Preparing for a self-attestation of NIST CSF
There is no certification by a third-party assessor, however, the preparation process is the same as when preparing for meeting any other compliance requirements.
After you’ve made the decision to self-attest to NIST CSF, here’s something to keep in mind when drafting your self-attestation preparation strategy. You may want to create a taskforce of employees from the IT or security team, with support from team members familiar enough with your technical systems. Having an executive or manager own this process with the team will also be hugely beneficial.
The NIST CSF process requires commitment, and team members may need to take time away from their other tasks to focus on preparing for your self-attestation. You should account for a loss in productivity, and ensure you are staffed accordingly.
The process can be broken down into three major components:
Step 1: Understanding the NIST CSF Requirements
It is important for you to know what the NIST CSF requirements are and plan accordingly. NIST CSF is not a one-size-fits-all, each organization can decide which functions, categories, and subcategories to comply with. NIST CSF functions, with their categories and subcategories, are:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Asset management (ID.AM)
- Business environment (ID.BE)
- Governance (ID.GV)
- Risk assessment (ID.RA)
- Risk management strategy (ID.RM)
- Supply chain risk management (ID.SC)
- Protect: Ensure that critical infrastructure services remain available.
- Identity management, authentication, and access control (PR.AC)
- Awareness and training (PR.AT)
Data security (PR.DS)
- Information protection processes and procedures: (PR.IP)
- Maintenance (PR.MA)
- Protective technology (PR.PT)
- Detect: Develop and implement activities to identify cybersecurity events.
- Anomalies and events (DE.AE)
- Security continuous monitoring (DE.CM)
- Detection process (DE.DP)
- Respond: Develop and implement responses to detected cybersecurity events.
- Response planning (RS.RP)
- Communications (RS.CO)
- Analysis: (RS.AN)
- Mitigation (RS.MI):
- Improvements (RS.IM)
- Recover: Develop and implement the appropriate actions to take upon detecting a cybersecurity event.
- Recovery planning (RC.RP)
- Improvements (RC.IM)
- Communications (RC.CO)
Step 2: Prepare Materials
In this next phase, you will create a list of controls and policies to adopt, gather required evidence artifacts, document all necessary procedures, and provide adequate training to your team. If you’re a TrustOps user, we’ve got your back. TrustOps helps you automate much of this process, and automatically maps your controls to the NIST CSF standard to make it easy for you to assess your systems, policies, and procedures. If you’re not a TrustOps user yet, call us… we’d love to have your back, too.
Step 3: Complete Internal Review and self-attest
You must first conduct a thorough internal review to ensure that you are meeting all requirements. The internal audit review you get when you work with us analyzes your gaps against your level of NIST CSF (as well as other compliance standards such as HIPAA), and could be used as your self-assessment.