from academia and industry. As National Cybersecurity Awareness Month draws to a close, let’s explore the newest iteration of the NIST Cybersecurity Framework (“Framework”) and how municipalities can weave it into the broader discussions about broadband deployment.

Understanding the Framework

The key to understanding the Framework is to recognize that it is not a set of processes to be followed or rules to abide by, but a set of outcomes that institutions should strive to achieve. Nor does the Framework prescribe the order in which its pieces should be implemented; instead, an organization should determine its particular strengths and weaknesses and implement portions of the Framework accordingly. Framework 2.0 consists of six core functions: “Govern,” “Identify,” “Protect,” “Detect,” “Respond,” and “Recover.”

  • “Govern”: Explores end results to inform how an organization will achieve and prioritize the outcomes of the other five functions. In other words, this core function is about establishing and maintaining an institution’s cybersecurity risk management plan, centering expectations, and developing a policy around its strategy and expectations.
  • “Identify”: Works with the Govern function to help determine current cybersecurity risks and organize them based on the institutional priorities laid out under Govern.
  • “Protect”: Supports institutional initiatives to secure the identified assets and lower the likelihood or impact of potential cybersecurity failures. Outcomes such as training, authentication plans, and access controls are just some of the projected results contemplated under this function.
  • “Detect”: How an institution plans to find and analyze potential cybersecurity attacks and compromises.
  • “Respond”: An institution’s ability to contain the impact of cybersecurity incidents.
  • “Recover”: The outcomes an institution can work toward to support the timely restoration of normal operations.

Each of the above functions also contains categories and subcategories that help institutions narrow the scope of their planning process and identify and address specific challenges or concerns. All functions should therefore be considered together to determine overall goals and desired outcomes before applying categories and subcategories to find the areas where similar end goals are desired.

Using the Framework

While describing the Framework’s intent helps explain potential outcomes, applying it to real-world situations is a different matter. By collecting and collating function information into profiles that address specific issue areas, an institution can better understand, assess, and communicate its current and target cybersecurity goals.

Further, the Framework does not itself track whether cybersecurity outcomes have been achieved. Rather, once a baseline has been established using the Framework, reassessing cyber policy against it can give an institution evidence of achievement, or reveal areas still to be addressed. The Framework also suggests that it can be used to manage supply chain risk: applying it at key intersections of the supply chain may shed light on vulnerabilities that arise from those particular interactions and would not occur elsewhere.

The Framework is not intended to be a rigid document relegated only to certain situations. Applying the Framework and the questions it asks to interactions and systems that fall outside traditional risk assessment models can surface, and help address, risks that would otherwise go unaccounted for.

Conclusion

Whether an institution is using the Framework for the first time or has used it in the past, it is important to remember that it is designed to be used alongside other security frameworks, standards, and risk management systems. While this Framework can provide a clear and comprehensive starting point for determining where vulnerabilities may exist, it cannot provide goals or outcomes for an institution. It only helps reach them.
