Automating NIST Cybersecurity Framework Control Info

Written by
lessons learned from the Equifax breach

Automating the National Institute of Standards and Technology (NIST) Cybersecurity Framework control documentation and processes is one way to help build a strong cybersecurity foundation. The NIST Cybersecurity Framework (NIST CSF), researched because of an executive order, was originally intended to help with improving critical infrastructure, such as power plants, by developing sound practices. However, it can also be used as a strong base for other the private sector to manage cybersecurity risk management. Think of the NIST CSF as “NIST Lite.” It has all the flavor of the NIST with none of the calories, or, well, none of the highly prescriptive measures of critical infrastructure cybersecurity.

What are The Five Core Functions of the NIST Cybersecurity Framework?

Identify

This means understanding the business context, resources, and risks. These are used to triage the different compliance efforts and create a risk management strategy. In the identify function, you should include outcomes related to asset management, business environment, governance, risk assessment, and risk management strategy.

Protect

Protect means creating and implementing safeguards to limit or contain the impact of a cybersecurity event. Protection includes the following fundamentals: access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.

Detect

The Detect function involves developing and implementing ways to identify whether a cybersecurity event has occurred.

Respond

Respond means being able to develop and implement a plan in the event of a cybersecurity event.

Recover

This function means that you have a line of communication and activities in place to restore any systems impacted in a cybersecurity event. These allow your organization to get back to regular operations and includes recovery planning, improvement, and communications.

What are The 5 Steps to the NIST Cybersecurity Framework?

Step 1: Prioritize and Scope

Any compliance decision starts with the appropriate scoping activities. You should determine where your business goals overlap with your cybersecurity structure. It is possible that different business lines or processes have different needs and risk tolerances.

Step 2: Orient

Once you’ve determined what areas to focus on, you need to identify the related systems and assets, the regulatory requirements, and the overall risk approach. This allows you to more easily identify the threats and vulnerabilities inherent in those assets more easily.

Step 3: Create a Current Profile

At this point, you need to create a profile that looks at the Category and Subcategories in your Framework Core.

Step 4: Conduct a Risk Assessment

A NIST risk assessment is no different in concept than any other. Once you look at your overall risk and other risk assessments, you determine out the likelihood and impact of any potential cyber event. Also, look at new risks, threats, and vulnerabilities within the current environment.

Step 5: Create a Target Profile

At this point, you gather all the information and determine your own unique desired outcomes. If there are additional subcategories that drive your business, include them here. In addition, look at whether your business has any unique influences or external stakeholders, from vendors to customers. For example, if you’re working with a cloud service provider, you want to incorporate that here.

Step 6: Determine, Analyze, and Prioritize Gaps

Once you’ve determined your risk and your profile, you’re on the way to figuring out where you have gaps. If you have security gaps, conduct a cost-benefit analysis of addressing them and determine the risk they pose to achieving your desired outcomes. For example, if you have a low-risk gap that doesn’t hinder your overall desired outcomes, that gap should be low priority among your targeted improvements. If you realize that you need to install a firewall to protect payment processing assets, that should be at the top of your priority list.

Step 7: Implement Action Plan

Address any identified gaps here. Once they have been addressed, you continue to monitor and ensure that you are meeting the desired outcomes in your Target Profile.

Why Would I Care About NIST Cybersecurity Controls?

NIST CSF offers a risk management framework within the context of multiple standards. In itself, it is neither a standard nor a regulation. Rather, it allows you to determine, test, and implement risk reducing controls. Since the informative references come from a variety of standards—most notably ISO 27001: 2013 and NIST 800-53—you can incorporate controls that best help you define and govern your own institutional risk. Moreover, the NIST Implementation Tiers offer a guideline as to how well you’re managing the risk. 

Looking at NIST CSF, you can see that the informative references encompass a wide variety of standards. These include various portions of the CCS CSC, COBIT 5, ISA 62443-2-1:2009, ISA 62443-3-3:2013, ISO/IEC 27001:2013, and NIST SP 800-53 Rev. 4.

Since this is a NIST framework, NIST 800-53 is one of the fundamental information sources. That makes sense. When seeking guidance on how to implement the CSF, 800-53 provides answers. The Informative References section of the CSF can direct you to the specific location in the standard.

