In modern cybersecurity, standards and acronyms are abundant: ISO 27001, CIS, COBIT, GDPR... In the US, the National Institute of Standards and Technology (NIST) standards are the go-to for organizations wanting to protect against phishing, ransomware, and other cyberattacks. (Read The Cyber Threat Landscape for 2022 Darkens.) For many organizations, passing a cybersecurity compliance audit based on a NIST cybersecurity framework is also a business requirement, particularly for companies in a federal agency's supply chain.
Adherence to the NIST Cybersecurity Framework (CSF) and all other NIST security frameworks, such as NIST SP 800-171 and NIST SP 800-53, relies on self-certification, so passing a third-party audit is essential for proving compliance. In this blog post, we examine a NIST cybersecurity audit and offer three actionable tips for passing it. We also show how Morphisec can shorten the compliance journey and make passing a NIST audit easier.
NIST Cybersecurity Frameworks
Defining a clear path to better risk assessment and cybersecurity in any organization can be complicated. Cybersecurity frameworks are designed to make it easier to understand how to improve your organization’s security posture. They outline a set of policies and controls that, when enacted, improve your security and make it easier to prevent, detect, and remediate attacks.
Published in 2014 and updated in 2018, the NIST CSF is the most commonly used NIST framework. Around 50 percent of all organizations in the US adhere to it today. The CSF was initially designed to help critical industries such as energy suppliers stop cyber threats. But it has evolved to become a scalable, effective, and relatively straightforward framework for companies in every sector to improve their IT security and risk management capability.
The NIST CSF document is around 41 pages long, divided into five functional areas: identify, protect, detect, respond, and recover. There are also 23 categories and 108 security controls, giving you a relatively granular framework for reducing cybersecurity risk. Other NIST frameworks such as NIST SP 800-171, NIST SP 800-37, and NIST SP 800-53 follow a similar pattern but with different area definitions and numbers of controls.
Generally speaking, the compliance standards within the NIST CSF are easier to align with but offer less robust coverage. Other NIST and similar frameworks may be heavier duty and stipulate more detailed requirements for cybersecurity compliance.
Passing a NIST-Based Cybersecurity Compliance Audit
NIST is the gold standard for other security frameworks in the US and worldwide, so NIST compliance is increasingly necessary.
However, neither NIST nor any other federal body currently audits organizations to prove compliance with NIST frameworks. Instead, NIST “encourages the private sector to determine its conformity needs, and then develop appropriate conformity assessment programs." This means companies are responsible for ensuring their own compliance. Typically they’ll contract a consultancy firm to conduct an audit, which is generally a checkbox exercise.
During the audit process, an auditor compares your actual security systems and security standards to the NIST compliance requirements outlined in your written information security policy (WISP). If a company’s cybersecurity program does not meet its policy requirements, it will lose marks and may fail the audit. For example, if two-factor authentication (2FA) is not in place, or devices are patched every 180 days instead of the 90 days the policy specifies. Federal agencies and organizations in the federal supply chain are legally required to comply with the NIST SP 800-171 and NIST SP 800-53 frameworks, so failing an audit can be disastrous.
Here are three things you can do to increase your chances of passing a NIST-based audit.
Read the Documentation
The first step in meeting a NIST framework's requirements and passing an audit is not to panic. Particularly for smaller organizations, compliance can seem like climbing a mountain. But ultimately, it’s about taking many small steps to align your security posture with that recommended by the framework.
This starts with taking a deliberate approach to understanding the framework itself. Individuals tasked with implementing NIST frameworks should read the actual information produced by NIST and not rely on a synopsis from third parties.
Remove Bias When Self-Assessing
NIST has produced plenty of helpful information for organizations looking to meet their requirements. And it also provides companies with tools for self-assessment, such as the Baldrige Cybersecurity Excellence Builder.
Making the most of any self-assessment requires an accurate picture of where your cybersecurity maturity stands in relation to where the NIST framework requires it to be. Critical to this is removing bias. It's easy to see a control you might be meeting at around 75 percent and think it’s met. However, passing an audit may require satisfying every applicable control 100 percent, not settling for "good enough" compliance.
Don't Make an Auditor's Job Difficult
Providing an auditor or an audit team with out-of-date or unclear documentation can lead to awkward conversations, or worse. Prevent this with time- and date-stamped evidence clearly showing you’re still doing what you say you’re doing.
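As an added illustration of the two points above (that a 75 percent control score is a finding, not a pass, and that evidence should carry a timestamp), the following self-assessment script evaluates a constructed asset inventory against the two WISP controls the post cites: a 90-day patch window and 2FA. It is example code, not Morphisec's or NIST's; the host names, dates, control labels and the assumption that both controls apply to every host are constructed here.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone

PATCH_WINDOW_DAYS = 90  # the WISP window the post cites; 180 days would fail

@dataclass(frozen=True)
class Host:
    name: str
    last_patched: date
    mfa_enabled: bool

# Constructed inventory for this example (not real hosts).
INVENTORY = [
    Host("web-01", date(2022, 5, 20), True),
    Host("web-02", date(2022, 1, 10), True),   # ~6 months since last patch
    Host("db-01", date(2022, 6, 1), False),    # admin access without 2FA
    Host("jump-01", date(2022, 6, 15), True),
]

def assess(hosts, as_of, window_days=PATCH_WINDOW_DAYS):
    """Check every host against both controls as of a given date.
    A control is 'met' only at 100%; a 75% score is a finding, not a pass."""
    checks = {
        "patch-within-window": lambda h: (as_of - h.last_patched).days <= window_days,
        "2fa-enabled": lambda h: h.mfa_enabled,
    }
    results = {}
    for control, ok in checks.items():
        failing = sorted(h.name for h in hosts if not ok(h))
        met_count = len(hosts) - len(failing)
        percent = 100.0 * met_count / len(hosts) if hosts else 100.0
        results[control] = {"failing": failing, "percent_met": percent, "met": not failing}
    return results

def self_assess(as_of_iso, window_days=PATCH_WINDOW_DAYS, generated_at=None):
    """Run the assessment and wrap it in a timestamped evidence record."""
    as_of = date.fromisoformat(as_of_iso)
    generated_at = generated_at or datetime.now(timezone.utc)
    controls = assess(INVENTORY, as_of, window_days)
    return {
        "generated_at": generated_at.isoformat(),  # when the evidence was produced
        "as_of": as_of.isoformat(),                # the state it describes
        "controls": controls,
        "audit_ready": all(r["met"] for r in controls.values()),
    }

if __name__ == "__main__":
    print(self_assess("2022-07-01"))
```

Run periodically and archived, each record gives an auditor dated proof of the state of each control rather than a one-off claim.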
Whether an organization is trying to comply with the hundreds of controls stipulated by NIST SP 800-53, or starting its journey towards NIST CSF alignment, it’s crucial to have high-level documentation that covers the organization's entire environment.
When required, an organization’s system security plan (SSP) must be up to date and touch on all the controls needed for a NIST framework, detailing how it will meet them.
Morphisec Helps Organizations Align With NIST
Morphisec’s Moving Target Defense and vulnerability management solutions are powerful tools for helping organizations cover NIST controls.
Extending zero-trust to the endpoint, Morphisec Guard defends organizations against advanced evasive threats. These slip past traditional detection-based solutions like antivirus (AV), endpoint protection platforms (EPP), and endpoint detection and response (EDR/XDR/MDR).
To protect unpatched software, Morphisec Guard can also deploy a next-generation virtual patch with runtime application hardening. This enables companies to reduce ‘panic patching’ by safely increasing patch implementation time. Even for business-critical legacy software, Morphisec Guard’s lightweight agent means out-of-patch applications receive an extra layer of protection without compromising usability or performance.
To detect vulnerabilities, Morphisec Scout provides a continuous picture of application security gaps. It empowers organizations to prioritize vulnerabilities based on actual usage and severity. Morphisec Scout proactively reduces risk and improves your alignment with the NIST CSF and other frameworks.
Cybersecurity Audits Can Be (Relatively) Simple
Do you want to ensure business continuity or show clients your organization meets stringent security compliance regulations? Then passing an external cybersecurity audit is critical.
Passing a NIST audit requires aligning your organization's cybersecurity policies with a particular framework’s security compliance requirements. However, doing so sustainably entails a cultural shift. Firms that pass audits easily make cybersecurity an integral part of their operations, rather than a bolt-on extra. Particularly for organizations with lean security teams, this means partnering with security solution vendors like Morphisec who understand their compliance journey.
Learn more about how Morphisec’s zero-trust architecture can help organizations like yours. Read the white paper: The Ultimate Ransomware Strategy: Zero Trust + Moving Target Defense.