Even after a century since its inception in 1901, the National Institute of Standards and Technology (NIST) continues to be an extremely important body of governance for businesses all around the world, including Canada. The NIST Framework for Improving Critical Infrastructure and Cybersecurity assists both large and small businesses in securing IT systems through a comprehensive IT Security Framework, consisting of different security standards.
But while compliance frameworks are critical for small and medium businesses in 2021, their technical nature turns off many founders - even when doing so costs them large contracts, lucrative clients and opportunities. At TUCU, we’re dedicated to solving techaches and to help make compliance easier, we’ll be breaking down everything you need to get started in this definitive guide to NIST compliance for small and medium business in Canada.
This is part one in a series of articles where we offer a comprehensive breakdown of major IT compliance frameworks and security standards in Canada.
What is NIST Compliance?
NIST is not a compliance framework, but rather a government body that has developed a series of important IT standards. NIST is the National Institute of Standards and Technology (NIST) within the United States Commerce Department Technology Administration. The body was tasked to develop and promote technology, standards, and measurement to facilitate trade and boost productivity.
Although primarily US-based, the NIST guidelines reached international application and are used by several organizations worldwide, and especially in Canada for IT compliance.
The NIST requirements for online security controls are widely adopted because they’re based on the most effective cybersecurity practices from several other bodies within the industry. In many cases, the NIST directions are used by government agencies to comply with other regulations, though they’re also extremely beneficial to small and medium businesses to protect their own data and demonstrate their readiness to do business with other security conscious organizations.
Overall, complying with the NIST means following a number of NIST standards - the two most common of which are the NIST Special Publication 800-53 and NIST Special Publication 800-171. The NIST SP 800-171, for example, makes it possible for non-federal organizations to secure unclassified federal information within their information systems, while the NIST 800-53 modulates security control for information belonging to the federal government.
Note: Many Canadian businesses use the ITSG-33 in place of NIST 800-53, which is the Canadian government’s own IT security framework offering baseline advice and guidelines - it serves a very similar purpose within Canada.
What Does It Mean to Be NIST Compliant?
Being NIST compliant is a continuous process. It means consistently observing the structures and strategies in place in your company to reach a minimum compliance level. To meet every security protocol enacted, a company must have IT security, response plans, and other employee policies for awareness.
While it’s encouraged for private bureaus and bodies to meet minimum NIST regulations, most are not required to. Official firms, on the other hand, are compelled by law to follow the NIST framework.
Compliance for SMBs is for safeguarding classified information and developing their IT security to defend against cyberattacks. Non-federal businesses and organizations following NIST guidelines benefit from protection against serious security breaches and phishing attacks. That said, while there is no real pressure from the government, Canadian businesses are motivated to be NIST compliant in order to secure government contracts (both from the Canadian and US agencies).
Private and small companies opt to implement NIST standards listed in the Cybersecurity Framework (CSF), which is a framework for risk management that assists groups in lessening threats to their information systems.
Private companies may also require their business partners and vendors to adopt the NIST framework in order to work with them.
How Can Canadian Small Businesses Become NIST Compliant?
Small businesses in Canada should be motivated to build strong cybersecurity programs by meeting the minimal requirements of the NIST CSF. It’s a good jumping-off point to invest in securing company information and avoiding invasive cyber threats or staff member actions that can cause widespread damage. NIST CSF is also one of the most cost-effective approaches to managing cybersecurity threats.
The Framework Implementation Tiers involved in the CSF guide SMBs in implementing NIST guidelines by evaluating the latest risk management practices, threat levels within the IT environment, compliance requirements, and details that describe a business’ network security model.
Generally speaking, a large organization would work with their IT department and management team to achieve compliance. A small or medium business would work with their IT security consultant and outsourced IT services team to achieve compliance.
Working with NIST, you are able to:
- Clarify and understand your current cyber security posture (known as "Current Profile")
- Define your desired cyber security posture (known as "Target Profile")
- Continuously identify and action changing states and vulnerabilities based on your (or your clients) requirements for cybersecurity and risk mitigation.
How NIST Is Structured
The NIST Framework, from a bird's eye view, has three core pillars.
- Core
- Profile
- Implementation Tiers
Core
Core Functions pertaining to cyber security threats, procedures and activities an organization should follow to:
- Identify
- Protect
- Detect
- Respond
- Recover
Each of the five core functions have over twenty categories pertaining to outcomes. For example, there are outcomes for assessing risk, mitigating risk, maintaining data security and so on.
Profile
Earlier we mentioned that NIST enables you to define your "Current Profile" and your "Target Profile" as it relates to cyber security management.
Profiles help you choose appropriate goals and outcomes for your organization, and help you work through the various core functions, categories and implementation tiers that make the most sense for you.
Some examples of NIST profiles include:
- NISTIR 8183 - Cybersecurity Framework Manufacturing Profile
- NIST TN 2051 - Cybersecurity Framework Smart Grid Profile
- NISTIR 8374 (Draft) - Cybersecurity Framework Profile for Ransomware Risk Management
- More NIST profile examples and documents here
Implementation Tiers
Tiers represents how entrenched the NIST framework and cyber security in general is within an organization. Achieving IT compliance for small businesses often means working through a natural progression of the tiers over time.
♦ Tier 1 (Partial) - Network security strategies are yet to be formalized because they don’t operate on the threat environment or possible risks.
♦ Tier 2 (Risk-informed) - Risk management practices are in place, though they’re not yet formalized, standardized, or promoted through educational sessions for all employees. These practices are already directly informed by business requirements and organizational risks.
