NIST Cybersecurity Framework
President Barack Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure, in February 2013. This order directed NIST to work with stakeholders to create a voluntary framework that provides guidance based on existing standards, guidelines, and practices. A primary focus is to communicate risk and cybersecurity management functions among both internal and external stakeholders.
Program frameworks tell us how to put the pieces together into a cohesive whole. The framework consists of five functions:
- Identify: development of an organization’s understanding of cybersecurity risks related to systems, people, assets, and data.
- Protect: development of appropriate safeguards to ensure delivery of critical services.
- Detect: development and implementation of activities focused on the identification of cybersecurity events.
- Respond: development and implementation of incident response activities.
- Recover: development and implementation of appropriate activities focused on maintaining plans for resilience and restoring any capability or service impaired by a cybersecurity incident.
Each function maps well to specific business functions. They can assist us with assigning ownership, which will be vital to our success in the security realm. For example, if we must worry about identification, it will be necessary to decide who will perform the associated tasks:
- Who will perform the asset management functions?
- Who will own risk management?
- Who will be responsible for assessing supply chain risk management?
- Who will own the proactive and protective technologies (e.g., firewalls, antivirus, or IAM systems)?
The answers to questions like these are foundational elements that make our security policies come alive. Ownership and measurement are critical determinants of the effectiveness of our deployments. We can have the most fantastic security policies written, but there will be no chance of success without an associated mapping of responsibilities and individual achievement metrics.
The listed functions will have varying levels of applicability depending on the organizational environment. They can be used cross-functionally by teams ranging from cyber to risk. It will be essential for us to keep this in mind, because it is unlikely that legal, sales, or even human resources organizations will think about things like automated detection mechanisms.
Frameworks such as the one provided by NIST provide guidance but are not the answer to every problem. We will be in a much better position having all of our defenses deployed, but it will still not be possible to block every attack. Regardless of how closely we follow the provided guidance, attackers will eventually find a way into our networks. In the world of cyber, winning will require much more than scoring a single point. The attackers will score points. Our goal is to achieve a higher score than they do.
We have listed the five functions of the NIST Cybersecurity Framework. These are the first of the core framework elements:
- Functions: organize the framework at its highest level.
- Categories: subdivisions of Functions into groups of cybersecurity outcomes.
- Subcategories: divisions of Categories into specific results of technical and management activities.
- Informative References: specific sections of standards, practices, and guidelines common among critical infrastructure sectors, illustrating methods to achieve the outcomes associated with each Subcategory.
The Framework uses these core elements to show how an organization addresses its cybersecurity activities. For example, the Identify function covers asset management, much like the first two controls in the CIS framework, which focus on hardware and software assets.
Some cross-reference documents are available that cover each function, category, and subcategory. These provide mappings to other frameworks like the CIS Controls or NIST 800-53 controls. The reference documents offer a sort of connective tissue between the individual control frameworks and program frameworks.
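The hierarchy above (Function, Category, Subcategory, Informative References) and the ownership questions raised earlier can be checked mechanically. The following is an added example, not code from NIST or from the original text: it models a small, constructed excerpt of the core (identifiers follow the CSF v1.1 naming scheme, references are abbreviated, and the owning teams are invented), then flags Subcategories that nobody owns and answers cross-reference lookups in both directions.

```python
"""Model the CSF core (Function > Category > Subcategory > Informative References)
and check that every Subcategory has an accountable owner.

Constructed example. The core below is a small illustrative excerpt whose ids
follow the CSF v1.1 naming scheme; informative references are abbreviated and
the owner names are invented. Verify against the official core before use.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subcategory:
    id: str                      # e.g. "ID.AM-1"
    outcome: str                 # the specific result the Subcategory describes
    references: tuple[str, ...]  # Informative References (abbreviated here)


@dataclass(frozen=True)
class Category:
    id: str
    name: str
    subcategories: tuple[Subcategory, ...]


@dataclass(frozen=True)
class Function:
    id: str
    name: str
    categories: tuple[Category, ...]


# Constructed excerpt of the core: one Category and a few Subcategories per Function.
CORE = (
    Function("ID", "Identify", (
        Category("ID.AM", "Asset Management", (
            Subcategory("ID.AM-1", "Physical devices and systems are inventoried",
                        ("CIS CSC 1", "NIST SP 800-53 Rev. 4 CM-8")),
            Subcategory("ID.AM-2", "Software platforms and applications are inventoried",
                        ("CIS CSC 2", "NIST SP 800-53 Rev. 4 CM-8")),
        )),
    )),
    Function("PR", "Protect", (
        Category("PR.AC", "Identity Management and Access Control", (
            Subcategory("PR.AC-1", "Identities and credentials are managed",
                        ("NIST SP 800-53 Rev. 4 AC-2",)),
        )),
    )),
    Function("DE", "Detect", (
        Category("DE.CM", "Security Continuous Monitoring", (
            Subcategory("DE.CM-1", "The network is monitored to detect potential events",
                        ("NIST SP 800-53 Rev. 4 SI-4",)),
        )),
    )),
    Function("RS", "Respond", (
        Category("RS.RP", "Response Planning", (
            Subcategory("RS.RP-1", "Response plan is executed during or after an incident",
                        ("NIST SP 800-53 Rev. 4 IR-8",)),
        )),
    )),
    Function("RC", "Recover", (
        Category("RC.RP", "Recovery Planning", (
            Subcategory("RC.RP-1", "Recovery plan is executed during or after an incident",
                        ("NIST SP 800-53 Rev. 4 CP-10",)),
        )),
    )),
)

# Constructed ownership register: Subcategory id -> accountable team.
# RC.RP-1 is deliberately left unassigned to show the gap report.
OWNERS = {
    "ID.AM-1": "IT Asset Management",
    "ID.AM-2": "IT Asset Management",
    "PR.AC-1": "Identity and Access Team",
    "DE.CM-1": "Security Operations Center",
    "RS.RP-1": "Incident Response Team",
}


def walk(core):
    """Yield (function, category, subcategory) for every Subcategory in the core."""
    for fn in core:
        for cat in fn.categories:
            for sub in cat.subcategories:
                yield fn, cat, sub


def ownership_gaps(core, owners):
    """Subcategory ids with no accountable team: the 'who will do this?' left open."""
    return [sub.id for _, _, sub in walk(core) if not owners.get(sub.id)]


def coverage_by_function(core, owners):
    """Map Function id -> (owned, total) so thin ownership is visible per Function."""
    out = {}
    for fn, _, sub in walk(core):
        owned, total = out.get(fn.id, (0, 0))
        out[fn.id] = (owned + (1 if owners.get(sub.id) else 0), total + 1)
    return out


def lookup_references(core, sub_id):
    """Forward lookup: the Informative References for one Subcategory."""
    for _, _, sub in walk(core):
        if sub.id == sub_id:
            return sub.references
    raise KeyError(sub_id)


def subcategories_citing(core, reference):
    """Reverse lookup: which Subcategories point at a given external control?"""
    return [sub.id for _, _, sub in walk(core) if reference in sub.references]


def report(core, owners):
    """Plain-text summary suitable for an ownership review meeting."""
    lines = [f"{fn_id}: {owned}/{total} subcategories owned"
             for fn_id, (owned, total) in coverage_by_function(core, owners).items()]
    lines += [f"UNOWNED: {sub_id}" for sub_id in ownership_gaps(core, owners)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(CORE, OWNERS)))
```

Running the script prints one coverage line per Function and an `UNOWNED` line for RC.RP-1. In practice the `OWNERS` register would be loaded from the organization's RACI or GRC tool and the core from the official NIST export; the reverse lookup is what lets a team that already satisfies NIST SP 800-53 CM-8 see which Framework outcomes that evidence supports.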
Let’s pause to take a moment to think about the historical progression of cybersecurity practices. In the 80s, practitioners were mainly focused on asset management and identification to create an understanding of organizational assets. This focus shifted to protective technologies like antivirus, firewalls, and secure configurations in the 90s. In a sense, efforts moved from the Identify to the Protect function. As time progressed, practitioners realized that the protective technologies were not one hundred percent effective, so efforts moved into the Detect phase. The transition into the 2000s saw tools like IDS and Security Information Event Monitoring (SIEM) introduced. These tools created even more stress as security teams became overloaded with information. A transition began somewhere around 2010 that focused on developing endpoint detection and response (EDR) tools, such as Carbon Black and CrowdStrike, to enable more granular options for triaging data.
Cybersecurity processes are continuing to evolve. As ransomware has become more prevalent, the need to transition into the Recover function has become even more critical. The focus is shifting to processes including business continuity, disaster recovery, and air-gapped backups. Ransomware has created the need for architectures that are immutable, distributed, and ephemeral.