By Sam Wolf   /   Apr 28th, 2020

A Beginner’s Guide to the NIST Cybersecurity Framework & Password Standards

If you’ve ever had to create a new password or take other authentication measures for an account, you have likely utilized some or all parts of the NIST cybersecurity framework, guidelines, and standards. To give you a brief overview, NIST stands for the National Institute of Standards and Technology. It is a non-regulatory agency that was founded in 1901 and is now part of the U.S. Department of Commerce.

NIST also happens to be one of the nation’s oldest physical science laboratories. The agency provides standards, technology, and measurements that are used in virtually any electronic device or instrument you can imagine. The NIST cybersecurity framework is a voluntary, helpful tool to assess and reduce cybersecurity risks. If you are the owner or executive of an SMB, this brief beginner’s overview of the NIST cybersecurity framework and password guidelines will quickly get you started in the right direction.

By utilizing resources such as the NIST cybersecurity framework, you can ensure that your organization meets the baseline cybersecurity guidance. The NIST cybersecurity framework has many complexities, but this is a quick, high-level overview so non-technical people can gain some understanding of it. It also includes the NIST password guidelines, as these are easy for an SMB to implement and are a quick way to improve cybersecurity.

What is the NIST Risk Management Framework?

NIST is considered an industry standard baseline when it comes to certain guidelines such as the NIST Risk Management framework, NIST Cybersecurity framework, as well as password standards and guidelines. In general, NIST risk management refers to the level of risk to third-party stakeholders involved with the organization and its operations or the organization itself and how those risks are managed throughout the system. The NIST risk management profile helps to demonstrate the overall risk while taking factors such as budget and infrastructure into consideration.

The NIST Cybersecurity Framework Explained

The NIST Cybersecurity Framework is of particular importance, as it provides guidelines, standards, and best practices, which organizations can utilize when it comes to avoiding and mitigating cybersecurity risks. NIST guidelines are especially helpful when it comes to helping organizations meet certain compliance requirements that are usually very specific and very regulated. It has three main components:

NIST Cybersecurity Framework Components Image

Image 1: This image is the property of the National Institute of Standards & Technology. Source link.

The Implementation Tiers are composed of four tiers: Partial, Risk Informed, Repeatable and Adaptive. It is a self-assessment of where you are in your cybersecurity risk management process. It helps organizations to understand exactly how much cybersecurity attention is needed for their particular status, and just how much of their resources they are able to contribute to their cybersecurity measures. This is the part of the framework where organizations can discuss their mission priority, budget, and risk appetite. Many small businesses may stay at Tier 2 for a while before they have the resources to move to Tier 3. This helps organizations understand their current security level and where they want to be – balancing risk, organizational goals and budget.

NIST Cybersecurity Framework Implementation Tiers

Image 2: This image is the property of the National Institute of Standards & Technology. Source link.

The Core of the NIST cybersecurity framework is an overall guide on how organizations can manage and reduce their cybersecurity risks, and it’s meant to work within your existing processes to manage those risks. It’s written in a way that is clear and easy to understand for every level of user. The core has five high-level functions that cover cybersecurity risk management and focus on business outcomes. The five functions are: Identify, Protect, Detect, Respond & Recover. This further breaks down into categories and sub-categories that businesses can use to define and organize their risk and response capabilities.

NIST Cybersecurity Framework Functions & Categories Image

Image 3: This image is the property of the National Institute of Standards & Technology. Source link.

The Profiles component helps the organization come up with a desired outcome based on their budget, risk appetite, and mission priorities, utilizing information obtained through the Core and Implementation Tier components. One approach is for businesses to build a current cybersecurity profile of where they are in each of the five framework functions and categories, as well as a target profile of their cybersecurity target goals. This highlights the gaps and enables organizations to create a prioritized implementation roadmap based on their needs and budget. Most organizations create a multi-year, prioritized plan to reach their cybersecurity objectives.
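The current-profile versus target-profile comparison described above, turned into a small worked example. This is added illustration code, not NIST's or the author's own tooling: the category names, current and target tiers, estimated costs, function weights and annual budget are all constructed sample values, and the prioritization rule (weighted gap size, then cheaper first, scheduled greedily year by year within budget) is one plausible approach, not something the framework prescribes.

```python
from dataclasses import dataclass

# The four Implementation Tiers from the framework.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class CategoryProfile:
    function: str   # one of the five Core functions
    category: str   # CSF category name (constructed sample)
    current: int    # current tier (1-4) from the self-assessment
    target: int     # target tier (1-4)
    cost: int       # estimated cost to reach the target, in $k (constructed)


# Constructed sample profile for a small business.
SAMPLE_PROFILE = [
    CategoryProfile("Identify", "Asset Management", 1, 3, 20),
    CategoryProfile("Protect", "Identity Management & Access Control", 2, 3, 40),
    CategoryProfile("Protect", "Data Security", 2, 2, 0),   # already at target
    CategoryProfile("Detect", "Security Continuous Monitoring", 1, 3, 60),
    CategoryProfile("Respond", "Response Planning", 1, 2, 10),
    CategoryProfile("Recover", "Recovery Planning", 1, 2, 15),
]

# Mission-priority weights per function (constructed; an organization
# handling sensitive data might weight Protect and Detect higher).
SAMPLE_WEIGHTS = {
    "Identify": 1.0, "Protect": 1.5, "Detect": 1.2, "Respond": 1.0, "Recover": 0.8,
}


def gaps(profile):
    """Categories whose target tier is above the current tier."""
    return [c for c in profile if c.target > c.current]


def prioritize(profile, weights):
    """Order the gaps: largest weighted gap first, cheaper first on ties."""
    return sorted(
        gaps(profile),
        key=lambda c: (-weights[c.function] * (c.target - c.current), c.cost),
    )


def build_roadmap(profile, weights, annual_budget, years):
    """Greedy multi-year plan: each year, take the highest-priority items
    that still fit the annual budget. Returns ({year: [category, ...]},
    [unscheduled categories])."""
    remaining = prioritize(profile, weights)
    roadmap = {}
    for year in range(1, years + 1):
        budget = annual_budget
        scheduled = []
        for item in list(remaining):
            if item.cost <= budget:
                scheduled.append(item.category)
                budget -= item.cost
                remaining.remove(item)
        roadmap[year] = scheduled
    return roadmap, [c.category for c in remaining]


if __name__ == "__main__":
    plan, leftover = build_roadmap(SAMPLE_PROFILE, SAMPLE_WEIGHTS, annual_budget=70, years=3)
    for year, items in plan.items():
        print(f"Year {year}: {', '.join(items) or '(nothing)'}")
    if leftover:
        print("Unscheduled:", ", ".join(leftover))
```

With the sample numbers, year one funds continuous monitoring and response planning, year two asset management and access control, and year three recovery planning. Changing the weights or the annual budget reorders the plan, which is the point of keeping the current profile, target profile and cost estimates as data rather than as a one-off document.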

NIST Password Standards and Guidelines

While the NIST Cybersecurity framework has multiple components to it, password strength and safety is something that is easy to translate, and easy to implement. NIST has set up standards and guidelines that anyone can follow, and any organization can require. Here’s a summary:

  1. It’s important to have passwords that are longer and therefore more difficult for cybercriminals to crack. NIST suggests that passwords be a minimum of eight characters, and that systems allow passwords of at least sixty-four characters.
  2. When it comes to complexity, users should have the ability to use special characters to further enhance the difficulty for a person or machine to guess those passwords.
  3. Restrict the use of characters that are repetitive or sequential, such as ‘abcd’ or ‘1234’. This is a good addition to an organization’s risk management profile.
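The three points above as a password acceptance check. This is an added example, not code from NIST or from the author: it enforces the eight-character minimum, accepts passwords up to sixty-four characters (a longer limit would also be fine; the point is not to cap passwords below sixty-four), accepts spaces and special characters rather than forbidding them, and rejects runs of four or more repeated or sequential characters such as 'aaaa', 'abcd' or '1234'. The run length of four and the rejection of descending runs like 'dcba' are choices made here, not values from the article.

```python
import re
import unicodedata

MIN_LENGTH = 8
MAX_LENGTH = 64   # the verifier must accept at least this many characters
RUN_LENGTH = 4    # 'aaaa', 'abcd', '1234' (constructed threshold)


def has_repeated_run(pw: str, run: int = RUN_LENGTH) -> bool:
    """True if any character appears `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw, flags=re.DOTALL) is not None


def has_sequential_run(pw: str, run: int = RUN_LENGTH) -> bool:
    """True if `run` consecutive characters step by +1 or -1 in code point
    ('abcd', '1234', 'dcba'). Only exact steps count, so 'abce' is fine."""
    for step in (1, -1):
        count = 1
        for prev, cur in zip(pw, pw[1:]):
            if ord(cur) - ord(prev) == step:
                count += 1
                if count >= run:
                    return True
            else:
                count = 1
    return False


def check_password(pw: str) -> list[str]:
    """Return the list of policy problems; an empty list means accepted.
    Spaces, punctuation and non-ASCII letters are deliberately allowed; only
    control characters are rejected."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        problems.append("contains control characters")
    if has_repeated_run(pw):
        problems.append(f"contains {RUN_LENGTH}+ repeated characters (e.g. 'aaaa')")
    if has_sequential_run(pw):
        problems.append(f"contains {RUN_LENGTH}+ sequential characters (e.g. 'abcd', '1234')")
    return problems


def is_acceptable(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    # Constructed sample inputs, not real passwords.
    for candidate in ["short", "abcd1234", "P@ssw0rd!!!!", "Tr0ub4dor&3",
                      "correct horse battery staple!"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Note what the check does not do: it does not demand a digit or a symbol. Point 2 is about letting users choose special characters, not forcing them, so a long passphrase with spaces passes while a short password padded with '!!!!' is rejected for the repetition, not for its character mix.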

While the NIST password guidelines are used to varying degrees, most sites will now ask you to use a combination of letters, numbers, and symbols. Many sites may also dictate additional requirements for password complexity. This is why a strong password that is difficult to remember is what you should be aiming for, and why it’s a good idea to use some sort of password manager to keep track of them. This is especially true because you should not be using the same password across various sites and accounts, and they should be changed regularly. Having a password manager helps keep track of the complex and ever-changing authentication processes.

With all this in mind, it’s clear that the NIST cybersecurity framework and guidelines are very much a part of our everyday lives and can have a major impact on organizations if they are ignored or not followed. While some of the guidelines are somewhat flexible in their use, being familiar with them is an important step toward meeting your organization’s cybersecurity needs. Even having a high-level understanding of the Cybersecurity framework is a big first step in protecting your organization’s devices, information systems, and the valuable data that they are storing.

Contact us if you need help assessing your cybersecurity gaps and prioritizing your path forward. We can help you develop a plan that fits your needs and budget. To learn more about the NIST cybersecurity framework, visit

About the Author

Sam Wolf

Sam Wolf is an incident response analyst at LMG Security where she helps a wide range of customers respond to cybersecurity incidents and mitigate damage. Sam also brings a business and accounting background to her position, which can help clients understand the bigger picture. When she’s not battling cyber criminals, Sam enjoys playing roller derby, enjoying the outdoors, and weightlifting.