Implementation
Creating policies alone will have limited impact on organizational cybersecurity unless they are properly implemented. A well-structured policy implementation plan is essential for effective enforcement and adherence. This process typically follows five key steps:
Assess Current Policies: Begin by reviewing existing policies to identify outdated, unclear, or incomplete procedures. Involve department heads and management to ensure the review addresses practical needs and aligns with current business goals and regulatory requirements.
Develop and Revise Policies: Based on the assessment, develop new policies or revise existing ones to fill gaps. Ensure they align with strategic goals and comply with legal and industry standards. Collaborate with legal experts and key stakeholders to ensure policies are comprehensive, practical, and enforceable.
Communicate and Train: Once policies are developed, communicate them clearly to all employees through various channels—meetings, emails, and chat groups. Tailor messaging to specific departments as needed to ensure clarity and relevance. Follow up with targeted training to reinforce key policy details and ensure understanding, offering additional sessions as needed.
Monitor, Evaluate, and Garner Feedback: Monitor policy implementation to track compliance and evaluate its effectiveness. Assess how the policies impact company operations and regulatory compliance. Regularly collect feedback from employees to identify challenges and make sure the policies are practical and effective in real-world scenarios.
Adjust and Continuously Improve: Be prepared to make adjustments based on feedback and performance data. Keep employees informed about any changes, maintaining transparency and fostering a culture of continuous improvement. This ensures policies stay relevant and effective as the organization evolves.
While this five-step process works for general policy implementation, NIST has also published an implementation approach specific to CSF 2.0 (the Quick-Start Guide for Creating and Using Organizational Profiles, NIST SP 1301). It uses Organizational Profiles to implement the six Core Functions.
NIST CSF Organizational Profiles
An Organizational Profile outlines an organization's current and/or target cybersecurity posture based on the CSF Core outcomes. It helps tailor, assess, and prioritize cybersecurity efforts in line with the organization’s mission, stakeholder needs, threat landscape, and requirements. Profiles guide strategic actions, track progress, and communicate relevant information to stakeholders. There are two types of Organizational Profiles:
Current Profile: Describes the cybersecurity outcomes currently being achieved and how they are being met.
Target Profile: Specifies desired outcomes to be prioritized, considering factors like new requirements, technology, and evolving threats.
Creating and using Organizational Profiles involves a five-step process:
Step 1: Scope the Organizational Profile
The scope defines the purpose, boundaries, and focus of the Organizational Profile. Decide whether it will cover the entire organization or specific divisions, assets, or partners, and determine which cybersecurity threats and defenses it will address. Identify the teams responsible for developing, reviewing, and implementing the profile, and who will set expectations for achieving the target outcomes.
Step 2: Gather Information
Gather relevant information based on your organization's needs, such as policies, risk management priorities, cybersecurity requirements, and applicable standards. Information sources will vary with the profile's use case and level of detail. Common sources include Community Profiles, which provide sector-specific baseline CSF outcomes, and the NIST Organizational Profile Template, a downloadable Excel tool for creating and comparing Current and Target Profiles that helps identify gaps.
Step 3: Create the Organizational Profile
First, download and customize the NIST Organizational Profile Template. Include the cybersecurity outcomes relevant to your use case, documenting rationales as needed. In the Current Profile, list existing cybersecurity practices in as much detail as possible; in the Target Profile, document cybersecurity goals and plans based on CSF references, new requirements, technologies, and threat intelligence trends. Prioritize each goal and adjust the template as necessary, adding or removing columns to suit your needs. You can also include Informative References to highlight differences between current practices and target goals.
Step 4: Analyze Gaps and Create Action Plan
Analyzing the differences between the Current and Target Profiles helps identify gaps and develop a prioritized action plan to improve cybersecurity risk management. This process enables informed decisions on how to close gaps efficiently and cost-effectively.
Analyze Gaps: Compare current practices across people, processes, and technology with CSF best practices, outcome descriptions, and Informative References. Document the differences as potential areas for improvement.
Create Action Plans: Develop an action plan that prioritizes improvements, considering mission drivers, benefits, risks, and required resources (e.g., staffing, funding). Base the plan on the gap analysis, and use the NIST CSF 2.0 Reference Tool to pull in Informative References (such as NIST SP 800-53 controls) and Implementation Examples that guide concrete actions.
Step 5: Implement Action Plan and Update Profile
Implement the action plan using a combination of management, programmatic, and technical controls, tracking progress through the Organizational Profile. Monitor risks using key performance indicators and key risk indicators, and update the plan or profile when risks exceed the organization's risk tolerance or when gaps require longer remediation (via a plan of action and milestones). As risk factors change, update the profile to reflect evolving risks, ensuring the action plan remains effective and aligned with the organization's cybersecurity goals.
