The NIST Cybersecurity Framework (2 minute read)

Article author: Betty Fleming

The National Institute of Standards and Technology (NIST) created the NIST Cybersecurity Framework as a non-technical approach to cybersecurity. Following the framework will give you an overarching way to move your campaign or organization. Much of the advice that we provide in this Knowledge Base is based on this framework.

The framework has five components:

 

Identify: What are the most valuable technology and data assets you have to protect, and who is in need of protection? Prioritize your cybersecurity efforts by protecting the “crown jewels.” Identify technologies in use, including computers, phones, tablets, and other connected devices. Know where information and data assets—the intellectual property of your campaign or organization—such as internal polling data, donor lists, draft policy papers, voter data, media buying strategies, and communications (emails, texts) are being stored. Make sure your website is protected. Consider who needs to be protected by the campaign. Identify shared accounts (like email boxes and social media accounts). Reassess from time to time.

Learn more: Assessing Risk in a Campaign, Who needs to be protected, How to Secure Shared Accounts

Protect: The measures you take in order to strengthen defenses around your most critical assets and processes. This usually includes securing accounts—email, social media, and cloud accounts for documents—using the strongest multifactor authentication available, using encrypted communications for sharing sensitive documents or conducting confidential communications, protecting your website, and properly configuring platforms, such as Google Workspace or Office 365.

Learn More: Who Needs to be Protected?, The Importance of Protecting Personal Accounts

Detect: Becoming aware of, or being alerted to, something that is wrong. This could include automatic notifications you receive about things out of the ordinary, such as suspicious emails or unauthorized attempts to access an account. Unfortunately, it could also be an alert that data has been compromised, like a notice that you have ransomware. People are part of your detection frontline. They might be the first to see a phishing attempt or suspicious information request, like a request for the immediate processing of invoices. Clear policies on how and to whom potential cybersecurity incidents should be reported help ensure an early warning system.

Respond: Be ready with a plan, should an incident occur. Your goal is to reduce downtime, especially on critical systems, and return to normal as quickly as possible. Part of responding is being prepared with alternatives to using technology, such as accepting donations by phone and keeping a paper record. You will likely need legal assistance to ensure you comply with applicable laws and evaluate reporting incidents to law enforcement. Have a communications plan to proactively inform the public and the media.

Learn more: Incident Response 

Recover: Once back to normal operations, identify and implement any changes—new products or policies—that will reduce the likelihood of future incidents and improve response capabilities. This might include staff training, adding controls on who can access what data, or adding new layers of protection, such as a password manager or security keys.
