How the New NIST Cybersecurity Framework Keeps SMBs Safe

The updated NIST framework provides actionable security advice for businesses of all sizes.

April 5, 2019
Manhattan Tech Support


The National Institute of Standards and Technology (NIST) is a government agency that promotes innovation by providing metrics and standards for the science and technology industry. While the agency has produced many standards over its 100-year history, the most commonly discussed in the IT industry is the NIST Cybersecurity Framework – a system of controls and guidelines that are being adopted by a growing number of businesses in order to strengthen their cybersecurity protections.


While in the past NIST was mainly used by larger organizations that had the resources to pursue strong cybersecurity, that’s now changing. In August of 2018, the Federal Government signed the Small Business Cybersecurity Act – a revision of the NIST framework that provides small and midsized companies with a consistent set of guidelines and resources they can use to protect themselves against cyberattacks.

A New Era for NIST and SMBs

The law, which passed with strong bipartisan support, was drafted in response to the growing cybersecurity threat that SMBs are facing. Hackers see SMBs as the “low hanging fruit” on the security pecking order. These businesses, while relatively unprotected, still possess a great deal of valuable data that hackers can hold for ransom, or sell on the dark web.

While the expanded NIST framework isn’t a mandatory regulation, and won’t do much to deter cybercrime by itself, it does help SMBs counter cyber threats by making resources and best practices more easily accessible.

For example, in the past, experts had criticized the NIST framework for being too costly to implement, even at large businesses. To solve this, the updated framework has been designed to work with commonly used off-the-shelf products and technologies, so that businesses of all sizes can improve their security in a reasonable timeframe while also controlling costs.

The Key Components of the NIST Cybersecurity Framework

The NIST framework is organized around five high-level core functions: Identify, Protect, Detect, Respond, and Recover. These core functions can be thought of as organizing principles that give shape to the framework’s implementation. Here’s what each of them means.

  • Identify – Gain full visibility of your physical and digital assets, and their vulnerabilities
  • Protect – Control access to those assets with appropriate safeguards
  • Detect – Possess visibility over your network and identify threats quickly
  • Respond – Contain cybersecurity events with a response plan and clear lines of communication
  • Recover – Effectively recover any damaged services with clear action points

Another useful feature of the NIST framework is the tiered stages of implementation. These tiers provide businesses with a clear guideline to understand their progress and a means of improving internal communication. They’re designed to be pursued in ascending order.

  • Tier 1 – Begin to cultivate a cybersecurity consciousness across your organization
  • Tier 2 – Implement NIST frameworks and risk management policies
  • Tier 3 – Maintenance of cybersecurity policies and controls
  • Tier 4 – Advanced staff training and implementation of cybersecurity tools

Want more information about what each of these tiers involves? You can view the NIST cybersecurity roadmap, located here.


Steps to NIST Implementation

While there are general guidelines for the implementation of the NIST cybersecurity framework, the process is very flexible, especially since the advent of the Small Business Cybersecurity Act. None of the steps in the framework is a one-size-fits-all approach. Instead, take the time to customize each step to the needs of your business.

Step 1 – Evaluate and Set Goals

The earliest stages of NIST cybersecurity framework implementation involve setting organizational goals. The reason it’s important to start by setting goals is that many businesses have difficulty agreeing internally on an acceptable level of risk. Clarifying those needs across your organization first, by getting IT and other departments on the same page, will help ensure the NIST framework is implemented efficiently and effectively.

Step 2 – Develop Profiles

Besides the two concepts mentioned above, another important part of the NIST cybersecurity framework is the notion of a profile. There are two common types of profiles: the Current Profile, which records where your organization currently stands with regard to the NIST guidelines, and the Target Profile, which represents your desired level of cybersecurity readiness after the framework is successfully implemented.

Once you’ve clarified your goals, you can begin developing a Current Profile. This process should include a thorough risk assessment of your company’s IT systems, while simultaneously referencing the five main categories and the 23 subcategories of the NIST Framework to locate areas of weakness. Here are some topics that this will likely include:

  • Determining what valuable data your company is storing and the exact value of that information
  • Mapping which components and sub-systems of your network interact with that valuable data
  • Analyzing the potential risks to those systems and gaps in your current cyber defenses

Step 3 – Execute a Plan of Action

With a clear sense of where your company currently stands, where you’d like to end up, and the issues that are separating you from your goal, it is time to begin taking steps to close those gaps. As with the early planning stages, make sure that the work of NIST framework implementation is done by an educated staff who understand its importance, and are given clear responsibilities at each stage.

Step 4 – Maintenance

As with any cybersecurity project, it is important to look at NIST adoption not as a one-time event, but as an ongoing program that needs maintenance to provide maximum benefit. Do you have an internal team dedicated to cybersecurity? If not, it may be time to either form one or enlist the help of an external security partner who can perform regular audits and ensure that your protections reflect changes in your network and organization.
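Steps 2 through 4 describe a repeatable loop: score a Current Profile, compare it to a Target Profile, work through the gaps in priority order, and re-score after each audit. The following Python script is an added example (not code from the original post, nor anything published by NIST or Manhattan Tech Support) that models that loop. It assumes a simple 0–4 maturity score per subcategory, which is a constructed scale rather than the framework's own; the subcategory identifiers follow the CSF 1.1 naming scheme, but the outcomes, scores and the sample firm's assessment are all constructed for illustration.

```python
"""Added example: modelling NIST CSF Current and Target Profiles and
producing a prioritised gap list, then re-scoring after a follow-up audit.

Assumptions (labelled): each subcategory is scored 0-4 for both profiles
(0 = not addressed, 4 = fully implemented). The 0-4 scale, the outcomes text
and every score below are constructed for this example; only the identifier
format (e.g. "PR.AC-1") follows the CSF 1.1 naming scheme.
"""
from dataclasses import dataclass

# The five core functions, keyed by the prefix used in subcategory ids.
CORE_FUNCTIONS = {
    "ID": "Identify", "PR": "Protect", "DE": "Detect",
    "RS": "Respond", "RC": "Recover",
}


@dataclass(frozen=True)
class Subcategory:
    id: str        # e.g. "PR.AC-1"
    outcome: str   # short description of the desired outcome
    current: int   # Current Profile score, 0-4
    target: int    # Target Profile score, 0-4

    @property
    def function(self) -> str:
        return CORE_FUNCTIONS[self.id.split(".")[0]]

    @property
    def gap(self) -> int:
        # A score above target is not a gap; clamp at zero.
        return max(self.target - self.current, 0)


# Constructed sample self-assessment for a small firm (not real data).
SAMPLE_PROFILE = [
    Subcategory("ID.AM-1", "Physical devices and systems are inventoried", 1, 3),
    Subcategory("ID.RA-1", "Asset vulnerabilities are identified and documented", 0, 3),
    Subcategory("PR.AC-1", "Identities and credentials are managed", 2, 4),
    Subcategory("PR.DS-1", "Data at rest is protected", 1, 3),
    Subcategory("DE.CM-1", "The network is monitored for cybersecurity events", 0, 2),
    Subcategory("RS.CO-1", "Personnel know their roles when a response is needed", 1, 3),
    Subcategory("RC.RP-1", "Recovery plan is executed during or after an incident", 2, 2),
]


def validate(profile):
    """Reject scores outside the 0-4 scale and ids with an unknown function prefix."""
    for s in profile:
        if not (0 <= s.current <= 4 and 0 <= s.target <= 4):
            raise ValueError(f"{s.id}: scores must be between 0 and 4")
        if s.id.split(".")[0] not in CORE_FUNCTIONS:
            raise ValueError(f"{s.id}: unknown core function prefix")


def gap_list(profile):
    """Subcategories still short of target, largest gap first (ties broken by id)."""
    validate(profile)
    return sorted((s for s in profile if s.gap > 0), key=lambda s: (-s.gap, s.id))


def function_summary(profile):
    """Per core function: (total gap points, number of subcategories with a gap)."""
    validate(profile)
    summary = {name: [0, 0] for name in CORE_FUNCTIONS.values()}
    for s in profile:
        if s.gap:
            summary[s.function][0] += s.gap
            summary[s.function][1] += 1
    return {name: tuple(v) for name, v in summary.items()}


def reassess(profile, new_scores):
    """Maintenance step: fold fresh audit scores into a new Current Profile.

    new_scores maps subcategory id -> new current score; ids not present keep
    their old score. Returns a new list; the original profile is untouched.
    """
    return [
        Subcategory(s.id, s.outcome, new_scores.get(s.id, s.current), s.target)
        for s in profile
    ]


if __name__ == "__main__":
    for s in gap_list(SAMPLE_PROFILE):
        print(f"{s.id:9} {s.function:8} current={s.current} target={s.target} "
              f"gap={s.gap}  {s.outcome}")
    print(function_summary(SAMPLE_PROFILE))
    # Simulate closing the largest gap at the next audit and re-summarise.
    print(function_summary(reassess(SAMPLE_PROFILE, {"ID.RA-1": 3})))
```

The ordering in `gap_list` is what a plan of action (Step 3) is built from: the largest shortfalls surface first, and `function_summary` shows which of the five core functions is weakest overall. `reassess` is the Step 4 habit in code form: each audit produces a new Current Profile rather than editing the old one, so the history of where the organization stood is preserved.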

NYC’s NIST Expert for Small and Midsized Businesses

We understand that not every small or midsized business is going to have the internal resources to make sure that the NIST cybersecurity framework gets properly implemented every time. If you’d like help implementing NIST, or with any other aspect of your cybersecurity strategy, then we urge you to contact the experts at Manhattan Tech Support. For over 20 years, we’ve been helping businesses in NYC strengthen their cybersecurity protections with global best practices, including the NIST cybersecurity framework.

Have a cybersecurity question? Get in touch anytime at 212-299-7673!
