Ashton Momot, Jun 25, 2020, 2 min read

The NIST Cybersecurity Framework: An Introduction to Risk Assessment

In cybersecurity, the only constant is change. As attacker techniques and threat vectors evolve, the industry best practices used to defend against them must evolve too. Security documentation often lags behind, since trends shift faster than documents can be drafted, reviewed and published.

Setting Standards: The NIST Framework

Fortunately, there are organizations that specialize in developing standards, best practices and publications that are revised regularly so that resources aren’t wasted on outdated practices. The most commonly referenced of these is the National Institute of Standards and Technology (NIST). NIST provides a wealth of guidance to both the public and private sectors, mostly in the form of Special Publications. These publications cover a wide range of cybersecurity practices and are updated through draft releases that take public comment into consideration. This ongoing revision keeps NIST guidance usable as organizations continue to harden their security posture.

Risk Assessment With The NIST Cybersecurity Framework

One of the most widely referenced NIST publications is the Cybersecurity Framework, which according to NIST “…provides a common language for understanding, managing, and expressing cybersecurity risk both internally and externally. The NIST Cybersecurity Framework can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business and technological approaches to managing that risk” (NIST, 2017). The citation refers to the 2017 draft of Version 1.1, whose second draft was released on December 5, 2017; the final Version 1.1 was published in April 2018. Many organizations have used the Framework to scope their cybersecurity program. The Framework Core organizes activities under five functions: Identify, Protect, Detect, Respond and Recover.

NIST also maintains another widely referenced publication, SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, currently at Revision 4. This lengthy catalog groups controls into families, such as Access Control (AC) and Incident Response (IR). Many other NIST documents reference these controls as a baseline for a wide variety of information systems, business missions and functions.

Over the coming months, we will take an in-depth look at many of the most popular NIST publications and dissect the links between them. More importantly, we will also discuss how compliance regimes draw on these documents to satisfy legal requirements.


Ashton Momot

Ashton joined Twinstate Technologies as a Cybersecurity Analyst in July 2016 after earning his Master’s in Information Systems Security from the University of Denver. Still based in Colorado, Ashton enjoys keeping up with trends in the cybersecurity industry and helping adapt security policies to meet the specific needs of Twinstate customers. As a third-generation Twinstate family member, Ashton not only loves working alongside family but also enjoys seeing how Twinstate continues to grow. Continuing to grow his knowledge base, he is currently working towards his CISM certification.