The National Institute of Standards and Technology (NIST) is a US-based, non-regulatory agency that has been around since 1901 and whose mission is to promote innovation and industrial competitiveness. Previously known as “National Bureau of Standards” until it became NIST in 1988, one of its key programs is Information Technology. The Cybersecurity Framework version 1.0 was originally published in 2014 with the current version, 1.1, publicly available since April 2018.
Many organisations beyond the US, such as here in Australia, are adopting the framework as a “best practice” towards their own Information Assurance strategies. While originally intended for those responsible for maintaining critical infrastructure, It’s presently receiving broader adoption by a broad range of businesses and organizations as they shift towards being proactive about risk management rather than constantly reactive. It’s always easier to keep a fire from starting than to have to put one out!
In brief, the NIST Cybersecurity Framework is instrumental in helping organisations with five key functions: Identification, Protection, Detection, Response, and Recovery. It’s easy to get bogged down in any of these, so I’ll endeavour to keep this at a fairly high level. One of the main things I find organisations struggling with is the term “compliance” and in version 1.1, NIST has sought to clarify this further where it may have been a bit confusing previously.
It’s important to remember that NIST themselves mentions “This voluntary framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.” The key word here is “voluntary”.
NIST Cybersecurity Framework?
What Is It?
The framework itself consists of three parts: Core, Profile, and Tiers. The “Core” consists of activities, outcomes, and references about elements of and approaches to cybersecurity. The “Profile” consists of outcomes that a business or organisation has selected from the five function categories and subcategories, and these are based on needs and risk assessments. The “Tiers” are used to clarify how cybersecurity risk is perceived and how elaborate the management of these risks is required.
I know it gets confusing trying to make sense of the core, profile, and tiers as well as functions, categories, and subcategories, but believe me, it’s worthwhile. Like prospecting for gold, you won’t have a “eureka!” moment until you dig long and hard enough. Hopefully this blog is the shovel you need to get started!
Earlier, I mentioned there are five functions. Each of these “functions” is broken down into categories and subcategories that address the elements of each function. Identification consists of 6 and 29 categories and subcategories respectively. Protection has 6 and 39. Detect has 3 and 18. Respond has 5 and 16, and finally Recover has 3 and 6.
Categories include items such as “Asset Management”, “Identity Management”, “Access Control”, and “Detection Processes”. Subcategories include outcomes of actions (technical or management) such as “systems are catalogued”, “Data at rest is adequately protected”, and “Alerts from perimeter defence systems are investigated”.
NIST’s Excel document will use an abbreviated format to identify the function (F), category (C), and subcategory (S) in the format “F.C-S”. For example, “ID.RA-4” is for “Identify – Risk Assessment – Potential business impacts and likelihoods are identified” followed by several informative references.
Yes, I know. It seems like a lot, especially when each of these 23 categories and 108 subcategories also has associated references from the International Organisation for Standardisation (ISO), Control Objectives for Information and Related Technologies (COBIT), the Centre for Internet Security (CIS) Critical Security Controls (CSC), and more. This is where you really want to get the right people involved.
Where Do I Start?
That question alone can be daunting, especially when faced with hundreds of references from the categories and subcategories, but the main thing to do before running off and implementing any controls or making any changes is to understand your current state. Therefore, I highly recommend a Vulnerability Assessment or a Risk Assessment to establish your present security posture. It’s equally important that the assessment is current, so if you haven’t done one recently, its worthwhile to engage an Information Assurance Specialist to assist.
You may start by using the framework to develop a “Current Profile” to define your current cybersecurity activities and the outcomes being achieved from them. This can be scary, but is necessary. From there, you define a “Target Profile” (or, quite often, adopt an industry-specific baseline profile as the target; there’s nothing wrong with borrowing the good ideas of others. Legally, of course) and define steps to get from here to there. Call it a roadmap, a plan, or a migration, but you need to know where you are before you know where you are going.
There are two handy reference documents readily available from NIST, available from their website in the section dedicated to the Cybersecurity Framework. Just head to the “Framework” page (top of the menu on the left) and grab the Version 1.1 PDF and Excel files. I like using the Excel file as a handy-dandy workbook for engagements and the PDF is a thorough reference document and a good read (at 55 pages long, it’s not “War and Peace”, so if you’re serious about NIST, this is a great starting point). Feel free to dig through the NIST website; it’s a goldmine of great information.
NIST Cybersecurity Framework
https://www.nist.gov/cyberframework
I certainly do not expect everyone to download these documents, read them a few times, and magically become experts; that’s absurdity on the level of a Monty Python skit. I’ll say it time and time again – reach out and get the right people involved.
How do I make It Work?
Now that you’re trying to process terms like core, profile, and tiers along with functions, categories, and subcategories, you probably look like me when I get home from IKEA with several boxes, parts everywhere, an Allen Key in one hand and a set of instructions in the other with a cartoon character on every page – but no words. Yes, introducing the NIST Cybersecurity Framework can leave you at a loss like assembling a PAX Wardrobe, so the first step is to find some patience. It also helps that using this framework can become a “common language” to avoid confusion and communicate with others.
Let’s begin by creating a “Current Profile” to understand your present cybersecurity posture. This can be achieved by undertaking assessment activities such as Vulnerability Assessments, Risk Assessments, Penetration Tests, External and Internal Audits, and any combination of there or more. The idea is to determine, with reasonable certainty, where you are right now. How you go about this is up to you, but you must identify a starting point. Otherwise, it’s like being stranded on a desert island and just blindly building a raft and setting out in an uncertain direction. Salvation might just be 10 Km in one direction but everywhere else hundreds or thousands of kilometres the other way. Use these assessments as your compass.
