NIST—the National Institute of Standards and Technology—is one of the nation’s oldest physical science laboratories. NIST programs range from the microscopic study of proteins in cells, to forecasting weather from space. NIST is part of the United States Department of Commerce, and with increasing attacks aimed at compromising and acquiring data from organizations, NIST has created a Cybersecurity Framework to manage cybersecurity-related risk.
[Related: What Is NIST Compliance?]
Value of the NIST Cybersecurity Framework
But if there are already guidelines and requirements provided by security mandates like Payment Card Industry Data Security Standard (PCI DSS), and the Sarbanes-Oxley (SOX) Act, and Health Insurance Portability and Accountability Act (HIPAA), why do we need this framework?
The challenge with multiple compliance regulations and rules is that they may seem to operate in a silo. IT teams working to meet one rule may be unsure if they can leverage that work to comply with another requirement. The NIST Framework provides a common language for managing and communicating cybersecurity risk to stakeholders. It can be used to help prioritize actions for reducing cybersecurity risk, and to align technological approaches with an organization’s policies for managing that risk.
To help business use the Cybersecurity Framework to assess their risk, NIST has identified resources including special publications (SP) NIST SP 800-53 and NIST SP 800-171.
NIST Cybersecurity Framework Challenges
Yet, with the average cost of compliance estimated at $5.47 million and companies allocating 14.3% on average of their IT budget to compliance spending, aligning to the NIST Cybersecurity Framework can be a challenge. The cost and complexity of the Cybersecurity Framework, particularly for stretched IT teams in smaller organizations, has resulted in legislation that directs NIST to create Cybersecurity Framework guides that are more accessible to small and medium businesses.
But having access to guidance does not address the simple fact that stretched IT is still, well stretched. Over 70 percent of cybersecurity professionals say the cybersecurity skills shortage has had some impact on their organization. And, 66 percent of cybersecurity professionals say the cybersecurity skills shortage has increased the workload on existing staff.
Achieving and Maintaining Compliance with the NIST Cybersecurity Framework
Alert Logic has recognized this mismatch between compliance and standards rules, requirements and frameworks, and the challenge facing IT organizations to leverage existing resources to achieve compliance. Alert Logic has combined their security tools with advanced analytics and 24/7 expert services. This approach recognizes that for IT organizations to leverage publications like NIST SP 800-53 and NIST SP 800-171, they must have the security tools in place to apply the necessary security controls. Equally important—IT needs access to a team of analysts, researchers and experts that can take the pressure off by helping to identify, prioritize and remediate potential vulnerabilities and attacks. Alert Logic is able to help organizations achieve compliance with a security and threat management platform and expert staff support at a lower total cost (ROI of 345%) over three years than point solutions or relying solely on internal resources.
Other security and compliance solution vendors have introduced vulnerability management, and configuration management to attempt to address compliance mandates. But without a clear understanding of the threats affecting a business’ network, efforts by IT teams will provide little or no benefit. Other solutions provide reams of log data, leaving it to an organization to analyze and figure out remediation steps, assuming the organization understands the regulations in the first place.
The Alert Logic difference is that our security experts can help filter out the noise to help businesses focus on data that is relevant to their compliance needs.
The NIST Cybersecurity Framework is a great way to assess risk and publications like NIST SP 800-53 and NIST SP 800-171 can help apply the Cybersecurity Framework. But, without access to tools and experts, leveraging the Cybersecurity Framework can prove a challenge.
You can get started today with Alert Logic to help with your NIST compliance projects.