NIST Audit 101: Intro to the Cybersecurity Framework

Cybersecurity’s current moment in the spotlight, propelled by numerous high-profile data breaches and cyberattacks in recent years (SolarWinds, Marriott, MGM, and more), has most industry professionals eagerly seeking guidance for their organizations. If your line of work involves information technology, one of the frameworks you’ve likely heard of in the last few years is NIST.

What Does NIST Stand for?

The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the US Department of Commerce whose mission is to promote innovation and industrial competitiveness. When someone refers to “the NIST framework,” however, they may mean any of several different frameworks: the Cybersecurity Framework, the Security and Control Framework, or the Risk Management Framework.

What Is a NIST Assessment?

A NIST Assessment usually involves two parts to determine adherence to a framework. The first part is a NIST Audit, which establishes the level of conformance to a standard: the evaluator performing the audit works from the published guidance to confirm that the organization has the required controls and standards in place. The second part is a risk analysis performed on the outcome of the audit.

What Is NIST Compliance?

NIST also provides guidance that organizations can use to comply with its standards and frameworks. NIST publications often include both standards and specific controls that organizations can adopt in their own IT environment to meet compliance. For example, an organization that wants to claim compliance with the NIST Cybersecurity Framework would generally start with a NIST Audit followed by a NIST Cybersecurity Audit. Any gaps in conformance must then be addressed to show that the organization meets all of the standards and controls.

What Is the NIST Cybersecurity Framework?

NIST’s Cybersecurity Framework (or NIST CSF), released in 2013 and updated in 2018, focuses on building cyber resiliency: shifting an organization’s stance toward cyber attacks from a reactive one to a prepared state. As internal auditors, business owners, board members, and executives alike seek to better understand how to build cyber resilient programs, NIST is an important agency and resource to get to know. Not only do its Cybersecurity and Security and Control frameworks overlap with many existing information security control frameworks, including CIS, COBIT, and ITIL, but they are also among the most detailed pieces of guidance accessible to professionals and senior management.

We spoke with a handful of risk management professionals — Ben Sady of Dixon Hughes Goodman; Andrew Cheng, CRISC, CISM, CISA; and Keith Snyder, Lindsay Timcke, and Dennis Christoforatos of DLA, a management consulting firm — to get their take on NIST and its importance today.

The NIST Frameworks You Should Be Paying Attention To

The most commonly referenced NIST frameworks in our interviews were the 800-53 Security and Control Framework and the Cybersecurity Framework. The frameworks highlighted below are relevant to anyone making decisions about cybersecurity or implementing new IT policies in an organization.

800-53 Security and Control Framework

NIST 800-53 is a robust control framework with over 800 controls and control enhancements for developing secure federal information systems. Unlike other cyber frameworks that are more general in nature, NIST 800-53 is highly granular in its coverage of topics, ranging from configuration settings to physical security, asset management, HR, and legal. This framework works hand in hand with the 800-37 Risk Management Framework.

Cybersecurity Framework

The NIST Cybersecurity Framework is “voluntary guidance” for all industries considered critical infrastructure, including transportation, banking, healthcare, and state and local government. Developed in a collaboration between government, academia, and the private sector, and nested under the 800-53 Security and Control Framework, it is nonetheless its own risk management and control framework.

800-37 Risk Management Framework

The NIST 800-37 Risk Management Framework lays out a standard process for performing a risk assessment; security and privacy control selection, implementation, and assessment; system and control authorizations; and continuous monitoring. Its purpose is to give management and leadership the information they need to make cost-effective risk management decisions. The Risk Management Framework works hand in hand with the 800-53 Security and Control Framework to ensure you have proper risk management and security around your systems. It is the base framework onto which other NIST publications are bolted.

How Are Organizations Using NIST?

Government agencies

States like New York, Virginia, and Massachusetts are already pushing out mandatory security standards and regulations, choosing to align closely with NIST when customizing their frameworks.

Foundation for cybersecurity audits

Because NIST is so detailed, it gives a chief audit executive (CAE) with little IT knowledge the opportunity to properly scope distinct security reviews, as opposed to performing a single high-level cybersecurity audit. And because of its comprehensive guidance, firms that consult on cybersecurity may choose to use the Cybersecurity Framework as the central spine for building out a tailored cybersecurity program for clients.

“NIST is what we usually use as our base framework,” says Dennis Christoforatos, who works in the Internal Audit practice at DLA, a management consulting firm. “But while we focus on NIST, we take all the best components out of other frameworks as well. For instance, the New York State Department of Finance just released a set of regulations that focuses on such things as third-party service provider security policies and multi-factor authentication, so those are pieces we add in. When assisting clients we try to look into more than just the framework, but what the industry is really heading towards.”

Public companies

If a CIO or CISO has prior working knowledge of NIST, they may be inclined to implement NIST in their organization. But while NIST represents the desired state for cyber resilience, it may not always be practical to achieve it completely. Instead, companies can leverage NIST by implementing a selection of its controls and bypassing those that aren’t as applicable or practical to employ.

“We’re probably not going to live up to NIST fully, but it’s the desired state and it would be good to reach it,” says Andrew Cheng, a risk and compliance professional working at a public company. His company decided to implement NIST 800-53 after a cybersecurity review, in order to strengthen its security posture. “We compared it to other standards like CIS and general security controls and found that NIST 800-53 has so many guidelines and covers such a broad spectrum that it was good for us to see what high-level expectations are and what our goal should be.”

Conversely, a company may have such complex information security systems that it will want not only to comply with NIST but also to fold its adoption in with other information security compliance requirements found in regulations such as PCI, SOX, IT, HIPAA, and GDPR. In this case, the company could build out its own common control framework that satisfies many of those requirements and frameworks, including NIST.

“They can use a system like AuditBoard’s compliance management software to map their common controls to all of the other frameworks’ standard required controls – and then they can evaluate a control one time and apply the results to many requirements,” says Ben Sady, Director of Advisory Services at Dixon Hughes Goodman, a public accounting firm serving government contractors and public companies. “This ‘test once, apply to many’ approach can make their compliance program much more efficient.”

What Does the Future Hold for NIST?

As boards and audit committees increasingly come to view cybersecurity as an investment that protects their bottom line as opposed to a cost center, NIST will only continue to grow in relevance. “Cybersecurity is likely one of the top risks most organizations are facing,” says Sady. “It should be on everybody’s internal audit plan as an audit to be performed on a regular cycle.”

Just as SOX was one of the original regulations that led to the widespread adoption of COBIT and COSO and helped transform the way the industry thinks about security compliance, NIST is predicted to have a similar impact. “Even if it’s not the NIST framework that becomes mandatory, they’re going to be pulling out components of NIST to put into other frameworks that become mandatory,” says Keith Snyder, a partner at DLA. “It will probably be a backbone to a lot of smaller or specific frameworks that may be specific to states, industries, etc.”