NIST Requirements for Backup and Recovery

What is NIST?

NIST is the National Institute of Standards and Technology, a government agency of the United States that operates under the Department of Commerce. The agency in question is over a hundred years old, although it was known as the National Bureau of Standards from 1901 to 1988.

Its main goal is to develop new technical standards and improve the existing ones in different fields – cybersecurity, measurement, or anything related to modern technology.

NIST Cybersecurity Framework

Cybersecurity is one of NIST’s most significant spheres of interest, with information being a person’s or business’s most valuable asset today. In this context, comprehensive data protection is only natural, and it is up to organizations such as NIST to try and create accessible and convenient guidelines on protecting information from multiple cyber attack types.

As such, the NIST Cybersecurity Framework (CSF) was created over a decade ago to provide comprehensive assistance to businesses that are looking into protecting their information using various methods and strategies. The correct CSF implementation is supposed to greatly enhance an organization’s overall cybersecurity.

The goal of this framework is to encourage a more thorough and detailed look at an organization’s security, making tasks such as risk assessment more common for companies and businesses. That way, these companies can be much more certain in their own security systems and infrastructures – or try to solve the issues that may have appeared in one such system over time.

It should also be mentioned that NIST CSF is not a certifiable standard or structure; NIST does not offer any kind of certification for passing or failing CSF in some way. What it does offer is a vast network of IT security programs that companies may submit to in order for their products to be tested – and validated by NIST using official documentation.

The original CSF concept uses five core elements to establish its comprehensive coverage of different fields and topics in cybersecurity. These five fields are referred to as Detect, Identify, Respond, Protect, and Recover.

Detect revolves mainly around threat detection and monitoring, covering functions such as intrusion detection, security event logging, and anomaly detection.

Identify includes functions that provide risk management and issue identification capabilities. It makes it easier to better understand an organization’s current data landscape while also providing features such as asset management and risk assessment.

Respond is a relatively self-explanatory field, covering a detailed list of events and tasks that should be performed if an organization is facing a security incident. It is all about generating an incident response plan, with various coordination and communication efforts included in the field.

Protect is the basis of most security efforts an organization must cover. It might include many activities ranging from data encryption and access control to general awareness training for the entire company’s employees.

Recover is everything an organization does to recover from the consequences of a cybersecurity incident. This field covers not only backup and recovery but also includes post-incident reviews and potential improvements to the existing system based on the aforementioned reviews.

None of these fields are mutually exclusive; all of them have to be used in tandem to create the most resilient security system that can withstand all kinds of threats and attacks.

NIST CSF 2.0 – 2024 Update

Cybersecurity is a very dynamic field that has been developing at a fast pace for several decades now. Accordingly, cybersecurity recommendations and guidelines have to be updated as well.

This is precisely what happened to NIST’s Cybersecurity Framework, with the 2.0 version being released in February 2024. It includes plenty of additions and revisions to the existing content while also adding plenty of new elements to the mix.

One of the most significant additions to the CSF is the inclusion of a brand-new field called Govern. It is used to expand upon the existing five fields, especially when it comes to “control”-oriented capabilities – measuring success, reviewing, planning, etc.

The Protect field was also reworked to a certain extent, introducing two new sub-fields – Data Security and Infrastructure Resilience. Both of these are used to not only reinforce the necessity of data protection as a whole, but also expand upon the more unconventional security methods, such as immutable backups and various resilience methods.

The Response field did not get a lot of new content, but the existing information was heavily restructured while also keeping the original message of using information gathered in different fields to generate efficient response measures for various situations.

Plenty of other changes and modifications were made to the previous version of CSF, but the information above highlights the most significant changes in the overall structure. The complete version of NIST CSF 2.0 can be found on the official website.

The challenges of backup tasks in the context of MSPs

It would be fair to mention that CSF is far from the only piece of information that the agency provides on the topic of data security and other similar topics. In this context, we would want to cover another element of NIST that mostly revolves around the topic of backup and recovery tasks specifically for Managed Service Providers, making it slightly more case-specific than CSF.

One of the most specific issues that the article from NCCoE provides is the issue of backup systems that are implemented but not tested or planned correctly, making them practically ineffective. A single data loss event causes brand issues, reputation loss, productivity loss, revenue loss, and more. Making sure that backup systems are both set up and tested properly is paramount in this context.

How to approach the NIST requirements for backup and recovery

File backups as the means of resuming operation after some form of cybersecurity event or data breach is reinforced in NIST Interagency Report 7621 Rev. 1, Small Business Information Security. The main goal of the research performed by the National Cybersecurity Center of Excellence is to help both the businesses and the MSPs that work with them to create proper backup workflows and operations.

NIST recommendations for backups

The article from NCCoE covers three main pillars of backup recommendations provided by NIST: Planning, Implementation, and Testing.