Specific Core Function Tasks
Consider these actions and resources when implementing the NIST CSF 2.0 Core Function Categories during the fifth step of the Organizational Profile process.
Govern Implementation Tasks
The Govern Function helps an organization establish and monitor its cybersecurity risk management strategy, expectations, and policy. This includes understanding the impact on business objectives, legal requirements, and accountability for the cybersecurity strategy. Organizations should assess the impact of losing critical assets, evaluate cybersecurity insurance needs, and assess third-party risks. Cybersecurity risks should be prioritized alongside other business risks, and leadership must communicate support for a risk-aware culture, enforce policies, and drive continuous improvement.
Specific implementation resources include:
Identify Implementation Tasks
The Identify Function helps determine the current cybersecurity risk to the business. Start by maintaining an inventory of critical assets (hardware, software, systems, and services), assessing vulnerabilities, and evaluating the cybersecurity program’s effectiveness. Prioritize classifying business data, documenting threats, and maintaining a risk register. Communicate cybersecurity plans and best practices to staff and relevant third parties, stressing the need for ongoing improvements in risk management processes. This helps determine the appropriate protection level for each asset based on its importance to the business.
Specific implementation resources include:
Protect Implementation Tasks
The Protect Function supports the ability to use safeguards to prevent or reduce cybersecurity risks. Start by restricting access to sensitive information based on job roles, ensuring employees only have access to what they need. Regularly assess cybersecurity training quality and frequency for staff. Prioritize multi-factor authentication, changing default passwords, updating and patching software, and enabling full-disk encryption on devices. Consistently back up data and test backups. Communicate to staff how to recognize and report attacks, perform basic cyber hygiene, and maintain secure practices. This helps establish a proactive security posture by reducing vulnerabilities and ensuring staff are equipped to handle security threats.
Specific implementation resources include:
Detect Implementation Tasks
The Detect Function provides outcomes that help identify and analyze possible cybersecurity attacks and compromises. Start by understanding common indicators of incidents, such as unusual network behavior, failed login attempts, or malware alerts. Regularly assess both computing technologies and physical environments for deviations from normal activity or signs of tampering. Prioritize installing and maintaining antivirus and anti-malware software across all devices, and consider engaging a service provider to monitor for suspicious activity if internal resources are limited. Communicate relevant incident details with authorized responders to aid in effective mitigation. This proactive approach helps to quickly identify and respond to potential cybersecurity threats.
Specific implementation resources include:
Respond Implementation Tasks
The Respond Function supports the ability to take action regarding a detected cybersecurity incident. Understand your incident response plan, including who is responsible for executing different aspects. Regularly assess your response capabilities and evaluate the severity, cause, and impact of the incident. Prioritize containment and eradication to prevent further damage. Communicate the incident to internal and external stakeholders, such as customers, regulators, and law enforcement, as required by legal or contractual obligations. Having a well-prepared incident response plan and clear communication channels ensures an effective and coordinated response to minimize the impact of cybersecurity incidents.
Specific implementation resources include:
Recover Implementation Tasks
The Recover Function involves activities necessary to restore assets and operations that were impacted by a cybersecurity incident. First, understand who has recovery responsibilities both internally and externally. After the incident, assess the situation through an after-action report that includes lessons learned, and evaluate the integrity of backup data before using it for restoration. Prioritize recovery actions based on critical business needs, available resources, and impacted assets. Communicate regularly with stakeholders during the recovery process, and ensure that you document and communicate when normal operations resume. A well-prepared recovery playbook, outlining formal processes, asset priorities, and communication plans, is essential for efficient recovery and minimizing future risks.
Specific implementation resources include:
References
“Backup and Recover.” GCA Cybersecurity Toolkit | Tools and Resources to Improve Your Cyber Defenses, 20 Mar. 2023, https://gcatoolkit.org/smallbusiness/backup-and-recover.
Bartock, Michael, et al. “Guide for Cybersecurity Event Recovery.” National Institute of Standards and Technology, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf.
“Best Practices for Victim Response and Reporting of Cyber Incidents.” Prosecuting Computer Crimes, https://www.justice.gov/criminal-ccips/file/1096971/download.
“Choosing a Vendor/Service Provider.” National Institute of Standards and Technology, 2 Aug. 2024, https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/choosing-vendorservice-provider.
