Compliance entails adhering to the NIST recommendations and making sure that the organization continues to do so moving forward. This frequently requires making modifications as the organization's vulnerabilities change and the wider cybersecurity environment evolves.

Maintaining compliance contributes to the protection of both the data and the individuals whose lives the data reflects and impacts. If a hacker gains access to a government data repository, more people than just those working for the agency would be affected. For example, average Americans' data may be disclosed, or secrets that affect national security may be made public.

The NIST Cybersecurity Framework outlines the ways data needs to be protected in order to create a more secure organization. To make sure assets are adequately protected from malicious actors and malicious code, the framework applies the same repeatable procedure each time it is used.

It is composed of five steps:

  1. Identify: In this step, the data and systems that need to be protected are identified. This often involves those that fall under the jurisdiction of specific legislation designed to protect consumers, patients, or sensitive information.
  2. Protect: In the protection phase, the team puts security measures into place to safeguard the data. These will often involve specific tools, hardware, and software designed to address common security concerns. However, it may also involve getting stakeholders and employees on board so everyone can work together to guard sensitive data and systems.
  3. Detect: In the detection step, tools and policies are designed to discover an incident when it happens. This requires enhanced visibility into the various systems, networks, and devices used by the organization. It may also include applications that manage data or interface with it in the course of regular business.
  4. Respond: The response phase requires a company to devise a plan for responding to a threat. The plan will include the different methods used to mitigate the threat, as well as which tools will be used. An organization’s response mechanism may include intentional redundancies designed to approach a threat from multiple angles, such as redundant firewalls or antivirus software.
  5. Recover: In the event an attack penetrates the network, the process outlined by NIST also includes ways of helping an organization recover as quickly as possible. This may include recovering data from backups, regaining control of workstations, or spinning up parallel devices. Recovery may also include resiliency measures and tools that ensure the company has as little downtime as possible.