♦ Tier 3 (Repeatable) - A formalized and standardized cybersecurity now exists, ready for organization-wide implementation. Protocols and user policies are now also in place.
♦ Tier 4 (Adaptive) - The company now possesses a polished, sophisticated, and well-maintained approach to information security risks and assessments that rely entirely on organizational data, predictive indicators, and previous experience.
Benefits of Becoming NIST Compliant
NIST compliance for SMB comes with several benefits. Here are a few advantages that might help build protection from predatory online practices.
1. Security from cyber threats
Every business today is vulnerable to online security breaches that threaten their brands. Threats range from malware, spyware, and ransomware to email phishing and several other kinds of information attacks. The NIST CSF incorporates tested and proven cybersecurity practices from several other standard agencies, such as the International Standards Organization.
For small and medium businesses (SMB) NIST compliance is especially useful. Most SMBs do not have the manpower or capital to have a full-time IT staff so becoming NIST compliant means that they are better equipped to combat cyber threats.
Maintaining this compliance also takes only a fraction of the cost of a full IT security team. significantly reducing the cost.
The NIST website has a Small Business Cybersecurity Corner, listing a variety of free and accessible resources on the fundamentals of cybersecurity, all of which are based on the NIST Cybersecurity Framework. These resources:
- can accommodate different types of technologies.
- are based on international standards.
- can adapt to the nature and size of the data stored in these small businesses’ information systems.
2. Customizable framework
The NIST CSF’s guidelines can be implemented in full or in portions. Small businesses and organizations can choose the most appropriate categories and subcategories. You may start small with just a small number of subcategories, then expand to cover more subcategories when you can.
This is essential since the CSF recommends setting a “target profile” for their “current profile” to work towards, identifying gaps and addressing shortcomings along the way.
3. Following other industry mandates
NIST compliance supports other government or industry regulatory policies. Failing to heed the NIST and various other official bureaus can strip a business’ ability to bid for government contracts. Other consequences include:
♦ Reputation hits - Clients are unlikely to trust a company that doesn’t have strict data security policies. The resulting data breaches may further damage a company’s reputation and companies are required by law to disclose data breaches.
♦ Criminal charges - Neglecting your cyber environment and knowingly putting yourself at risk of security breaches make you liable to criminal charges, breach of contract cases, and heavy fines.
♦ Loss of business - While most companies suffer from the bad press because of NIST non-compliance, not complying with the NIST guidelines may put a business in more serious trouble if they are legally obligated to follow these standards.
4. Edge over competitors
Keeping with NIST IT security directives can significantly boost a company’s chances of passing vendor screenings, especially for SMBs. This is because compliance indicates information security efficiency and improved data handling.
Being NIST compliant, therefore shows that the company follows the right policies and practices to protect its data and users from cyberthreats - making it more likely for the company to win the bid. It’s also a plus that the NIST prescriptions have international recognition, so whether it’s in the US or in Canada, implementing these standards provide credibility for your organization, beating out your competitors.
Still, one should remember that NIST compliance is not the end-all-be-all of standard regulation. NIST compliance has several benefits but doesn’t ensure complete security because it’s essentially a supporting act to comply with other regulatory standards in ensuring cybersecurity, implementing policies, and promoting awareness.
The Cost of NIST Compliance?
Being NIST compliant can be costly. It can come at a different price for different organizations, depending on a number of factors, such as the size and operation of the organization. While it can be a bit pricey on average, there are also viable options for SMB budgets. The total expenditure of NIST compliance can be divided into two separate groups: primary and ancillary factors. Let’s take a closer look at each.
Costs driven by primary factors
These factors include consultants, security packages worth investing in, and HR policies to ensure compliance within the organization.
Figures below are for mid market organizations. Smaller businesses will have lower costs.
♦ Risk assessment: Before any concrete compliance efforts can begin, a comprehensive risk assessment must be performed that allows companies to inventory every asset that needs to be protected, what it needs to be protected from, and how it will be protected. The risk assessment costs between $10,000 to $20,000.
♦ Compliance solution - Securing your data will mean purchasing as well as building your data storage which can either be on-prem (in-house solution) or cloud storage, depending on the option you choose, this can cost anywhere from $25,000 to $35,000.
♦ Compliance consultants - These are outsourced teams tasked to manage compliance measures and perform continuous assessments. Fees range, depending on the size of the business, scope of the engagement, and the amount of data being worked on. It is not uncommon for fees to reach $100,000.
♦ Managed solutions - Unlike compliance consultants, a managed service provider will not only provide a company with the compliance expertise but also the manpower to carry out remediation efforts. This approach significantly speeds up your time-to-compliance so that you can act on opportunities. Costs vary, and can commonly reach $50,000- $60,000 per year, significantly lower than hiring qualified, in-house IT staff to perform same.
Costs driven by ancillary factors
Indirect costs mostly involve the number of hours spent on the compliance measures:
- Compliance process management personnel - These are either outsourced or are in-house teams.
- Time allocation for maintaining compliance - Man-hours invested in a “do it yourself” approach can save on out-of-pocket costs but maintaining compliance can still cost around $10,000 to $25,000 in total per year.
In general, Canadian businesses pay anywhere between $10,000 to $20,000 for assessment, $50,000 to $100,000 for remediation (bringing IT operations up to compliance), and an operating cost of at least $10,000 to maintain compliance.
Of course, these are ballpark ranges - the actual cost for your business will vary. The best way to get an accurate estimate for NIST compliance is to get in touch with an iT security consultant or Managed Services Provider (MSP).
