Cybersecurity risks affect companies’ financial figures, raising costs and hurting revenue. Cyber criminals have stepped up their activity in recent years, hitting large and well-known companies worldwide and harming their ability to innovate and sustain their business. Attackers look to steal data or take control of critical infrastructure for competitive advantage, financial profit, sabotage and espionage.

To address cybersecurity risks, NIST (the National Institute of Standards and Technology) developed the Framework, Version 1.0, under Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity” (February 2013), a role later updated by the Cybersecurity Enhancement Act of 2014 (CEA). The NIST Framework uses business drivers to guide cybersecurity activities and treats cybersecurity risk as part of the company’s overall risk management process.

The Framework supports companies to:

  • Describe their cybersecurity current and desired/target state
  • Identify and prioritize opportunities for remediation within a continuous and repeatable process
  • Assess progress toward the desired/target state
  • Communicate and share about cybersecurity risk both with internal and external stakeholders

The Framework is organized in three parts:

  • Framework Core: cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure
  • Framework Profiles: support a company to organise and prioritize cybersecurity activities toward its business requirements, risk tolerance and resources
  • Implementation Tiers: provide a methodology for companies to view and understand the characteristics of their approach to managing cybersecurity risk, supporting in prioritizing and achieving cybersecurity goals

NIST CSF Compliance Program

The NIST CSF Compliance Program is designed to answer the questions raised by any company that uses the NIST CSF to support compliance with regulatory requirements, risk management initiatives and the alignment of IT strategy with organisational goals, while evaluating and selecting products to support the NIST CSF components. The Compliance Program provides validated evidence about a product’s features and capabilities in support of the NIST CSF components.

NIST CSF Compliance Testing and analysis cover several aspects of the product, including:

  • Compliance Effectiveness
  • Product Capabilities Support
  • Scope Impact Analysis and Coverage
  • Management and Usability
  • Compliance with Major Regulations (ISO/IEC 27001, FISMA, GDPR, HIPAA, NERC CIP)
  • Suitability for Use and Recommended Configuration
  • Product Roadmap

NIST CSF Compliance Testing criteria

NIST CSF Compliance Testing is conducted by trained analysts against the NIST CSF Compliance Program criteria, as well as Compliance Labs’ functional and quality-assurance requirements. The NIST CSF Compliance Program criteria draw on the intent of the NIST CSF components from an auditor’s perspective, on companies’ needs, and on queries from numerous specialists, including vendors of affected products, developers, users and industry groups. The compliance analyst reports the results of each phase of testing in the Reports of Compliance, and also documents the product components submitted by the vendor and the configuration of the product evaluated.

Continuous evaluation process

Compliance Labs has developed the continuous testing process as a fundamental aspect of the NIST CSF Compliance Program. The continuous evaluation process monitors new compliance requirements and best practices and updates the testing criteria to drive product compliance effectiveness and quality over the long term.
