By Lisa Mitchell, NetGain Technologies
For MSPs and MSSPs, honing the expertise and tools to provide cybersecurity within the requirements of the U.S. government’s NIST Cybersecurity Framework is an effective path for winning new clients, including those for which NIST regulations don’t technically apply. NIST offers such comprehensive guidance for cybersecurity best practices, processes, and technologies that the framework has become a recognized standard for organizations regardless of their industry. We’ve seen this firsthand, with more prospects asking how our security stack stands up to the NIST guidelines.
NIST compliance is required for any organization doing business with the government, and Confidential Unclassified Information (CUI) must be fully protected and secure. Any SMB subcontracting for these organizations must also adhere to these requirements. In many cases that means completing self-assessment questionnaires around the SMB’s security processes and capabilities, which more often than not requires the expertise of an MSP to complete. But perhaps the more important takeaway for MSPs right now: due to the broad trust that NIST now commands, MSPs offering NIST-compliance-as-a-service today can earn new clients beyond just businesses where compliance is mandatory. To that point, most supply chain questionnaires around security are now being modeled around the NIST Cybersecurity Framework. It is quickly becoming the de facto standard, whether you or your clients work with government agencies or not.
MSPs ready to introduce NIST compliance as part of their security services should ask their existing vendors for detailed assessments of how their solutions help them achieve NIST’s requirements. For example, we use BeachheadSecure, a cl-based data and device security platform that was objectively assessed to fully or partially satisfy 76% of NIST requirements (69 of 90 subcategories). Similarly, we use Zix (part of OpenText) as an encrypted email solution partner for further strengthening our NIST-adhering capabilities. Armed with a clear understanding of vendor solution capabilities, an MSP can assemble a service offering that delivers protections adhering to the complete NIST Cybersecurity Framework.
Understanding The NIST Cybersecurity Framework
There is one significant stumbling block MSPs encounter when building NIST compliance offerings: the NIST Framework’s presentation is quite confusing. NIST includes five core functions—Identify, Protect, Detect, Respond, and Recover—broken down into 23 categories and over 100 subcategories featuring specific technology and best practice guidance. As read, NIST subcategories frequently feel redundant or miscategorized. NIST’s vast scope and broad team explain these organizational challenges.
To hopefully address this difficulty for MSPs, here’s an approachable overview to help practices navigate NIST and assemble security services that deliver compliant best practices:
NIST’s first core function focuses on identifying and managing cybersecurity risks that threaten systems, data, and assets. Specific guidance covers best practices for:
- Asset management – NIST requires consistent security best practices safeguarding crucial personnel, data, facilities, and systems. All assets and activities essential to business viability – key sites, databases, and applications – must be identified and protected.
- Business environment – Key stakeholders must have close awareness of how security intersects with their business mission and objectives.
- Governance – Organizations must practice risk management and ensure legal and regulatory compliance with effective procedures, policies, and processes.
- Risk assessment – Organizations must maintain comprehensive awareness of cybersecurity risks.
- Supply chain risk management – Organizations must identify and prepare processes to mitigate and prioritize supply chain risks.
NIST’s second core function guides organizations in safeguarding critical infrastructure services through methods including:
- Access controls – Organizations must limit access to authorized users, processes, and devices, and make assets and facilities available for legitimate activities only.
- Awareness and training – Employees and partners must undergo regular cybersecurity training to recognize risks and adhere to mitigation policies and procedures.
- Data security – Organizations must protect data confidentiality, integrity, and availability with effective policies and procedures.
- Information protection – Information systems must also be secured with appropriate policies, procedures, and processes.
- Maintenance – Organizations must keep security controls and information systems functioning well and compliant with existing policies and procedures.
- Protective technology – Organizations’ information systems must be protected by appropriate and effective security technologies.
NIST’s third core function ensures that organizations can detect cybersecurity attacks, addressing:
- Anomalies and events – Organizations must have the cybersecurity solutions necessary to rapidly identify anomalous activities and deliver insights enabling quick remediation.
- Continuous security monitoring – Detection technologies must enable continuous threat monitoring.
- Detection process assessments –To maintain ongoing effectiveness, regular testing is required for all detection processes and procedures.
NIST’s fourth core function covers best practices for responding to cybersecurity threats, including:
- Response planning – When a cybersecurity event occurs, organizations must have plans, processes, and procedures ready for action.
- Communications – Organizations must closely coordinate internal cyber threat response activities and coordinate with external parties such as law enforcement when necessary.
- Analysis – Organizations must inform response and recovery approaches with insightful cyber threat analysis.
- Mitigation – Organizations must prevent threat expansion while mitigating existing threats and any lasting effects.
- Improvements – Organizations must continuously improve their cybersecurity practices, incorporating lessons learned.
NIST’s fifth core function guides how organizations should prepare to restore functionality, capabilities, or services following security incidents, including:
- Recovery planning – Organizations must implement processes and procedures enabling fast and complete recovery from cybersecurity events.
- Communications – Recovery activities must include close coordination with stakeholders and all affected parties, internal or external.
- Improvements – Organizations must continually improve recovery planning and processes, leveraging learnings from threat event recovery experiences.
MSPs: Expand Your Business With NIST-Compliance-as-a-Service
The powerful cybersecurity preparations outlined by the NIST Cybersecurity Framework offer your clients superior threat prevention and security incident outcomes—whether or not the client directly falls under NIST’s purview. MSPs will be wise to deliver NIST’s advantageous protections to win over new clients and to ensure their security protections meet the highest standards.
About The Author
Lisa Mitchell is the General Manager of the North Carolina branch NetGain Technologies, a Kentucky-based provider of managed IT and security services.