The National Institute of Standards and Technology (NIST) has been setting standards for weights, measurements, material composition, and other areas of science, technology, and industry since the outset of the 20th century. Today, some of the most important work NIST is engaged in concerns artificial intelligence, cryptography, and cybersecurity.
NIST recently published version 2.0 of its Cybersecurity Framework (CSF). Originally released in 2014 and intended primarily for critical infrastructure facilities like airports, dams, and nuclear power plants, the CSF has been updated to be more generally applicable to organizations of all sizes and functions.
The main goals of NIST’s CSF 2.0 are:
- To give organizations a framework for reviewing their appetite and tolerance for risk, and for managing risk in the context of cybersecurity.
- To provide examples of best practices so that organizations can evaluate their current cybersecurity controls and establish a target for improvement.
- To promote the continuous improvement of cybersecurity practices by encouraging organizations to regularly assess their cybersecurity risks and update their cybersecurity plans.
How to use the Cybersecurity Framework
The framework can help any organization understand its own cybersecurity resources and goals. Macktez uses it as a foundation for our cybersecurity assessment and to guide our security recommendations for clients.
We are also using the framework to measure the managed services tools we use to support many of our clients, and to bundle new services that can fulfill specific cybersecurity goals.
For example, the most important CSF categories can be covered by our Core Suite of tools, including Identity Management and Workstation Management. Others are addressed by projects we regularly recommend and manage, such as Password Management, Disaster Recovery Plan Development, and Access Control Solutions. More generally, engaging Macktez as a Virtual CIO/CTO provides any organization with the experience to evaluate individual cybersecurity metrics and address them as needed.
Macktez’s Cybersecurity Assessment
We’ve boiled down NIST’s framework to a series of yes / no questions that our clients can answer themselves to start the process of assessing risk tolerance and reviewing current cybersecurity controls. There are no right or wrong answers on our questionnaire — in fact, we expect most organizations going through this process for the first time to answer “no” or “I don’t know” to many or even most questions. That’s absolutely fine. These answers start an important process: highlighting an organization’s current cybersecurity profile, identifying cybersecurity goals, and prompting Macktez for recommendations to meet those goals.