NIST Framework : Guide for SaaS Security Compliance

NIST is the National Institute of Standards and Technology at the U.S. Department of Commerce. The NIST Cybersecurity Framework assists businesses of all sizes in better understanding, managing, and mitigating cybersecurity risk, as well as protecting their networks and data. The Framework is entirely voluntary. It provides an outline of best practices for your business to help you decide where to focus your time and money for cybersecurity protection.

The NIST Cybersecurity Framework (CSF) was first released in 2014 and was most recently updated in 2018.

The framework enables organizations to improve the security and resilience of critical infrastructure with a well-planned and easy-to-use framework.

The continuing growth in SaaS, and the major changes to the work environment due to COVID-19 bring new security challenges. Despite the fact that the CSF was written and updated during the rise of SaaS, it is still geared toward the classic legacy critical infrastructure security challenges. Organizations, on the other hand, can better respond to new risks by adapting the CSF to modern, SaaS-based work environments.

Overview of NIST CSF

The NIST CSF lays out five functions of security, then splits them into categories and subcategories. The subcategories contain the actual controls. For each subcategory, the CSF includes a list of cross-references to well-known standards and frameworks such as ISO 27001, COBIT, NIST SP 800-53, and ANSI/ISA-62443.

These cross-references help organizations implement the CSF and map it to other frameworks. For example, security managers or other team members can use the references to justify their decisions no matter what security standard the company needs to comply with.

In a single document, the Framework combines a host of approaches to dealing with cyber security threats. This includes:

-Setting up procedures
-Defining roles

The framework has a five-stage core structure: Identify, Protect, Detect, Respond and Recover.


NIST Releases Version 1.1 of its Popular Cybersecurity Framework | NIST


NIST defines this function as follows:

“Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”

Within this function, NIST  includes the following control categories:

Asset Management
Business Environment
Risk Assessment
Risk Management Strategy
Supply Chain Risk Management.

NIST defines this function as follows:

“Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.”

Within this function, NIST includes the following control categories:

Access Control
Awareness and Training
Data Security
Information Protection Processes and Procedures
Protective Technology


NIST defines this function as follows:

“Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event”.

Within this function, NIST includes the following control categories:

Anomalies and Events
Security Continuous Monitoring
Detection Processes


NIST defines this function as follows:

“Develop and implement the appropriate activities to take action regarding a detected cybersecurity event”.

Within this function, NIST includes the following control categories:

Response Planning


NIST defines this function as follows:

“Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event”.

Within this function, NIST includes the following control categories:

Recovery Planning

How can 3columns help you in implementing NIST Cybersecurity Framework ?

If your organization is facing cybersecurity issues , we will not only help you by identifying and fixing the security gaps but along with that will guide you in implementing NIST Cybersecurity Framework for your organization. Feel free to reach out to our cyber security consultants for  a no obligation call. Click here to contact.

Applying the CSF to SaaS Security

While definitely a model in best practices, the Framework is a challenge to implement.

Learn more how a SaaS Security Posture Management (SSPM) solution can automate compliance to NIST across your SaaS estate.

Data-in-transit is protected

A company using SaaS services may wonder how this is relevant for them. They may think that compliance is the SaaS provider’s responsibility. However, a deeper look into it shows that many SaaS providers have security measures in place, and the user is responsible for using them.

For example, admins should not allow any connections via HTTP to a SaaS service. They should only allow secure HTTPS connections.

Protections against data leaks are implemented

This may seem like a small subcategory, but underneath there is a behemoth. Data leaks are extremely difficult to prevent. SaaS application adoption makes this harder because people can share and access them from anywhere in the world.

An admin or member of the CISO office should take special care of this threat. DLP in SaaS can include security measures such as:

  • sharing links to files rather than the actual file
  • setting an expiration date for the link
  • disabling the download option if not needed
  • blocking the ability to export data in data analysis SaaS
  • user authentication hardening
  • prevention of locale recording in communication SaaS
  • well-defined user roles with a limited number of super users and admins

Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes

As an enterprise scales its workforce and SaaS adoption, this subcategory becomes more challenging. Managing 50,000 users over just five SaaS means that the security team needs to manage 250,000 identities. This problem is real and complicated.

Even more challenging, each SaaS has a different way to define identities, view them, and secure identities. Adding to the risk, SaaS applications don’t always integrate with each other, which means users can find themselves with different privileges across different systems. This then leads to unnecessary privileges that can create a potential security risk.

6 Steps for Implementing the NIST Cybersecurity Framework

1. Set Your Goals

2. Create a Detailed Profile

3. Determine Your Current Position

4. Determine Your Current Position

5.  Implement Your Plan’

6. Take Advantage of NIST Resources

NIST Checklist

The National Checklist Program (NCP), as defined by NIST SP 800-70, is the United States government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on configuring operating systems and applications for security.

NCP provides metadata and links to checklists in a variety of formats, including those that adhere to the Security Content Automation Protocol (SCAP). SCAP enables validated security products to perform configuration checks automatically using NCP checklists.

How Adaptive Shield Can Help Meet NIST CSF Requirements

The NIST CSF is an industry-standard for cybersecurity today, yet to implement it with typical manual practices and processes is an uphill battle. So why not automate?

Adaptive Shield is a SaaS Security Posture Management (SSPM) solution that can automate the compliance and configuration checks across the SaaS estate. Adaptive Shield enables security teams to easily see and fix configuration weaknesses quickly, ensuring compliance with company and industry standards, from NIST CSF, as well as other compliance mandates such as SOC 2 and the CSA Cloud Controls Matrix.

NIST Cybersecurity Framework: A Quick Guide for SaaS Security Compliance

Recent Post

Close Bitnami banner