What is NIST 7621?
The US Commerce Department’s National Institute of Standards and Technology (NIST) is a non-regulatory body responsible for investigating and developing standards for all federal agencies.
The NIST 7621 framework provides guidance on how small businesses can provide basic security for their information, systems, and networks.
This NIST publication uses the Framework for Improving Critical Infrastructure Cybersecurity [CSF14] as a template for organizing cybersecurity risk management processes and procedures. The Cybersecurity Framework, developed through collaboration between the public and private sectors, was initially designed specifically for “critical infrastructure organizations”, but it has proven useful to a variety of audiences and is used to organize data and cybersecurity best practices in an accepted and logical format.
The November 2016 publication of NIST 7621, Revision 1, reflects changes in technology and a reorganization of the information needed by small businesses to implement a program to help them understand and manage their information and cybersecurity risk.
What are the requirements for NIST 7621?
The framework is built around the five core functions defined below:
Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
An organization can better focus and prioritize its activities in accordance with its risk management strategy and business requirements when it is aware of the business context, the resources that support critical functions, and the associated cybersecurity risks.
Protect – Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services.
The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.
Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
The Detect Function makes cybersecurity events rapidly discoverable.
Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
The Respond Function supports the ability to contain the impact of a potential cybersecurity event.
Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
To reduce the impact of a cybersecurity event, the Recover Function supports timely recovery to normal operations.
Why should you be compliant?
Many cybercriminals consider small firms easy targets because they often lack the means to invest in information security in the way larger businesses can. A criminal may be interested in the funds or information that your small business holds.
For some small businesses, the security of their information, systems, and networks might not be their highest priority. However, an information security or cybersecurity incident can be detrimental to their business, customers, employees, business partners, and potentially their community. It is vitally important that each small business understands and manages the risk to the information, systems, and networks that support its business. The NIST 7621 framework is a good starting point.
How to achieve NIST 7621 compliance?
Different businesses have different security needs. To find out where your company needs to improve and what steps need to be taken to make those changes happen, you’ll need to start by developing a comprehensive profile. The next step is to perform a risk assessment that is independent of the company.
The Centraleyes platform will provide your organizational risk score using an easy and adaptable process, based on a proprietary weighting and grading algorithm. Once scores are collected, the pre-populated Centraleyes NIST 7621 questionnaire, featuring automated workflows and alerts, will help remediate the areas vulnerable to risk.
Compliance is an ongoing process that requires constant updates and adjustments as the organization’s security posture and business change. Centraleyes’s automated remediation planner identifies gaps and produces actionable remediation tickets with quantifiable risk tools that allow you to track and compare progress over time, supporting the collection and organization of required information before an audit.