About the author
Roland Thomas
Associate Director | Corporate Development
Roland is an Associate Director in Thomas Murray’s Corporate Development team. He joined Thomas Murray in 2018 with responsibility for group strategy, partnerships and corporate finance. More recently, Roland’s role has focused on establishing Thomas Murray’s cyber risk business, starting in 2021 with the launch of our Orbit Security platform, and the development of our expert cyber risk consultancy. Roland has a BA in English Language and Literature from Oxford University.
The US’s National Institute of Standards and Technology created a voluntary cyber security framework. The aim was to strengthen the cyber security of critical infrastructure in the private sector.
Since it was created in 2014, the NIST framework has become internationally significant, either adopted as-is or forming the basis for regulatory approaches in other jurisdictions. It is used in Israel and Japan, for example, and its influence can be seen in the EU’s Digital Operational Resilience Act (DORA).
The practices, standards and guidelines that form the NIST framework were last updated in 2018. Another update was promised for 2022, but is still pending. Revisions will be based on public feedback in three main areas:
- What changes are needed to the framework itself;
- How the framework interacts with other resources; and
- The aspects of cyber security in the supply chain that need strengthening.
NIST’s Chief Cybersecurity Advisor, Kevin Stine, had this to say of the review:
“There is no single issue driving this change. This is a planned update to keep the [framework] current and ensure that it is aligned with other tools that are commonly used.”
The NIST framework’s five core functions
The single, overarching aim of what the NIST describes as the framework’s ‘five core functions’ is to give an organisation a strategic overview of its cyber security risks:
- Identify – understand how to manage cyber security risks (to data, systems, assets, etc.).
- Protect – safeguarding measures are in place to ensure the delivery of critical infrastructure services.
- Detect – an organisation can clearly define how it identifies cyber security incidents.
- Respond – an organisation has a plan for dealing with various cyber security incidents.
- Recover – an organisation has a plan for operational resilience, including a prioritised list of functions/services and a course of action for repairing affected systems.
A voluntary approach
The NIST framework does not impose any regulatory compliance standards – the NIST talks about organisations “choosing to leverage” the framework, rather than being “required to comply” with it.
At a basic level, the NIST framework can be seen as an attempt to nudge businesses towards treating their cyber security risks as seriously as they do their other operational risks (e.g. financial, supply chain or personnel).
For more information, please get in touch with me and the team.