NIST CSF for Small Business: Do What You Can With What You Have

By Rick Tracy

Regardless of the size of your organization, there is no “easy button for risk management. In order for the process to be effective and beneficial, you have to do the work.

Fortunately, the National Institute of Science and Technology (NIST) developed a risk framework that offers an easy-to-understand risk management methodology. Originally designed for the 16 critical infrastructure sectors in the United States, as defined by the Department of Homeland Security, the NIST Cybersecurity Framework (CSF) has become the framework of choice for many organizations beyond critical infrastructure, and is even being adopted by businesses and governments around the world.

While the benefits of the NIST CSF can be realized by organizations of all sizes and missions, the reality is that small and medium-sized businesses (SMBs) have additional challenges when it comes to managing cyber risk. For instance, often times SMBs don’t have the skilled people on staff to conduct self-assessments and manage risk over time. They also may not have the financial resources to outsource the function to a third party.

How the NIST CSF Can Help SMBs

The simplicity of the NIST CSF can really help resource-constrained organizations do what they can with what they have. Since its a framework, organizations can use as much or as little of the CSF as they like. It is possible to start small and scale big incrementally over time.

The NIST CSF allows you to select security objectives that are meaningful to your business. For example, if you sell products and services via your website, then your website is critical to your business. If the website goes down, you lose revenue, so you might choose to start your risk management program around your website. The CSF helps you identify critical security objectives needed to manage risk associated with your web-based business. These security objectives create what the NIST CSF refers to as a Target Profile (i.e., the security objectives that you want to meet).

The CSF also recommends a very logical gap assessment process that allows you to determine if the critical capabilities are in place for your website. This gap assessment process helps you identify critical weaknesses so that remediation plans can be developed to quickly address critical risks. An assessment of your status yields what the NIST CSF refers to as a Current Profile, which enables you to identify any security objectives you don’t satisfy. These shortcomings are called Gaps by the NIST CSF. These Gaps must be remediated in order to achieve an acceptable level of risk, as defined by the organization in the Target Profile.

Expand Your Scope When You Are Ready

Over time, you can expand the scope of your security risk management program by adding additional security objectives NIST CSF calls these Categories and Subcategories to your Target Profile. For example, you might decide to expand the scope of your program to include more than just the website. To do this you simply select additional security objectives i.e., more NIST Categories and Subcategories other aspects of the business, engage more detailed security controls e.g., CIS, 800-53, and ISO for more granular security definition, and/or add additional security objectives to your Target Profile.

The point is you decide when and how to expand your program based on risk tolerance and business need. The CSF allows you to scale your program when you like and how you like.

For companies that do business in the cloud, organizations like are aligning their cloud services (e.g., encryption, access control, audit logs, etc.) to CSF Categories and Subcategories. This further suggests that the CSF is becoming a universal standard for risk management. Such alignment activities will make it even easier for organizations to use the CSF to assess and manage risk moving forward.

The author, Rick Tracy, is the Chief Security Officer at GCA partner Telos Corporation. You can follow Rick on Twitter or connect with him on LinkedIn.

Editor’s Note: The views expressed by the author are not necessarily those of the Global Cyber Alliance.