The planning pillar

Planning is the first pillar of the three; it is an overarching process that helps the company find a balance between operational needs and total running costs. Most of the recommendations in the “Planning” part of this article are based on the NIST Special Publication (SP) 800-53, Rev 4, including elements such as:

• Determining the correct restoration time
• Figuring out dependencies between systems and infrastructure elements
• Identifying what files should have priority when it comes to the backup process
• Developing extensive processes for different situations, including both response and recovery elements
• Not relying on a single backup copy of the system (and instead using the 3-2-1 backup strategy)
• Evaluate the overall sensitivity status of all data elements since some of them would have to have additional security measures per various compliance frameworks and regulations

The implementation pillar

Implementation is a slightly less sophisticated pillar that revolves around performing pre-planned actions within the borders of a company’s infrastructure. This particular pillar includes events such as:

• Evaluating potential off-site backup storage locations
• Integrating modern technologies into the backup and recovery system (the exact technologies recommended by NIST are going to be mentioned in detail below)
• Implementing a “Go Bag” system for sensitive data recovery purposes – a collection of critical data, such as security keys and passwords, stored and protected in a location separate from the system’s overall infrastructure
• Prepare a set of systems and infrastructure elements that can work while wholly separated from the original business infrastructure to be used in emergencies only

The testing pillar

Testing is the last but not least pillar of the NIST recommendations (it can be called Testing and Monitoring interchangeably since it includes elements from both processes). It is self-explanatory in its main purpose—to test and monitor technologies, systems, and workflows to ensure that they are working and would help in case of a disaster or cyber attack. This pillar can be separated in two groups:

• Testing
  • Perform automated testing
  • Verify backup integrity
  • Evaluate the performance of recovery processes
  • Extract data from the aforementioned tests for future adjustments
• Monitoring
  • Monitor automated testing processes
  • Make sure that backups are generated properly
  • Ensure that backups can be used to restore data to its original form

Useful technologies for backup tasks

To perform all of the aforementioned actions and processes, there are plenty of different capabilities and technologies that NIST recommends using in the backup and recovery framework:

• Backup system automation is necessary to perform backup tasks in comprehensive environments that consist of different storage types – disk, tape, NAS, VM, cloud storage, and so on.
• Cloud-based backup storage operates as a great alternative to on-site local storage for backups due to its capability to stay separated from other storage options; it can also offer different backup types, implementation methods, etc.
• Different local storage technologies can also offer unique advantages depending on the storage type – including everything from local hard drives and removable media to cloud storage, WORM storage, and other unconventional storage types
• Data encryption often serves as one of the most significant security measures for data mid-transit and at rest, offering another layer of protection against unlawful actions aside from backup processes themselves.
• Backups for cloud-based storage are just as necessary for their on-site counterparts, ensuring that the data itself is still available if the cloud storage goes offline for some reason; it may not be necessary in certain situations and use cases

The following NIST publications cover these technologies and their implementation processes:

• NIST SP 1800-26, Detecting and Responding to Ransomware and Other Destructive Events
• NIST SP 1800-25, Identifying and Protecting Assets Against Ransomware and Other Destructive Events
• NIST SP 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events

NIST and its role in a modern cybersecurity environment

The number of data breaches and cybersecurity incidents keeps growing with each passing year, and the technologies themselves are improving at an extremely fast pace. In this context, anything that explains different elements of an effective cybersecurity protection system is a welcome addition to the overall effort of the industry to stay ahead of the cybercriminal environment. Practically any company that needs to improve its existing cybersecurity measures can take advantage of NIST recommendations to improve either specific elements of it or an entire  infrastructure across the board.

Conclusion

In today’s world of increased risk from cyber.attack, Cybersecurity features highly in the awareness of technology leaders from all kinds of organizations. NIST is a large institution that covers many application areas, with its cybersecurity framework being one of its most important elements. NIST offers several different standards and recommendations regarding cybersecurity as a whole. Some of these recommendations are used in a general sense, while others are slightly more case-specific, such as the article above from NCCoE about MSP backups and their testing.

While NIST recommendations are only mandatory for a particular range of companies and businesses (including any U.S. federal government agencies and practically any company that is going to do business with the U.S. government as a whole), they can still be used as general considerations for general cybersecurity and backup configuration. Many of these recommendations are highly detailed in their nature, making it easier for many different companies to implement them and improve their cybersecurity situation.

Bacula Enterprise and NIST compatibility

There are some backup and recovery solutions that are already created and managed with all of the NIST requirements in mind. However some solutions go further than others and, for security-conscious organizations, Bacula Enterprise is probably the strongest example of this, offering a comprehensive backup and recovery platform with especially high security levels that meets and excels all of the auditing requirements from NIST.

Bacula can offer a multitude of features and capabilities that make it far better at ensuring an organization’s compliance than most of its competitors, including:

• Backup encryption no matter where they are stored.
• Regular data integrity checks.
• Detailed reporting capabilities.
• Vast logging capabilities.
• Support for automated and centralized data protection policies.
• Advanced data immutability features.
• Flexibility in terms of data partition.
• Plenty of integration capabilities with external monitoring solutions.
• Support for many different storage types.
• Wide range of immutability types and compatibility.
• Extremely high infrastructure resilience compared to other backup and recovery vendors.
• Broad and granular reporting capabilities

Not only can Bacula Enterprise readily cover all six NIST pillars (Protect, Identify, Detect, Respond, Recover, and Govern), it is also FIPS 140-2 compliant and supports many other regulatory frameworks, including GDPR, CCPA, FISMA, and more. More information about Bacula Enterprise’s compliance capabilities can be found here.

FAQ

How is NIST connected with the cybersecurity industry?

Cybersecurity is one of the most essential pillars of NIST, it serves as a developer and distributor of security frameworks in order to help companies with fighting all kinds of cyber threats.

How can NIST help businesses with cybersecurity issues?

Not only does NIST offer an entire Cybersecurity Framework as the basis for its security recommendations, but there are also plenty of other, more specific recommendations and documents, such as the article from NCCoE about backup testing for MSPs that we mentioned earlier.

What are NIST’s recommendations when it comes to data backups?

NIST provides many different options for improving the existing backup framework. Many of them are case-specific, but some of the more common recommendations include adhering to the 3-2-1 strategy, data encryption, backup immutability, and more.