NIST Cybersecurity Framework and You

July 3rd, 2023


Your district is faced with ever-increasing threats, pressures, and regulations. The list is endless. K-12 cyberattacks continue to increase, with devastating consequences. The requirements of Ed Law 2-d must be addressed. The cyber insurance industry is running scared and requiring ever-increasing documentation and proof that you are even “insurance worthy”. It is completely crazy. Then you have your normal responsibilities of managing your school district and supporting teaching and learning for your students.

The reality is that Ed Law 2-d means your district needs to align with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF or NIST). Unfortunately, it can be hard to get your mind around what that actually means and where to start.

The bottom line for SBOs is that the NIST CSF will help you reduce cyber risk. In a nutshell, the NIST CSF defines a set of organization-wide activities that achieve specific cybersecurity outcomes and help manage cybersecurity risk.

It identifies 322+ organizational and technical controls designed to deliver 108 specific outcomes or activities that manage cyber risk. If you did them all, you would have reduced your cyber risk as much as humanly possible.

We understand that this can sound pretty daunting. The reality is that evaluating and coming into alignment with the NIST Cybersecurity Framework will be a process or journey, not a destination. None of what you do with the NIST CSF is a one-time exercise – schools will need to set up a permanent process of evaluation and adjustment as the risk landscape evolves over time. NIST-defined controls span process, policy, and technology. And as we discussed in last week’s email, cyber risk is an organization-wide issue. Because of that, the NIST CSF solution will be organization-wide as well.

Following the NIST CSF not only requires taking action; it also requires documenting what action you took and why you took it. What is important to the Department of Defense may not be important to your school district. In the same way, what is important to your school district may not be the same for a company that manufactures appliances. Part of the process is understanding what is important for your district and making sure you have taken the steps necessary to secure YOUR information and network.

To help people work with the NIST Cybersecurity Framework, it is broken down into five categories. They are:

  • IDENTIFY
  • PROTECT
  • DETECT
  • RESPOND
  • RECOVER

Over the next five weeks, we will explore each category in a little more detail, with examples of things you can do right now.

Next week’s bulletin will explore the first category – IDENTIFY.

This week’s suggestion:

Watch for next week’s email to begin learning more about the NIST Cybersecurity Framework.

If you would like to learn more before next week, please ask for a copy of our free report “The Changing Face of Cyber Risk Today”.

We are also happy to speak with you, just contact Lisa MacDougall (lmacdougall@csiny.com) or 845.897.9480.