Companies across all industries have taken steps to protect their data and prevent cybercrime.
The use of information security frameworks grew out of a need for organizations to follow a set of steps to protect information. By selecting a cybersecurity framework, companies could adopt a set of policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment.
Common Cybersecurity Frameworks
Various frameworks were developed by volunteers, government agencies, and other organizations.
The cybersecurity frameworks most commonly used by companies today include:
Growing Adoption of the NIST CSF
In recent years, we have seen adoption of the NIST Cybersecurity Framework (CSF) escalate rapidly. One reason for this trend is that some recent government mandates have exposed companies to new compliance initiatives – companies that were previously not subject to any compliance requirements.
For example, the need for NIST 800-171 compliance (effective as of December 31, 2017) affects companies further down the federal supply chain than the prime contractors, which were already complying with the broader NIST 800-53 mandate. The emergence of NIST 800-171 revealed the need for security controls to a whole new group of organizations.
Because NIST is a government agency (part of the US Department of Commerce), the resources that NIST creates have become recognized and used by IT security, compliance, and risk management professionals as a standard for best practice.
We have noticed growing adoption of the NIST CSF, particularly among corporations that have their own senior security professionals on staff. This makes sense when you consider the large percentage of companies that do business directly or indirectly with the government.
Aligning with a Cybersecurity Framework
You may be wondering...
Why would I need to align with a cybersecurity framework at all?
Corserva has been asked this very question on multiple occasions, and the answer is fairly straightforward.
If you are initiating a full-featured security program, why would you rely on Google searches?
Why would you invest heavily in training or hiring staff when you don't need to?
The framework itself provides formal guidance: it is a resource developed directly within the US government to address the management of cybersecurity risk. The NIST Cybersecurity Framework has been implemented across various industry vertical markets, and regardless of an organization's regulatory requirements, technical design, and the controls it has in place, it has proven to be successful. NIST also provides a broad library of documents for reference.
The oversight provided by a framework assists in the implementation and ongoing management and operation of a security program.
Why Corserva Chooses the NIST Cybersecurity Framework
Corserva's cybersecurity practice is primarily aligned with the NIST Cybersecurity Framework.
Our clients need to comply with many different regulations, such as CMMC, PCI DSS, HIPAA, NERC CIP, FISMA, NIST 800-171, NIST 800-53, and GDPR. One thing you can count on is that more mandates affecting a wide range of industries will continue to appear in the future. The NIST Cybersecurity Framework can be used as the basis for complying with any security mandate that applies to your industry.
At Corserva, we take a holistic approach to safeguarding computer systems and data.
We believe our clients are best served when we use the NIST Cybersecurity Framework to guide the implementation and maintenance of their internal security management practices and programs.
Mandates will continue to evolve, and new ones will be introduced, depending on the industry. But aligning with the NIST Cybersecurity Framework will provide you with a robust security program, regardless of any individual compliance mandate.
It's important to note that choosing one framework over another does not mean you are omitting some areas of security. Instead, think of the various frameworks as different ways to organize or order the steps to create a secure IT environment. For example, the 20 CIS Controls support the other frameworks. A company that focuses on those 20 areas is taking a good first step toward preventing the most critical security threats.
For practical, step-by-step information on implementing best practices in cybersecurity, download the white paper, "20 Steps to Improve Your Cybersecurity."
NIST & CMMC
If you are a US defense or government supplier — or if you are a subcontractor selling to a government supplier — you may need to meet the NIST Special Publication (SP) 800-171 mandate or Cybersecurity Maturity Model Certification (CMMC).
The Department of Defense is gradually transitioning from the NIST 800-171 mandate to the CMMC framework. By 2026, all new DoD contracts will require compliance with CMMC.
The contract under which you are working will tell you whether you need to meet NIST 800-171 or CMMC.
Corserva is a CMMC-AB Registered Provider Organization™ (RPO), and we are listed on the CMMC-AB Marketplace.
As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC).
Corserva has created an easy process to enable you to get ready for a CMMC assessment and protect your government contracts. The end deliverable to you is a clear set of corrective actions to take before your CMMC assessment.
Get started today by requesting a quote.