Federal agencies are using the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework to manage their agencies’ cybersecurity risk, a year after the White House issued an executive order directing the heads of executive agencies and departments to use the NIST framework, according to an agency official.
“Some agencies were using the Cybersecurity Framework before the executive order,” said Matt Barrett, program manager for the framework. “We are seeing Federal organizations use the Cybersecurity Framework more at that program management, risk decisioning level within [their] organization.”
President Trump issued executive order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, in May 2017. The order stated that effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity developed by NIST, or any successor document, to manage the agency’s cybersecurity risk.
Barrett noted that Department of Veterans Affairs information and security officials have been vocal about VA’s efforts to apply the Cybersecurity Framework and NIST’s Risk Management Framework (RMF), which provides Federal policy and standards for protecting information systems.
The Cybersecurity Framework (CSF) supports concepts such as risk decisioning and requirements management, the process of documenting, analyzing, tracing, prioritizing, and agreeing on requirements and then controlling change and communicating it to all stakeholders. These disciplines can be implemented in practices and tools that protect systems, Barrett explained. Consequently, pairing the CSF with the RMF helps strengthen an agency’s security posture, he noted.
NIST’s Ron Ross highlighted the connection between RMF and the CSF in May 2018 when RMF received an update.
“Until now, Federal agencies had been using the RMF and CSF separately. The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF. Conversely, if you’re using the CSF, you can bring in the RMF and give your organization a robust methodology to manage security and privacy risks,” Ross said.
Industry Mapping Tools to the Cybersecurity Framework
Developed through collaboration between industry and government, the Cybersecurity Framework was released in 2014 to promote the protection of critical infrastructure and improve government security. CSF, which consists of standards, guidelines, and best practices, was updated after a draft circulated for public comment in 2017. A new version 1.1 was released in April 2018. Changes include guidance on how to perform self-assessments, additional details on supply chain risk management, and guidance on how to interact with supply chain stakeholders.
The Framework offers five core functions that act as a backbone for a holistic approach to information security: Identify, Protect, Detect, Respond, and Recover. Companies are using these concepts to align their security tools with CSF’s guidance on implementing security controls and measures.
For instance, “The Protect element of the NIST Framework Core specifically calls for protection of data at rest and data in motion, as well as technology that mitigates the impact of a data breach,” according to a PKWARE blog.
“Persistent, data-level encryption is the best approach for protecting data at rest and data in motion. Unlike whole disk encryption or network-based encryption approaches, persistent encryption remains with data even when it is copied or shared outside an organization’s network,” according to PKWARE, which offers the Smartcrypt encryption platform.
Initially, governance, risk, and compliance (GRC) companies were the primary vendors mapping their tools to the five CSF function areas, Barrett noted. Other product vendors with more specific offerings, even vendors whose products apply to just one category in the Framework, are staking their claim to CSF.
For example, “We are a hardware drive encryption solution, we protect data at rest. That is one of 108 subcategories in CSF, protecting data at rest,” Barrett said. Microsoft has posted blogs that show how its products apply to every subcategory of the Framework, he noted. Barrett assumed that the executive order was the tipping point for a lot of vendors to explain how their products align with CSF.
Meanwhile, other organizations such as universities and state governments are using the Framework to protect information and information technology assets. The Framework is helping the Multi-State Information Sharing & Analysis Center (MS-ISAC) enable agencies to develop a benchmark to gauge year-to-year progress across the Framework’s functions and categories. It also provides organizations with metrics to see how they rate compared to similar organizations.
“The NIST CSF has served as a superb standard to enable all agencies to be on the same ‘measurement’ page. This allows agencies to be measured and evaluated equally,” said Gary Coverdale, CISO of Napa and Mono Counties in California.