You might be hearing the buzz of the NIST Cybersecurity Framework (CSF). What started as a popular framework to help track and secure critical infrastructure in 2014 is now becoming widely adopted by all types of organizations.
There are plenty of predictive statistics to suggest that adoption will rise to a high enough percentage to warrant mandatory adoption in order to do business with key vendors and government entities.
Table of Contents
Why It’s So Successful
It’s based on other best practices such as COBIT, ISO, and other NIST publications.
It helps measure the maturity of systems against the framework’s 98 sub-categories of controls. The maturity is rated on a scale from 1 to 4. Not to worry, there is guidance on prioritization.
Here’s a video on why managers think it has been so successful.
Cybersecurity Framework Makeup
It’s understandable why you’re interested in becoming compliant in this program. But before you do so you should learn what the framework is and how it’s used.
Let’s briefly start at the beginning. Check out the original document – Framework for Improving Critical Infrastructure Cybersecurity (History page). It’s actually quite short.
After the intro, we’ll also talk about the recent 1.1 version.
The framework core focuses on five functions of cybersecurity management. That is to:
- Identify (ID)
- Protect (PR)
- Detect (DE)
- Respond (RS)
- Recover (RC)
Under each function houses categories and subcategories.
Each subcategory is paired with a list of standards (the best practices mentioned earlier) to follow. Pretty simple but it’s worth mentioning that organizations will need to make their own choices on measurements.
Framework Implementation Tiers
The tiers range from 1 – Partial to 4 – Adaptive.
There are suggestions for organizations to grade their cybersecurity competence in 3 areas. Again, these suggestions do not actually measure the subcategories according to NIST.
Those 3 areas are:
- Risk Management Process
- Integrated Risk Management Program
- External Participation
Your profile should be based on resources, requirements, and risk tolerance to be able to meet the requirements with your resources.
From here you essentially create your own guide in order to begin or grade your existing cybersecurity program. Grading can help identify a snapshot in your progress.
Grading? Can the Framework Be Used as a Cybersecurity Report Card?
In a way, yes. The good news is this framework:
- Is concise, efficient and adaptable.
- Approaches from a top down view instead of focusing on a list of technical controls.
- Uses the tiers system to measure improvements in a straight forward manner.
But if you break it down, the framework can be viewed at as a glorified checklist. Therefore the framework can provide illusory benefits if the implementation team:
- Assumes by complying with the checklist, the overall risk is lower. This is not necessary true simply because the framework doesn’t help measure risk.
- Attempts to use the checklist in a business case to show return on investment. This checklist doesn’t measure ROI.
- Thinks measurable guidance is available to accurately guide which tier the organization should be in.
Shout out to FAIR model author Jack Jones in his series of blog posts that outline a pretty clear picture of what the CSF is capable of. His work influenced this pros and cons section.
Mr. Jones mentions the framework is comprehensive, which is awesome. Unfortunately, he mentions it can be tough to navigate. He goes on further with: “the odds of an organization accurately measuring and appropriately prioritizing its control improvements are extremely low.”
As someone who helped an organization do an SAQ for PCI compliance, I give this observation 2 thumbs up.
Version 1.1 of the Cybersecurity Framework
If more businesses are using the CSF does that mean it’s a business tool? Yes, it’s a cost-effective, voluntary framework that focuses on security first.
So with constant business and overall security analysis, we’re due for an update. Nearly 9 months ago, Version 1.1 came out.
Version 1.1 refines, clarifies, and enhances Version 1.0 according to Matt Barrett, program manager for the Cybersecurity Framework.
If you have the time, check out this overview video (it’s 1 hour).
Great, So Now What? How Do I Get Started?
Here’s a great article on Dark Reading that lays out how to Turn the NIST Cybersecurity Framework into Reality: 5 Steps. Pretty useful for turning lifeless documents into action.
Otherwise, what you will look into is to be able to map the CSF to other frameworks. In the next few headings, I’ll provide links to some resources that can help explain the other requirements and frameworks.
Comparing NIST CSF to Other Frameworks
NIST Cybersecurity Framework – Everything You Need to Know | Kaseya
CSF vs RMF
A Tale of Two Frameworks: The NIST CSF and NIST RMF Are Not the Same – Telos
HIPAA Security Rule vs CSF
CSF vs NERC CIP
NERC vs. NIST: Choosing the Right Infrastructure Cybersecurity Framework | RSI Security
CSF, ISO, CIS or COBIT
NIST, ISO, CIS or COBIT? Comparing Comprehensive Cybersecurity Frameworks
CSF, 800-53, 800-171
Complete Guide to NIST: Cybersecurity Framework, 800-53, 800-171 | Reciprocity
CSF vs SOC
NIST vs SOC 2: What’s the Difference? | Reciprocity
Cybersecurity Maturity Model Certification (CMMC)
NIST 800-171 vs CMMC | CMMC Certification | CMMC Policy | CMMC Compliance | CMMC Standards
Why Do We Need CMMC?
The Cybersecurity Maturity Model (CMMC): Part 1 – Why Do We Need Another Framework?
CMMC vs. NIST 800-171
CMMC vs DFARS 800-171
CMMC 1.0 vs. NIST 800-171 – Eight Essential Differences
DFARS Info 800-171
DFARS Compliance: The Definitive Guide for DoD Contractors
NIST SP Publications
SP 800-171 Rev. 2NIST Special Publication (SP) 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
SP 800-171 Rev. 1https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
800-171 or CMMC Costs Considered Reimbursable?
Are NIST 800-171 or CMMC Cybersecurity Costs Considered Reimbursable by the DoD? – CyberSheath
How Do I Know if I Need to Be Compliant?
How Do I Know If I Need to Be DFARS Compliant?
NIST 800-171 (DFARS) And NIST 800-53 (FISMA)
The Differences Between NIST 800-171 (DFARS) & NIST 800-53 (FISMA)
One More Thing, the Risk Management Framework
The CSF should not be confused with the RMF even though they appear similar. The steps may be similar in tone but the process is slightly different. Not to mention the CSF doesn’t directly measure risk.
The RMF essentially groups and quantifies. If you use both frameworks, you’ll have a pretty comprehensive security program.
Here’s a brief overview:
- Step 0: Prepare – carry out essential activities and prepare to manage risks using the framework.
- Step 1: Categorize – categorize the system and perform impact analysis on information.
- Step 2: Select – select baseline security controls based on categories and assessment of risk.
- Step 3: Implement – implement security controls and document how they are deployed in the environment.
- Step 4: Assess – assess security controls to determine whether they are implemented correctly.
- Step 5: Authorize – authorize systems based upon acceptable risk.
- Step 6: Monitor – monitor security controls on an ongoing basis to determine effectiveness. Document changes, perform security impact analyses, and report security state of system to organizational officials.
You can view the 2009 Risk Management Framework presentation slides with associated security standards and guidance documents.
Again, this is just a general overview. You can get more context by reading up on their Risk Management Framework (RMF) Overview at NIST CSRC.
So what do you think? Have you bought into the CSF or have plans to review it this year?
What has you stuck? Any additional points you would like to see written about? Sound off in the comments below.