Next you can begin creating your “Target Profile” of your own design or duplicating an industry-specific. This is where I find having the spreadsheet handy is beneficial and I’ll add a few columns to identify “Must-Haves”, “Should-Haves”, “Could-Haves”, and “Won’t Haves” (i.e. The MoSCoW Method” and work my way through each Function, Category, and Subcategory. These can change on further review, and it takes a few cuts to get it right, so therefore I emphasis patience. I’ll even add a few more columns to identify integrators, vendors, products, and methods so I can begin having some conversations about the “who, what, when, where, why, and how” of making this a reality.
It’s also worth noting that the “Won’t Haves” are not permanently out of scope; they’re just a very low priority and yield little benefit in the present sense. “Could Haves” are often nice to have but are usually the first things dropped when timelines start slipping. On occasion, a “Should Have” gets elevated or a “Must Have” gets demoted, but it’s crucial to sort out which is which up front to avoid burning budget and wasting time.
You’ve probably noticed that many standards, frameworks, and strategies employ a round visual model and the NIST Cybersecurity Framework is no different. I’ve often wondered if it’s because information assurance is a never-ending endeavour or if it’s just a vicious cycle; that’s up to you. What else is up to you is where you begin on that circle but personally, I always like to start with “Identify” because rare is the organisation that has a full understanding of their present posture and exactly what they need to protect.
Working your way through the five functions and each category and subcategory, you will develop your profile and how to tackle each item. I should also point out that each function deserves equal attention. While the “Identify” and “Protect” functions (i.e. the “Before”) often get all the attention and drive projects ranging from new firewalls to endpoint protection solutions, we cannot discount “Detect” and “Respond” (i.e. the “During”). This is where the rubber meets the road and all the time and money invested earns its keep. Critically, never overlook the function “Recover” (i.e. the “After”) to help you get back on your feet when it all goes pear-shaped. Always think “when”, not “if”. Save your gambling for the Melbourne Cup.
Now that you have your spiffy new workbook aligned with the MoSCoW method, it’s time to start plugging in solutions and controls, and these can be physical, technical, logical, and administrative controls that are either technically-driven or business-driven. Underpinning this should be your previously-undertaken assessment and the risks, impacts, and recommendations contained within it. Word to the wise: Don’t try to tackle it all at once because it’s a big body of work and should start with your “Must Haves”, and even those may need to be broken up into phases based on budget, resources, and priority. What is important to one is not always top priority for another.
For example, during the “Detect” function, which has 3 categories and 18 subcategories, you may see that the category “Security Continuous Monitoring” (DE.CM) has 8 subcategories, and you consider “DE.CM-8: Vulnerability scans are performed” is a “Must Have” just like “DE.CM-1: The network is monitored to detect potential cybersecurity events” but due to budget, you’ll undertake DE.CM-8 right away and move DE.CM-1 to next year because the systems needed are costly.
Please. Take your time and get the right people involved to help you plan and execute.
Pitfalls?
Two major pitfalls when trying to implement the framework are time and money. Trying to blindly implement everything in the framework is nearly impossible for most organisations, and the bit that this is a “voluntary” framework easily gets lost chasing an idea of 100% compliance down the rabbit hole. In fact, so much time can be spent just trying to figure out what the heck to implement. Therefore, you need to assess your current state and use the MoSCoW method in determining your target state.
We also must realise that because this can be a costly and time-consuming endeavour that the cybersecurity threat landscape is constantly shifting, and technology is evolving, so priorities can change during implementation of the NIST Cybersecurity Framework. Solutions may become more affordable, resources and budget will likely change, and it needs to be a living project, not just a one-off box-checking exercise. For what it’s worth, this type of a project, like most, is not simply an “IT” Responsibility, but rather a “whole of business” responsibility.
Ghosts in The Machine?
Implementing the NIST Cybersecurity Framework is a big undertaking, without question, but if approached with patience, assistance from the right people, and underpinned by good information derived from a current profile (via assessment and audit activities), there should be few ghosts. One that has appeared for me is getting lost in all the informative references. While there are 5 functions, 23 categories, and 108 subcategories, each of these subcategories has two or more references with many of them having 4 or 5 each.
Rather than trying to fully understand each of these informative references, I recommend only spending time on the ones based on your MoSCoW method and that can dramatically reduce the number of forks in the road down to a manageable number. In the beginning, I take time to create bookmarks and download & sort anything that is relevant to the task at hand. In some cases, these references are strategies, frameworks, and standards themselves such as CIS CSC and ISO/IEC 27001.
Anything Missing?
If there are few other items I can throw your way, it’s to be sure about your obligations under The Privacy Act and the General Data Protection Regulation which may drive some of your decisions using the MoSCoW method. I’d also recommend subscribing, where available, to the various frameworks, standards, and strategy sources to ensure you have the latest information on hand and access to changes that may impact the information you’re using.
Above all else, breathe and be patient. Look after yourself and realise this is a journey and not a destination. Don’t be afraid to ask for help, ask questions, and get the right people involved.
There is also a recent and informative blog available on the NIST website for further reading.
Identify, Protect, Detect, Respond and Recover: The NIST Cybersecurity Framework
Stay safe out there!
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock