Practical Application of the NIST Cybersecurity Framework

    On February 12, 2013, Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” was signed by President Obama. The goal of this Executive Order was to increase the level of core capabilities for our critical infrastructure to manage cyber risk. Executive Order 13636 has three main components:

    • Information Sharing
    • Privacy
    • Adoption of cybersecurity practices

    The National Institute of Standards and Technology (NIST) was responsible for developing a Cybersecurity Framework to help drive better adoption of cybersecurity practices. NIST published Version 1.0 in 2014 and later made available Version 1.1 in 2018. The Framework allows businesses and other organizations to assess their risk and adopt risk controls.

    The NIST Cybersecurity Framework has five core functions, and those functions are subdivided into a total of 23 “categories.” Each category contains subcategories, for a total of 108 subcategories. The Core Functions are as follows:

    • Identify: Create the appropriate governance and identify information assets and risks.
    • Protect: Put in place the preventive controls to stop a security event from happening.
    • Detect: Put in place the capabilities to detect a security event within an organization.
    • Respond: Have the processes in place to take the appropriate actions during a security event.
    • Recover: Have processes and procedures in place to restore services, communicate with stakeholders, and make future improvements.

    Applying the NIST Cybersecurity Framework

    Most small to medium-sized organizations do not have a formal Information Security program, so taking on the NIST Cybersecurity Framework can be a daunting task. The Cybersecurity Framework was intentionally written broadly so it could be adapted to many types of organizations, but this makes it challenging for some organizations to know where to start and what types of technology to use to align with the Framework.


    The Identify function is focused on developing the necessary security capabilities. The goal is to identify risk, assets, and capabilities.

    IDENTIFY (ID)

    Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. Recommendations:

    • Create an asset inventory of servers and desktops.
    • Document the cybersecurity roles within your organization.

    • Microsoft Endpoint Manager (Intune) can be used to create Asset Inventories for desktops.
    • On-Prem Active Directory can also be used.
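    A practical check once the inventory exists is to reconcile the two sources named above, so that devices known to Active Directory but never enrolled in Intune (or the reverse) surface as gaps. The script below is an added example, not tooling from this article or from Microsoft; the CSV column layouts and the device rows are constructed assumptions standing in for real exports.

```python
"""Reconcile an Active Directory computer export against an Intune device
export to find coverage gaps in the asset inventory. Added example, not the
page's or any vendor's tooling; both CSV layouts are assumptions, and the
rows are constructed sample data."""
import csv
import io
from datetime import date, timedelta

# Constructed sample exports (assumed column layouts).
AD_CSV = """name,os,last_logon
WS-ACCT-01,Windows 11,2024-05-02
WS-ACCT-02,Windows 10,2023-11-14
SRV-FILE-01,Windows Server 2022,2024-05-03
WS-HR-07,Windows 11,2024-04-30
"""
INTUNE_CSV = """device_name,compliant
WS-ACCT-01,True
WS-HR-07,False
LT-SALES-03,True
"""
STALE_AFTER = timedelta(days=90)  # no logon for 90 days: probably retired


def load(text, key):
    """Index CSV rows by the device-name column, case-insensitively."""
    return {r[key].upper(): r for r in csv.DictReader(io.StringIO(text))}


def reconcile(ad_text, intune_text, today_iso):
    """Return the inventory findings an asset owner should review."""
    today = date.fromisoformat(today_iso)
    ad = load(ad_text, "name")
    mdm = load(intune_text, "device_name")
    stale = {n for n, r in ad.items()
             if today - date.fromisoformat(r["last_logon"]) > STALE_AFTER}
    return {
        # Live AD objects with no MDM enrollment: unmanaged devices.
        "ad_only": sorted(set(ad) - set(mdm) - stale),
        # Enrolled devices with no AD object (cloud-joined, BYOD): confirm intent.
        "mdm_only": sorted(set(mdm) - set(ad)),
        # AD objects nobody has logged on to in 90 days: disable or remove.
        "stale": sorted(stale),
        # Enrolled but failing the configuration baseline.
        "noncompliant": sorted(n for n, r in mdm.items() if r["compliant"] != "True"),
    }


if __name__ == "__main__":
    for finding, names in reconcile(AD_CSV, INTUNE_CSV, "2024-05-05").items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

    In a real environment the two text blocks would be replaced by the exported files, and the server-only entries in the AD list would usually be checked against the server management tool rather than Intune.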


    Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.


    • Review and document all third-party relationships that could affect information security.
    • Develop objectives for Information Security.

    • For most organizations, using Microsoft Teams to organize and share this documentation is a good place to start.

    Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. Recommendations:

    • Begin by developing an initial Information Security Policy that aligns with the NIST CSF.
    • Focus on a policy that contains the Core CSF Components.
    • Document Roles and Responsibilities within your org.
    • Begin documenting Risk findings within your org.

    • Microsoft Teams is a good starting point for most orgs to store and share governance documentation.
    • An Excel spreadsheet can be an effective starting point for smaller organizations to track risk.
    • SimpleRisk is a good open-source product to use for GRC.

    Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. Recommendations:

    • Begin by using some form of a vulnerability management system to identify vulnerabilities in your organization.
    • Get familiar with cyber threat information and know where to obtain reliable news and information.
    • Develop a process for performing regular patching and configuration hardening across the organization.

    • There are many good threat and vulnerability management solutions available.
    • Microsoft Defender for Endpoint includes a Vulnerability module in the same agent.
    • Crowdstrike Falcon also has a Vulnerability module that can be added on.
    • Qualys VMDR is an industry-leading solution.
    • Rapid7 InsightVM is another leading solution.

    Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Recommendations:

    • Create a Risk Management Policy and document how your organization will handle risk findings.
    • Ensure all stakeholders understand and agree to the process.

    Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks. Recommendations:

    • Develop a process to assess vendor risk.
    • There are several SaaS solutions that can help automate this process.

    • SecurityScoreCard.com is a leading solution for managing vendor risk.
    • CyberGRX.com is another major solution.


    The Protect function is focused on taking proactive steps to prevent a security event from occurring.

    PROTECT (PR)

    Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. Recommendations:

    • Select a strong Identity Provider solution that aligns with your other technologies.
    • Create processes for Identity Governance, provisioning, and de-provisioning.
    • Make sure you are using a strong VPN solution with MFA enabled.
    • Use firewalls to segment your network.
    • Ensure all access requires MFA.

    • Use a robust Identity Provider such as Azure AD or Okta.
    • Use an NGFW-based VPN such as Palo Alto GlobalProtect or Fortinet for traditional data center access.
    • If your deployment is more cloud-oriented, use a SASE solution such as Zscaler, Perimeter81, or Netskope.

    Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements. Recommendations:

    • Ensure all users perform security awareness training.
    • Document roles and responsibilities.

    • Use an online training service such as KnowBe4 or Hoxhunt.

    Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. Recommendations:

    • Ensure that data storage is encrypted and access is restricted.
    • Ensure data in transit uses strong TLS encryption; disable plaintext protocols such as HTTP, FTP, and Telnet in your environment.
    • Utilize an asset management system to centrally manage all desktops and servers.
    • Employ a DLP solution to prevent data loss.
    • Production application environments should be separated from development and testing.

    • Use Microsoft BitLocker and Intune to ensure all disks are encrypted.
    • Intune and Azure AD can be good solutions for asset management.
    • Deploy a DLP solution like Forcepoint or Digital Guardian.

    Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. Recommendations:

    • Create baseline configuration policies using automation, scripting, or vulnerability management tools.
    • Application development should follow a formal SDLC.
    • Changes to production systems should align with a Change Control process that is auditable.
    • Information assets are backed up with offline or immutable copies of data.
    • Create a policy for securing physical assets.
    • Create a data destruction policy and process.
    • Develop a clear Incident Response plan.
    • Create a DR plan that contains clear steps to recover your environment.
    • Perform testing of IR and DR plans.
    • Develop a vulnerability management plan.

    • Utilize a leading backup solution that can perform immutable backups.
      • Veeam Backup & Replication
      • Zerto Data Protection
    • Utilize Microsoft Teams/SharePoint to store and collaborate on Policies and Procedures.

    Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures. Recommendations:

    • Ensure changes and maintenance activities are properly logged.

    Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Recommendations:

    • Ensure security tools are properly maintained and managed.
    • Limit the use of USB and flash drives; where they are used, allow only encrypted USB devices.
    • Ensure user access follows the principle of least functionality.
    • Where possible, ensure systems have high availability.


    The Detect function is centered around developing the capabilities to detect a cybersecurity event.

    DETECT (DE)

    Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is understood. Recommendations:

    • Collect security events from the environment. Ensure you’re collecting from the following sources:
      • Network/firewalls
      • Desktops and servers
      • Physical sources like doors
      • End-user sources like Internet browsing, file access, VPN, and email
      • Mobile device activity
      • Antimalware events
      • Cloud Provider management logs like Azure, AWS, GCP
    • Prioritize the detection of unauthorized access attempts.
    • Perform routine vulnerability scans on the environment.
    • Understand what normal activity is, and what would potentially be malicious.
    • Set up automated analysis of security events using a SIEM.
    • Create processes for handling and classifying alerts.

    • Make use of a SIEM solution to collect events and perform analysis.
      • Splunk
      • Securonix
      • Exabeam
      • Microsoft Sentinel
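    The kind of rule a SIEM would run for "prioritize the detection of unauthorized access attempts" is easier to reason about when written out. The script below is an added example, not code from this article or from any SIEM vendor: it scans VPN authentication lines for a burst of failures from one source address (including a spray across several accounts) and escalates when a success follows the burst. The log format and the sample lines are constructed assumptions; a lone failed logon followed by a success, the everyday typo, is deliberately left unalerted.

```python
"""Flag unauthorized-access patterns in authentication logs: a burst of
failures from one source and a success that follows the burst. Added example,
not code from the page or any SIEM vendor; the log line format is an
assumption and the lines are constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed syslog-like VPN authentication format).
SAMPLE_LOG = """\
2024-05-05T08:00:01 vpn auth user=jdoe src=203.0.113.7 result=FAIL
2024-05-05T08:00:04 vpn auth user=jdoe src=203.0.113.7 result=FAIL
2024-05-05T08:00:09 vpn auth user=asmith src=203.0.113.7 result=FAIL
2024-05-05T08:00:12 vpn auth user=bkim src=203.0.113.7 result=FAIL
2024-05-05T08:00:15 vpn auth user=cjones src=203.0.113.7 result=FAIL
2024-05-05T08:00:40 vpn auth user=bkim src=203.0.113.7 result=OK
2024-05-05T08:05:00 vpn auth user=jdoe src=198.51.100.9 result=FAIL
2024-05-05T08:05:30 vpn auth user=jdoe src=198.51.100.9 result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\S+)$")
FAIL_THRESHOLD = 5             # failures from one source ...
WINDOW = timedelta(minutes=2)  # ... inside this window


def parse(text):
    """Yield (timestamp, user, src, result); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["res"]


def detect(text):
    """Return alerts as (severity, src, user, detail) tuples, in log order."""
    recent = defaultdict(list)  # src -> [(ts, user)] failures still inside WINDOW
    alerts = []
    for ts, user, src, res in parse(text):
        recent[src] = [(t, u) for t, u in recent[src] if ts - t <= WINDOW]
        if res == "FAIL":
            recent[src].append((ts, user))
            if len(recent[src]) == FAIL_THRESHOLD:  # fire once per burst, not per line
                targets = {u for _, u in recent[src]}
                alerts.append(("medium", src, user,
                               f"{FAIL_THRESHOLD} failures against {len(targets)} accounts"))
        elif res == "OK" and len(recent[src]) >= FAIL_THRESHOLD:
            # A success right after a burst is the case to triage first.
            alerts.append(("high", src, user,
                           f"success after {len(recent[src])} recent failures"))
    return alerts
```

    Running `detect(SAMPLE_LOG)` yields one medium alert for the five-failure burst and one high alert for the success that follows it; the second source, with a single failure before its success, produces nothing.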

    Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events. Recommendations:

    • Ensure the roles are defined for responding to detection events.
    • Perform testing on detection rules.
    • Set up alerting using email, SMS, or push notifications.
    • Continuously update the detection process, adding rules to detect new attacks or vulnerabilities or to make use of new technology.

    • Use solutions like Teams or Slack to automate notifications and track detections.
    • DevOps tools like PagerDuty or OpsGenie are also effective at alerting responders.


    The Respond function is focused on containing, analyzing, and communicating the security incident.

    RESPOND (RS)

    Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents. Recommendations:

    • Have the Incident Response plan ready to be used in the event of a cyber incident.

    Communications (RS.CO): Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies). Recommendations:

    • All responsible parties know their roles.
    • Incidents are documented and communicated with stakeholders according to the established policy.
    • Where appropriate, information sharing occurs with external parties.

    Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities. Recommendations:

    • Ensure that all detected security events are investigated.
    • Perform deep forensics on any event.
    • Any reported vulnerability should be analyzed to determine if it affects the organization.

    Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident. Recommendations:

    • Ensure that security events are quickly contained.
    • Determine the presence of vulnerabilities in your environment and mitigate them.

    • Make use of an EDR solution that can network-isolate an endpoint to mitigate the impact of an event.
    • Use next-generation firewalls to limit lateral movement in the network.
    • Use CSPM solutions like Azure Security Defender, Wiz, or Palo Alto Prisma Cloud to identify cloud vulnerabilities.

    Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. Recommendations:

    • Make updates to IR plans using lessons learned from cyber incidents.
    • Where applicable, change your security strategies based on IR events.


    The Recover function is focused on maintaining and improving normal operations, as well as improving incident response plans.

    RECOVER (RC)

    Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents. Recommendations:

    • Ensure your Recovery plan is available and can be used during an incident.

    Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities. Recommendations:

    • After an incident, update your recovery plans to include any lessons learned.

    Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors). Recommendations:

    • Ensure all internal and external stakeholders are communicated with during and after an incident.
