nist cybersecurity framework
March 10, 2020

What Is NIST Cybersecurity Framework?

Security & Compliance
Static Analysis

By

The NIST Cybersecurity Framework protects critical infrastructure. Here, we discuss what is the NIST Cybersecurity Framework, important CIS controls for NIST, and how to enforce these cybersecurity measures.

Read along or jump ahead to the section that interests you the most:

Table of Contents

  1. What Is the NIST Cybersecurity Framework?
  2. Why Is the NIST Cybersecurity Framework Important?
  3. What are the Elements of the NIST Cybersecurity Framework?
  4. NIST Cybersecurity Framework: 3 Components
  5. CIS Controls for NIST Cybersecurity Framework
  6. How to Enforce the NIST Cybersecurity Framework and CIS Controls

➡️ easily enforce nist with Klocwork

Back to top

What Is the NIST Cybersecurity Framework?

The National Institute of Standards and Technology — or NIST — is part of the U.S. Department of Commerce. The NIST Cybersecurity Framework helps organizations understand and manage cybersecurity risk.

Back to top

Why Is the NIST Cybersecurity Framework Important?

The framework was initially designed to protect critical infrastructure. This refers to systems vital to the United States. The loss of these systems would compromise cybersecurity, national economic security, and national public health or safety.

Today, the cybersecurity framework can be used as voluntary guidance by any organization. You can apply the principles and best practices of risk management to improve security and resilience.

But satisfying cybersecurity framework requirements is difficult and time-consuming. 

Back to top

What are the Elements of the NIST Cybersecurity Framework?

The five elements of the framework are:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover
Back to top

NIST Cybersecurity Framework: 3 Components

There are three components of the framework.

Framework Core

Framework  Core  provides a set of activities to achieve specific cybersecurity outcomes. It also gives you examples of how to achieve these outcomes.

Implementation Tiers

Implementation Tiers outline increasing sophistication in cybersecurity risk management.

Your tier ensures that:

  • The selected level meets the organizational goals.
  • The selected level is feasible to implement.
  • The selected level reduces cybersecurity risk to an acceptable level.

Framework Profiles

Framework Profiles shows your cybersecurity activities based on:

  • The current state.
  • The desired target state.

The current profile shows the cybersecurity outcomes that are currently being achieved. The target profile shows the outcomes needed to get to your desired state.

Summary

Here's what you need to do to use the cybersecurity framework:

  • Determine the appropriate implementation tier.
  • Understand the gap between its current and target profiles.
  • Put plans in place to implement the activities from the framework core in order to move towards the target profile.
Back to top

CIS Controls for NIST Cybersecurity Framework

The Center for Internet Security (CIS) publishes CIS Critical Security Controls. These map to the framework.

The most relevant section of CIS Controls is CIS Control 18, Application Software Security. This section recommends the following activities.

📕 Related Resource: Learn more about Why Use CIS Benchmarks? How to Enforce CIS Benchmarks

Establish Secure Coding Practices (18.1)

Here's how to establish secure coding practices.

  1. Adopt a written coding standard for your programming language. Examples include CERT and CWE.
  2. Use a static code analyzer — like Klocwork — to apply and enforce the coding standard. 

By doing this, you'll protect your devices and software against cyberthreats.

Ensure Software Development Personnel Are Trained in Secure Coding (18.6)

Here's how to ensure your software developers are trained in secure coding: Use a static analyzer.

The best static analyzers provide developers with guidance on how to fix security issues. Klocwork gives your developers a unique ‘connected desktop’ technology. They'll get secure coding advice as they work. This essentially provides continuous on-the-job training.

Apply Static and Dynamic Code Analysis Tools (18.7)

Here's how to apply static analysis tools: Choose the right SAST tool.

Klocwork performs static analysis on pre-compiled source code. Plus, Klocwork has sophisticated dataflow analysis. This can predict run-time failures even before the application is run. This means many issues are fixed at the earliest opportunity, even before the first dynamic test. This reduces rework cycle times and ultimately saves time and money.

Back to top

How to Enforce the NIST Cybersecurity Framework and CIS Controls

The best way to enforce the NIST Cybersecurity Framework and CIS Controls is to prioritize security from the start.

Two-thirds of security vulnerabilities are the result of ordinary coding errors. You can prevent these security vulnerabilities, adopt CIS controls, and follow the guidance of the cybersecurity framework. And that's by selecting the right SAST tool.

Register for the Klocwork free trial to see how the SAST tool can help enforce NIST Cybersecurity Framework and other software security standards.

➡️ Klocwork free trial

Back to top
Stuart Foster headshot.

Stuart Foster

Klocwork and Helix QAC Product Manager, Perforce

Stuart Foster has over 17 years of experience in mobile and software development. He has managed product development of consumer apps and enterprise software. Currently, he manages Klocwork and Helix QAC, Perforce’s market-leading code quality management solutions. He believes in developing products, features, and functionality that fit customer business needs and helps developers produce secure, reliable, and defect-free code. Stuart holds a bachelor’s degree in information technology, interactive multimedia and design from Carleton University, and an advanced diploma in multimedia design from the Algonquin College of Applied Arts and Technology.