Cichonski, Paul, et al. “Computer Security Incident Handling Guide.” National Institute of Standards and Technology, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.
“Cyber Resilience Review (CRR): CISA.” Cybersecurity and Infrastructure Security Agency, https://www.cisa.gov/resources-tools/services/cyber-resilience-review-crr.
“Digital Identity Guidelines.” NIST SP 800-63, https://pages.nist.gov/800-63-3.
“Incident Response Plan (IRP) Basics.” Cybersecurity and Infrastructure Security Agency, https://www.cisa.gov/sites/default/files/publications/Incident-Response-Plan-Basics_508c.pdf.
“Internet Crime Complaint Center.” Internet Crime Complaint Center Home Page, https://www.ic3.gov.
“IT Disaster Recovery Plan.” IT Disaster Recovery Plan | Ready.Gov, https://www.ready.gov/business/emergency-plans/recovery-plan.
Kallman, Teresa. “Enforcing Company Policies: Why It’s Important & How To Enforce Them.” Paychex WORX Blog, Paychex, 31 Oct. 2023, https://www.paychex.com/articles/human-resources/importance-of-enforcing-workplace-policies.
Liu, Henry, and Staff at the FTC. “Protecting Personal Information: A Guide for Business.” Federal Trade Commission, 2 Apr. 2024, https://www.ftc.gov/business-guidance/resources/protecting-personal-information-guide-business#takestock.
Liu, Henry. “Data Breach Response: A Guide for Business.” Federal Trade Commission, 3 Apr. 2024, https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business.
“Multi-Factor Authentication.” National Institute of Standards and Technology, 12 Mar. 2024, https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/multi-factor-authentication.
“NIST CSF 2.0 Profiles.” National Institute of Standards and Technology, 22 Aug. 2024, https://www.nist.gov/cyberframework/profiles.
“NIST Cybersecurity Framework (CSF) 2.0 Reference Tool.” Computer Security Resource Center, https://csrc.nist.gov/Projects/Cybersecurity-Framework/Filters#/csf/filters.
Pascoe, Cherilyn, et al. “NIST Cybersecurity Framework 2.0: A Guide to Creating Community Profiles.” NIST Cybersecurity White Paper, 26 Feb. 2024, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.32.ipd.pdf.
“Phishing.” Small Business Cybersecurity Corner, 14 Mar. 2024, https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/phishing.
“NIST Cybersecurity Framework Policy Template Guide.” Center for Internet Security, Nov. 2021, https://www.cisecurity.org/-/jssmedia/Project/cisecurity/cisecurity/data/media/img/uploads/2021/11/NIST-Cybersecurity-Framework-Policy-Template-Guide-v2111Online.pdf.
“Quick-Start Guide for Creating and Using Organizational Profiles.” NIST Cybersecurity Framework 2.0, NIST SP 1301, Feb. 2024, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1301.pdf.
Quinn, Stephen, et al. “Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight.” Computer Security Resource Center, 6 Mar. 2024, https://csrc.nist.gov/pubs/ir/8286/c/upd1/final.
“Ransomware Protection and Response.” Computer Security Resource Center, https://csrc.nist.gov/Projects/ransomware-protection-and-response.
“Securing Small and Medium-Sized Business Supply Chains.” Cybersecurity and Infrastructure Security Agency, https://www.cisa.gov/sites/default/files/2023-01/Securing-SMB-Supply-Chains_Resource-Handbook_508.pdf.
“Shields Up: Guidance for Organizations.” Cybersecurity and Infrastructure Security Agency, https://www.cisa.gov/shields-guidance-organizations.
“Small Business Quick-Start Guide.” National Institute of Standards and Technology, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1300.pdf.
Stine, Kevin, et al. “Integrating Cybersecurity and Enterprise Risk Management (ERM).” Computer Security Resource Center, 13 Oct. 2020, https://csrc.nist.gov/pubs/ir/8286/final.
“Structuring a Successful Policy Implementation Plan in 5 Steps.” ComplianceBridge, 12 Dec. 2023, https://compliancebridge.com/policy-implementation-plan.
“The NIST Cybersecurity Framework (CSF) 2.0.” National Institute of Standards and Technology, 26 Feb. 2024, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf.
“NIST CSF Policy Template Guide.” Center for Internet Security, https://www.cisecurity.org/wp-content/uploads/2019/08/NIST-CSF-Policy-Template-Guide.pdf.
“Training.” Small Business Cybersecurity Corner, 13 Sept. 2024, https://www.nist.gov/itl/smallbusinesscyber/training.