Sean McCloat, CISSP August 14, 2018 4 min read

Why We Align Our Practice with the NIST Cybersecurity Framework

Companies across all industries have taken steps to protect their data and prevent cybercrime.

The use of information security frameworks grew out of a need for organizations to follow a set of steps to protect information. By selecting a cybersecurity framework, companies could adopt a set of policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment.

Common Cybersecurity Frameworks

Various frameworks were developed by volunteers, government agencies, and other organizations.

The cybersecurity frameworks most commonly used by companies today include:


Growing Adoption of the NIST CSF

In recent years, we have seen adoption of the NIST Cybersecurity Framework (CSF) accelerate rapidly. One reason for this trend is a set of recent government mandates that have created compliance obligations for companies that previously had none.

For example, the NIST SP 800-171 requirement (effective as of December 31, 2017, under DFARS 252.204-7012) reaches companies much further down the federal supply chain than the prime contractors, which were already subject to the broader NIST SP 800-53 control catalog for federal systems. The emergence of NIST 800-171 brought a formal set of security controls to a whole new group of organizations, many of them small subcontractors.

NIST and CMMC

Because NIST is a non-regulatory federal agency (part of the US Department of Commerce), the publications it produces have come to be recognized and used by IT security, compliance, and risk management professionals as a reference standard for best practice.

Particularly for those corporations that have their own in-house senior security professionals on staff, we have noticed growing adoption of the NIST CSF. It makes sense when you think of the large percentage of companies that do business directly or indirectly with the government.


Aligning with a Cybersecurity Framework

You may be wondering...

Why would I need to align with a cybersecurity framework at all?

Corserva has been asked this very question on multiple occasions, and the answer is fairly straightforward.

If you are initiating a full-featured security program, why would you rely on Google searches?

Why would you invest heavily in training or hiring staff when you don't need to?

The framework itself provides formal guidance: it was developed by NIST, in collaboration with industry, specifically to address the management of cybersecurity risk, and it organizes that work into five core functions (Identify, Protect, Detect, Respond, Recover). The NIST Cybersecurity Framework has been implemented across many industry vertical markets, and it can be applied regardless of an organization's regulatory requirements, technical design, and existing controls. NIST also provides a broad library of supporting publications (such as the SP 800 series) for reference.

The oversight provided by a framework assists in the implementation and ongoing management and operation of a security program.


Why Corserva Chooses the NIST Cybersecurity Framework

Corserva's cybersecurity practice is primarily aligned with the NIST Cybersecurity Framework.

Our clients need to comply with many different regulations and standards, such as CMMC, PCI DSS, HIPAA, NERC CIP, FISMA, NIST 800-171, NIST 800-53, and GDPR. One thing you can count on is that there will continue to be more mandates in the future affecting a wide range of industries. Because the NIST Cybersecurity Framework maps its outcomes to controls in these other standards, it can be used as the organizing structure for demonstrating compliance with whichever mandate applies to your industry.


At Corserva, we take a holistic approach to safeguarding computer systems and data.


For our clients, we believe they are best served if we use the NIST Cybersecurity Framework to provide guidance for the implementation and maintenance of a company's internal security management practices/programs.

Mandates will continue to evolve, and new ones will be introduced, depending on the industry. But aligning with the NIST Cybersecurity Framework will provide you a robust security program, regardless of any individual compliance mandate.

It's important to note that choosing one framework over another does not mean you are omitting some areas of security. Instead, think of the various frameworks as different ways to organize or order the steps to create a secure IT environment. For example, the 20 CIS Controls (as numbered in version 7 of the CIS Controls) map to and support the other frameworks. A company that focuses on those 20 areas is taking a good first step at preventing the most common and damaging security threats.

For practical, step-by-step information on implementing best practices in cybersecurity, download the white paper, "20 Steps to Improve Your Cybersecurity."


NIST & CMMC

If you are a US defense or government supplier, or if you are a subcontractor selling to a government supplier, you may need to meet the NIST Special Publication (SP) 800-171 mandate or Cybersecurity Maturity Model Certification (CMMC).

The Department of Defense is gradually transitioning from the NIST 800-171 self-attestation model to the CMMC framework, which adds third-party assessment for higher levels. DoD's stated plan is that by 2026 all new DoD contracts will include CMMC requirements.

The contract under which you are working will tell you whether you need to meet NIST 800-171 or CMMC.

Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the CMMC-AB Marketplace.

As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC).

Corserva has created an easy process to enable you to get ready for a CMMC assessment and protect your government contracts. The end deliverable to you is a clear set of corrective actions to take before your CMMC assessment.

Get started today by requesting a quote.



Sean McCloat, CISSP

Sean is responsible for Corserva’s network and security operations centers, field services, sales engineering, data center operations, and professional services. He has an intense focus on delivering exceptional customer service across a wide array of client engagements. With 25+ years of national and global experience in the IT industry, Sean has real world experience at the corporate and enterprise levels of healthcare, advertising, and logistics organizations. In addition to his CISSP certification, Sean is a CMMC-AB Registered Practitioner (RP). He leads Corserva’s assessment and compliance team, guiding companies in meeting business objectives with NIST 800-171 and CMMC.