On February 12, 2013, President Obama signed an executive order named “Improving Critical Infrastructure Cybersecurity”. From this directive, the National Institute of Standards and Technology was tasked with the development of what has become the granddaddy of cybersecurity frameworks. The government may have its challenges in many areas, but I’ll give credit where credit is due. NIST did a pretty darn good job organizing the massively broad topic of cybersecurity.
Mention the term “cybersecurity framework” with most business folks and you’re likely to see their eyes glaze over. I get it. That topic has three ingredients that make for a pretty dry discussion: cybersecurity, framework, and government-made. I was not born a fan of compliance frameworks and, in fact, it took many years of dealing with security as a function of my responsibilities to develop the appreciation I now have. Yes, I’m a cyber-geek.
NIST 800-171, the framework suggested for non-governmental organizations, consists of 110 controls, which are essentially requirements an organization should meet. That’s a lot of controls, right? So now I’m getting to my point. With so many controls, NIST knew it would make sense to categorize them into groups it calls Functions. These five Functions are the highest level of abstraction in the framework and represent the five pillars every organization should use to build its cybersecurity program.