October 23, 2024

Understanding the NIST Framework and Recent AI Updates

Government
Security & Compliance

A lot has changed for the National Institute of Standards and Technology (NIST) Cybersecurity Framework since February 2013, when President Barack Obama signed Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which directed the Executive Branch to: 

  • “Develop a technology-neutral voluntary cybersecurity framework 
  • Promote and incentivize the adoption of cybersecurity practices 
  • Increase the volume, timeliness, and quality of cyber threat information sharing 
  • Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure 
  • Explore the use of existing regulation to promote cyber security” - From Executive Order 13636 

Since the Framework was created, attacks have grown steadily more sophisticated and new challenges such as AI have emerged. In this post, we cover the current state of the NIST Cybersecurity Framework and the recent updates made to keep critical infrastructure secure. 

What is the NIST Framework? 

The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines that organizations use to identify, protect against, detect, respond to, and recover from cyberattacks. It was written with U.S. critical infrastructure in mind, but any organization, public or private and in any country, can adopt it.

Executive Order 13636 tasked NIST with creating a framework that would act as a guidebook to help organizations understand and reduce their cybersecurity risk; version 1.0 of the Framework was published in February 2014. 

The Framework is deliberately flexible so that it works for organizations of different sizes and sectors: it helps you identify risks, prioritize them, and choose controls to reduce them, without prescribing specific products or technologies. 

To stay current, the Framework is revised through public requests for information, draft releases, and workshops with the organizations that use it. Version 1.1 followed in April 2018 and version 2.0 in February 2024, so the Framework is best thought of as a living document that evolves with the needs of the organizations adopting it. 

Why Implement the NIST Framework? 

Implementing the NIST Cybersecurity Framework is more than a good idea. Every organization with an internet presence will eventually face an attack, and the repercussions for you and your customers can be costly. Following the Framework gives you a structured way to reduce the likelihood and impact of a breach, and it also helps you demonstrate due diligence, which mitigates legal and regulatory risk. 

The benefits outweigh the cost of implementation: a more secure business instills trust in customers, and working through the Framework fosters a security-conscious culture among employees. 

For U.S. federal agencies, use of the Framework is mandatory. Executive Order 13800, signed in May 2017, required every agency head to use the Framework to manage the agency's cybersecurity risk and to deliver a risk management report, including the agency's plan for implementing the Framework, within ninety days of the order. 

The NIST Framework Core Functions 

The NIST Cybersecurity Framework Core Functions (as defined in CSF 1.1) are: 

  1. Identify: Organizations must identify the assets that need to be protected, understand the threats to those assets, and assess the vulnerabilities that could be exploited. Personal customer information, employee information, and other sensitive internal data are just a few examples of assets that need to be inventoried and understood, together with the systems, suppliers, and business processes that handle them. 
  2. Protect: At this stage, organizations implement safeguards that keep the identified assets from being compromised. This includes access control, awareness and training, data security (encryption and tested backups), patch and vulnerability management, and protective technology such as logging and endpoint controls. 
  3. Detect: This function involves implementing the means to discover cyber security incidents quickly, including intrusion detection systems, network and host monitoring, security analytics, and defined detection processes. 
  4. Respond: Organizations need to establish the actions they will take once an incident is detected: response planning, internal and external communications, analysis of the incident, mitigation (containment and eradication), and improvements based on lessons learned. 
  5. Recover: The final function focuses on restoring capabilities and services impaired by an incident. This includes recovery planning, executing and testing that plan, disaster recovery and business continuity planning, and communicating recovery progress to stakeholders. 

CSF 2.0, published in February 2024, adds a sixth Function, Govern, which covers the organization's cybersecurity risk management strategy, expectations, roles, and policy, and which informs how the other five Functions are carried out. 

Each Function is divided into categories, which group related security outcomes (for example, Identity Management and Access Control under Protect), and subcategories, which are specific, measurable outcomes within each category (for example, that identities and credentials are issued, managed, verified, revoked, and audited). Each subcategory maps to informative references such as NIST SP 800-53, ISO/IEC 27001, and the CIS Controls, which tell you how to implement it. 

Alongside the Core, two further components, Implementation Tiers and Profiles, give you a way to assess and improve your organization's cybersecurity posture.

Implementation Tiers describe how rigorous and well integrated your cybersecurity risk management practices are, from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive). NIST is explicit that the Tiers are not maturity levels and not a compliance score: you choose a target Tier based on your risk, the cost of moving up, and what is feasible, and then close the gaps that stand between your current practice and that target. 

Profiles describe which Framework outcomes matter to your organization and how well you currently achieve them. Comparing a Current Profile (where you are) with a Target Profile (where you need to be) exposes the gaps, gives you a prioritized roadmap for closing them, and provides a clear way to measure progress over time. 

Again: much of your NIST Framework implementation will depend on your industry, your regulatory obligations, and the sensitivity of the data you manage. The Framework is deliberately not prescriptive for exactly this reason. 

The Artificial Intelligence Executive Order 

The Biden Administration released an Executive Order on October 30, 2023, the Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, which directed federal agencies to establish new standards for AI safety and security. 

Among a list of new requirements around AI, this Executive Order asks NIST specifically to: 

  • “Establish guidelines and best practices, with the aim of promoting consensus industry standards, for developing and deploying safe, secure, and trustworthy AI systems.” Read the full Executive Order here. 

NIST's main instrument for this work is the Artificial Intelligence Risk Management Framework (AI RMF 1.0), which it had already published in January 2023, before the Executive Order was signed. The Order directs NIST to build on that framework, and NIST's follow-on deliverables include a companion profile for generative AI (NIST AI 600-1, released in July 2024). 

  • “AI risk management can drive responsible uses and practices by prompting organizations and their internal teams who design, develop, and deploy AI to think more critically about context and the potential or unexpected negative and positive impacts. Understanding and managing the risks of AI systems will help enhance trustworthiness, and in turn, cultivate public trust.” Read the full AI RMF 1.0

Alongside the AI RMF, NIST provides a Playbook with suggested actions for each of the framework's four core functions: Govern, Map, Measure, and Manage. 

  • Govern: A culture of AI risk management is cultivated across the organization, with policies, roles, and accountability for AI risk in place and documented transparently. 
  • Map: The context in which an AI system will be used, including its intended purpose and the people it affects, is established, and the risks that follow from that context are identified. 
  • Measure: Identified risks are assessed, analyzed, and tracked with quantitative or qualitative methods, including testing and evaluation of the system before and after deployment. 
  • Manage: Risks are prioritized and acted on according to their projected impact, using the outputs of Map and Measure, and incidents are responded to and recovered from when they occur. 

The AI RMF addresses a real security need as AI evolves: AI systems should be shown to be safe and secure before the public is exposed to them. Nearly every organization will feel its effects, directly or through the vendors and partners it relies on, and should expect further updates in the future. 

Automate and Enforce the NIST Framework 

One way to stay ahead of changing NIST Framework functions is to automate key security and compliance tasks with policy as code, and this is where Puppet can help. 

With Puppet, you write the NIST-aligned configuration standards that apply to your organization as code and then roll them out automatically across your infrastructure. Because the Puppet agent re-applies the desired state on every run, and falls back to its last cached catalog if the server is unreachable, you get continuous enforcement even during network interruptions. 

From patch management to access control, many NIST Framework outcomes can be written as code and applied consistently at scale. When a system drifts from the declared state, the agent reports the drift and corrects it on its next run, so there is no manual remediation to do, and the run reports give you evidence of enforcement across your whole estate. 
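As an added illustration of what "writing a Framework outcome as code" looks like (this is example code written for this post, not a Puppet-supplied module or anything from the original page), the following hypothetical profile class enforces a handful of Protect and Detect outcomes on a Linux host: key-only SSH with root login disabled (PR.AC), tamper-resistant permissions on sudoers (PR.AC), and an always-running audit daemon that watches those files (PR.PT / DE.CM). It assumes the puppetlabs-stdlib module is installed (it provides `file_line`), that the SSH service is named `sshd`, that `augenrules` lives at `/sbin/augenrules`, and that the allowed-user list is supplied by the caller.

```puppet
# Example class, not from the original post or from Puppet's own modules.
# Assumptions: puppetlabs-stdlib is installed (file_line), the SSH service
# is 'sshd', and /sbin/augenrules exists (part of the audit package).
class profile::nist_baseline (
  # PR.AC: accounts permitted to log in over SSH (assumed value for the example).
  Array[String] $ssh_allowed_users = ['ops'],
) {

  # --- PR.AC-4 / PR.AC-7: restrict remote access, require key-based auth ---
  package { 'openssh-server':
    ensure => installed,
  }

  $sshd_settings = {
    'PermitRootLogin'        => 'no',
    'PasswordAuthentication' => 'no',
    'PubkeyAuthentication'   => 'yes',
    'AllowUsers'             => join($ssh_allowed_users, ' '),
  }

  # One file_line per directive: replaces an existing (even commented-out)
  # directive with the hardened value, or appends it if it is absent.
  $sshd_settings.each |String $key, String $value| {
    file_line { "sshd_${key}":
      path    => '/etc/ssh/sshd_config',
      line    => "${key} ${value}",
      match   => "^#?${key}\\s",
      require => Package['openssh-server'],
      notify  => Service['sshd'],
    }
  }

  service { 'sshd':
    ensure => running,
    enable => true,
  }

  # --- PR.AC: privileged-access policy is protected from tampering ---
  file { '/etc/sudoers':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0440',
  }

  # --- PR.PT-1 / DE.CM: audit records are produced and the daemon stays up ---
  # Package name differs by OS family; select it from facts.
  $audit_pkg = $facts['os']['family'] ? {
    'RedHat' => 'audit',
    default  => 'auditd',
  }

  package { $audit_pkg:
    ensure => installed,
  }

  service { 'auditd':
    ensure  => running,
    enable  => true,
    require => Package[$audit_pkg],
  }

  # Watch the files this class protects; any write or attribute change is logged.
  file { '/etc/audit/rules.d/50-nist-baseline.rules':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => "-w /etc/sudoers -p wa -k privilege_change\n-w /etc/ssh/sshd_config -p wa -k sshd_config\n",
    require => Package[$audit_pkg],
  }

  # auditd on systemd hosts refuses a plain restart, so reload rules via augenrules.
  exec { 'load_audit_rules':
    command     => '/sbin/augenrules --load',
    refreshonly => true,
    subscribe   => File['/etc/audit/rules.d/50-nist-baseline.rules'],
  }
}
```

Applying the class with `puppet apply --noop` (or running the agent with `--noop`) reports every resource that is out of compliance without changing anything, which is useful for building a Current Profile; dropping `--noop` enforces the state, and each subsequent agent run re-checks and corrects drift. Tying each resource to the subcategory it satisfies, as the comments above do, makes the manifest double as evidence when you map your implementation back to the Framework.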

With Puppet, organizations can streamline their NIST compliance efforts, reduce the risk of cyberattacks, and improve overall security posture. 

Why not try it out today and see what Puppet can automate for you? 
