You might be hearing the buzz of the NIST Cybersecurity Framework (CSF). What started as a popular framework to help track and secure critical infrastructure in 2014 is now becoming widely adopted by all types of organizations.
There are plenty of predictive statistics to suggest that adoption will rise to a high enough percentage to warrant mandatory adoption in order to do business with key vendors and government entities.
Why It's So Successful
It's based on other best practices such as COBIT, ISO, and other NIST publications.
It helps measure maturity of systems against the framework's 98 sub-categories of controls. The maturity is rated on a scale from 1 to 4. Not to worry, there is guidance on prioritization.
Here's a video on why managers think it has been so successful.
Cybersecurity Framework Makeup
It's understandable why you're interested in becoming compliant in this program. But before you do so you should learn what the framework is and how it's used.
Let's briefly start at the beginning. Check out the original document – Framework for Improving Critical Infrastructure Cybersecurity (History page). It's actually quite short.
After the intro, we'll also talk about the recent 1.1 version.
The framework core focuses on five functions of cybersecurity management. That is to:
- Identify (ID)
- Protect (PR)
- Detect (DE)
- Respond (RS)
- Recover (RC)
Under each function houses categories and subcategories.
Each subcategory is paired with a list of standards (the best practices mentioned earlier) to follow. Pretty simple but it's worth mentioning that organizations will need to make their own choices on measurements.
Framework Implementation Tiers
The tiers range from 1 – Partial to 4 – Adaptive.
There are suggestions for organizations to grade their cybersecurity competence in 3 areas. Again, these suggestions do not actually measure the subcategories according to NIST.
Those 3 areas are:
- Risk Management Process
- Integrated Risk Management Program
- External Participation
Your profile should be based on based on resources, requirements, and risk tolerance to be able to meet the requirements with your resources.
From here you essentially create your own guide in order to begin or grade your existing cybersecurity program. Grading can help identify a snapshot in your progress.
Grading? Can the Framework Be Used as a Cybersecurity Report Card?
In a way, yes. The good news is this framework:
- Is concise, efficient and adaptable.
- Approaches from a top down view instead of focusing on a list of technical controls.
- Uses the tiers system to measure improvements in a straight forward manner.
But if you break it down, the framework can be viewed at as a glorified checklist. Therefore the framework can provide illusory benefits if the implementation team:
- Assumes by complying with the checklist, the overall risk is lower. This is not necessary true simply because the framework doesn't help measure risk.
- Attempts to use the checklist in a business case to show return on investment. This checklist doesn't measure ROI.
- Thinks measurable guidance is available to accurately guide which tier the organization should be in.
Shout out to FAIR model author Jack Jones in his series of blog posts that outlines a pretty clear picture of what the CSF is capable of. His work influenced this pros and cons section.
Mr. Jones mentions the framework is comprehensive, which is awesome. Unfortunately, he mentions it can be tough to navigate. He goes on further with: “the odds of an organization accurately measuring and appropriately prioritizing its control improvements are extremely low.”
As someone who helped an organization do a SAQ for PCI compliance, I give this observation 2 thumbs up.
Version 1.1 of the Cybersecurity Framework
If more businesses are using the CSF does that mean it's a business tool? Yes, it's a cost effective, voluntary framework that focuses on security first.
So with constant business and overall security analysis, we're due for an update. Nearly 9 months ago, Version 1.1 came out.
Version 1.1 refines, clarifies and enhances Version 1.0 according to Matt Barrett, program manager for the Cybersecurity Framework.
If you have the time, check out this overview video (it's 1 hour).
Great, So Now What? How Do I Get Started?
I'll be publishing more content and examples in the future.
But for now, this great article on Dark Reading lays out how to Turn the NIST Cybersecurity Framework into Reality: 5 Steps. Pretty useful for turning lifeless documents into action.
One More Thing, the Risk Management Framework
The CSF should not be confused with the RMF even though they appear similar. The steps may be similar in tone but the process is slightly different. Not to mention the CSF doesn't directly measure risk.
The RMF essentially groups and quantifies. If you use both frameworks, you'll have a pretty comprehensive security program.
Here's a brief overview:
- Step 0: Prepare – carry out essential activities and prepare to manage risks using the framework.
- Step 1: Categorize – categorize the system and perform impact analysis on information.
- Step 2: Select – select baseline security controls based on categories and assessment of risk.
- Step 3: Implement – implement security controls and document how they are deployed in the environment.
- Step 4: Assess – assess security controls to determine whether they are implemented correctly.
- Step 5: Authorize – authorize systems based upon acceptable risk.
- Step 6: Monitor – monitor security controls on an ongoing basis to determine effectiveness. Document changes, perform security impact analyses, and report security state of system to organizational officials.
You can view the 2009 Risk Management Framework presentation slides with associated security standards and guidance documents.
Again, this is just a general overview. You can get more context by reading up on their Risk Management Framework (RMF) Overview at NIST CSRC.
So what do you think? Have you bought into the CSF or have plans to review it this year?
What has you stuck? Any additional points you would like to see written about? Sound off in the comments below.