The US federal government has been very active over the past year, particularly with the Executive Order on Cybersecurity (EO) and the associated tasks and objectives that flowed from it. The NIST Cybersecurity Framework (CSF) is a framework and industry source that is gaining increasing attention.
The CSF grew out of another EO, 13636, which dates from 2013 and directed NIST to work with stakeholders to develop a voluntary framework to reduce risk to critical infrastructure. It was produced through coordinated efforts with industry and government, both of which have widely adopted the framework.
Here’s how the CSF is composed, how certain aspects of it can help achieve some of OT’s recent cybersecurity goals, and how any organization can use it to better map risks and threats.
What are the components of the cybersecurity framework?
At its foundation, the CSF has three components:
- Heart is essentially a set of desired cybersecurity activities and outcomes.
- Implementation levels are used by adopting organizations to provide context as to how organizations view cybersecurity risk management.
- Frame profiles help provide personalized alignment with organizational requirements and objectives when it comes to achieving results and reducing organizational and even industry-wide risk.
Within these three components are additional areas, such as categories and subcategories within functions, that relate to the outcomes of a cybersecurity program. NIST has already produced several sample framework profiles, such as for manufacturing, elections, and smart grid.
One of the most recognizable aspects of the CSF is the functions into which it breaks down activities: identify, protect, detect, respond, and recover. The reason these functions are so widely recognized is that they are both practical and logical. They align with the cybersecurity and risk management activities and lifecycle within an organization’s security program. These functions are equally applicable to organizations across many industries and verticals, making CSF dynamic and adaptable.
Because the CSF builds on existing standards, guidelines, and practices, it contains activities common to other leading guidelines such as CIS Critical Controls. This is evident through activities such as “identifying critical business processes and assets”. To better leverage existing standards, guidelines, and practices, CSF also has what are known as “informative references” that line up under each function and point to existing framework security controls and references.
How the Cybersecurity Framework Helps Enable EO Compliance
CSF is not explicitly referenced in the recent Cybersecurity EO, but NIST is extensively referenced. As the CSF is its flagship risk management framework, it will relate to many of the activities and tasks that NIST conducts within the OE framework. All cybersecurity tasks and activities defined in the EO can be mapped into the functional categories of the CSF, as shown above.
To promote adoption of the CSF, NIST has published guidance, including NISTIR 8170 Approaches for Federal Agencies to Use the Cybersecurity Framework and NISTIR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM). Coupling these guidelines with the tasks associated with EO will allow federal agencies to address their existing risks and security gaps.
A major aspect of OE has been the push for agencies to adopt zero trust (mentioned 11 times). This is where agencies as well as industry organizations can begin to see real synergies between FSC and OT goals. For example, with respect to zero trust, the NIST National Cybersecurity Center of Excellence (NCCoE) has provided guidance that maps zero trust components applicable to CSF functions, categories, and subcategories. These are basic zero-trust components, such as policy engines, administrators, enforcement points, and more common security components such as SIEMs.
Federal agencies and industry organizations can leverage the CSF, as in the example above, to map security program objectives into the five CSF functions, categories, and subcategories. This includes mapping tools and aspects of the technology stack to CSF criteria. One of the main advantages of the CSF is its ability to guide decisions, regardless of where an individual is located within the organization. This applies from senior management to activities/processes and to implementation and operations.
Align cybersecurity framework objectives with threats
Organizations, government, and industry can take additional steps to align CSF goals with actual threats. A great way to do this is to take advantage of MITER’s ATT&CK assessments, which emulate adversarial tactics and techniques against leading cybersecurity products. The information is then made available to industry end users to see how the products perform and how well they align with the organization’s security goals. Another excellent MITER resource comes from MITER ATT&CK and NIST 800-53 mapping from the Center for Threat-Informed Defense. Using these mappings, organizations could potentially cross-reference Center mapping with CSF informational references, which are tied to specific functions and categories.
When it comes to actual threats, self-assessment and measurement through SCC can also be used to improve decision-making about investment priorities. A limited set of resources and funding is a reality for all security managers, regardless of industry. Identifying gaps in the security program and driving investments in the areas that pose the greatest risks can provide significant benefits. That’s why it’s important for security leaders to ensure that the implementation of security controls and activities is linked to organizational results and business objectives. This ensures alignment with business leadership, builds buy-in for security initiatives, and enables the business to operate safely.
NIST CSF is a flexible framework for managing organizational risk and security program maturity. Its use cases include managing cyber requirements, reporting cybersecurity risks, and integrating and aligning cyber and acquisition processes. All of these use cases are applicable when it comes to meeting the multitude of tasks and objectives that emerged from the Cybersecurity EO 2021.
Learn about the CSF
NIST’s CSF can be a valuable tool for organizations improving the maturity of their security program and seeking to reduce organizational risk and cover critical security functions. There are many resources for getting started with CSF, including from NIST itself. They provide e-learning, presentations, and detailed documentation of the framework. There is even a book dedicated to the NIST CSF. As organizations continue to improve their security program, a dynamic and comprehensive framework aligned with existing standards is extremely valuable, and that’s what the NIST CSF plays.