How Can Automating NIST Cybersecurity Framework Control Documentation Help Your Business?

One of the reasons that you’re implementing NIST CSF and not NIST 800-53 is because your business needs and risk don’t rise to that level of detail. This means that while the NIST 800-53 is an informative reference for all but two of the NIST CSF subcategories, you may already be instituting many of the subcategory measures.

Automating NIST Cybersecurity Framework control documentation helps you find overlaps more quickly. If you are using various standards to help mitigate security risks then you will need to be able to find the appropriate documentation.

ISO 27001: 2013 is a reference point for nearly all of the NIST CSF. This means that if you are using ISO 27001 as your compliance foundation, you are most of the way to fitting into the NIST CSF as well. It’s important to note that there are several subcategories to which ISO 27001 is not responsive. This is another reason that automating NIST Cybersecurity Framework control documentation can help your organization. GRC automation offers transparency into your program controls so that you can see where ISO 27001 responds to the NIST CSF.

Of the 98 subcategories, ISO 27001 helps respond to all but 25. Of those remaining 25, a combination of NIST SP 800-53 controls and a few other standards help respond to the following 21:

ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated

ID.GV-4: Governance and risk management processes address cybersecurity risks

D.RA-3: Threats, both internal and external, are identified and documented

D.RA-4: Potential business impacts and likelihoods are identified

ID.RA-6: Risk responses are identified and prioritized

ID.RM-1: Risk management processes are established, managed, and agreed to by

organizational stakeholders

ID.RM-2: Organizational risk tolerance is determined and clearly expressed

PR.IP-7: Protection processes are continuously improved

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed

DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors

DE.AE-4: Impact of events is determined

DE.AE-5: Incident alert thresholds are established

DE.CM-1: The network is monitored to detect potential cybersecurity events

DE.CM-2: The physical environment is monitored to detect potential cybersecurity

events

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed

RS.CO-4: Coordination with stakeholders occurs consistently with response plans

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

RS.IM-2: Response strategies are updated

RC.IM-1: Recovery plans incorporate lessons learned

RC.IM-2: Recovery strategies are updated

There are two subcategories that can be responded to only by following NIST 800-53:

ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams

Finally, there are two subcategories that even NIST 800-53 does not cover. These require COBIT 5:

RC.CO-1: Public relations are managed

RC.CO-2: Reputation after an event is repaired

These 25 subcategories are the reason that automating  NIST Cybersecurity Framework control documentation and the continuous monitoring to be compliant creates a more efficient and effective program.

The purpose of the NIST CSF is to avoid having to be as detailed as the NIST 800-53 standard would require. This means that although  NIST 800-53 covers 97 of these subcategories, using only NIST would be a burden that would make you align with NIST 800-53 only. Remember that NIST 800-53 alone does not respond to the NIST CSF since you would need to review COBIT 5 for managing public relations and repairing reputation. Therefore, you will be looking to your current stance to determine how to fill in gaps. Moreover, NIST 800-53 alone does not respond to the NIST CSF since you would need to review COBIT 5 for managing public relations and repairing reputation.

Ultimately, NIST CSF control development can be accomplished in a variety of ways, but you need to have a smooth integration of information. This means being able to see where your chosen ISO 27001 controls overlap with your chosen COBIT 5 controls and how those engage with your ISA 62443-2-1:2009 controls. Tracking this on a spreadsheet may work as you begin your program, but the puzzle pieces of NIST CSF control documentation cannot be maintained this way in the long term.

As your business evolves, you may want to change your systems. You may want to make changes to your controls. When you choose to make these changes, they will have a ripple effect across your entire compliance profile. At this point, spreadsheets become untenable.

This is why investing in automating NIST Cybersecurity Framework control documentation eases compliance pains. Easily changing a complex compliance program has a monetary value. Being able to easily provide audit documentation for a complex compliance program has value rooted in saved labor. These values seem invisible until you monetize your positive audit outcomes.

To learn more about how automated compliance solutions can ease your compliance, read our eBook “Compliance Management Best Practices: When Will Excel Crush You?