Question


When performing a gap analysis, one must have an understanding of the desired future or "to be" state. For cybersecurity focused gap analyses, we frequently use IT security controls as the means by which we describe the "to be" (or "should be") state of IT systems and Information Security Management Programs. There are a variety of guidance documents which list and define sets of security controls. Each of these documents or sets of controls has an underlying framework.

One of the newest frameworks that sets forth a collection of "security controls" is the NIST Cybersecurity Framework https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

Mapping and alignment efforts are currently underway to provide guidance to federal agencies and contractors for using NIST CSF and NIST SP 800-53 together since compliance with both is now required of them. Federal contractors and many other businesses are in a position where they must implement both either by contractual requirements or by choice.

Research and then prepare a short briefing paper (5 to 7 paragraphs) which explains the following in language suitable for an executive audience:

1. What is the NIST Cybersecurity Framework? (explain how it is organized, i.e. core functions, tiers, etc.) How does the CSF differ from the way that controls are presented in NIST SP 800-53?

2. Compare the NIST CSF functions to the NIST SP 800-53 families of controls (provide 3 to 5 specific examples of overlap or commonalities). Use this document to help you identify overlapping areas: https://www.nist.gov/document/csfsubcategories-sp80053mappingxlsx

3. Discuss the issues or problems that an organization may face in using both the CSF and the 800-53 control sets within a single Information Security Management program.

Post your briefing paper as a response to this message. Remember to cite your sources and put your reference list at the end of your posting.

Answer #1

The NIST Cybersecurity Framework is a set of best practices, standards, and recommendations that help an organization improve its cybersecurity measures. In other words, the NIST Cybersecurity Framework is US Government guidance for private sector organizations that own, operate, or supply critical infrastructure. It provides a reasonable base level of cybersecurity. It establishes basic processes and essential controls for cybersecurity.

The NIST CSF is organized into five core Functions, also known as the Framework Core. The Functions are organized concurrently with one another to represent a security lifecycle. Each Function is essential to a well-operating security posture and successful management of cybersecurity risk. Definitions for each Function are as follows:

  • Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  • Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect: Develop and implement the appropriate activities to identify the occurrence of a security event.
  • Respond: Develop and implement the appropriate activities when facing a detected security event.
  • Recover: Develop and implement the appropriate activities for resilience and to restore any capabilities or services that were impaired due to a security event.

The Framework defines Tiers that describe the level to which the requirements are implemented. The Tiers are sometimes referred to as maturity levels, but according to NIST they are more a tool for internal communication between cybersecurity risk management and operational risk management, and should not be seen as a maturity level. Nevertheless, higher Tiers represent a higher degree of sophistication and maturity in the management of cybersecurity risks and responses.

  • Tier 1 (Partial): Informal practices; limited awareness; no cybersecurity coordination.
  • Tier 2 (Risk Informed): Management-approved processes and prioritization, but not deployed organization-wide; high-level awareness exists, adequate resources provided; informal sharing and coordination.
  • Tier 3 (Repeatable): Formal policy defines risk management practices and processes, with regular reviews and updates; organization-wide approach to managing cybersecurity risk, with implemented processes; regular formalized coordination.
  • Tier 4 (Adaptive): Practices actively adapt based on lessons learned and predictive indicators; cybersecurity implemented and part of the culture organization-wide; active risk management and information sharing.

While the Framework was written primarily by NIST, the same organization behind 800-53, there are several differences between them. The Framework is concise, voluntary in nature and builds on existing frameworks.

The Framework is more high-level in its scope compared to existing frameworks like NIST 800-53. It focuses on how to assess and prioritize security functions, and references existing documents like NIST 800-53, COBIT 5, and ISO 27000 for more detail on how to implement specific controls and processes. This allows the Framework to be a much more concise document at 40 pages, as opposed to NIST 800-53’s 460 pages.

Due to its high-level scope and clear language, the Framework is also more suitable for reading by executives of an organization who may not have a technical background. The Framework could be more useful in achieving the buy-in of C-level executives necessary for the success of a cybersecurity initiative.

NIST 800-53 is a regulatory document, encompassing the processes and controls needed for a government-affiliated entity to comply with the FIPS 200 certification. In contrast, the Framework is voluntary for organizations and therefore allows more flexibility in its implementation.

The Framework builds on and does not replace security standards like NIST 800-53 or ISO 27001. It’s a great starting point for organizations looking to improve their cybersecurity.

NIST SP 800-53 provides a catalog of controls that support the development of secure and resilient federal information systems. These controls are the operational, technical, and management safeguards used by information systems to maintain the integrity, confidentiality, and security of federal information systems.

The controls are broken into 3 classes based on impact – low, moderate, and high – and split into 18 different families. The NIST SP 800-53 security control families are:

  • Access Control
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical and Environmental Protection
  • Planning
  • Program Management
  • Risk Assessment
  • Security Assessment and Authorization
  • System and Communications Protection
  • System and Information Integrity
  • System and Services Acquisition

Cybersecurity Framework Issues

Let’s take a closer look at these obstacles:

  1. Lack of trained staff

Worldwide, there is a huge shortage of skilled cybersecurity professionals. According to a survey of 775 IT pros by Vanson Bourne on behalf of Intel Security and the Center for Strategic and International Studies (CSIS), 82 percent of respondents admitted to a shortage of cybersecurity skills at their company, with 71 percent of respondents citing this shortage as responsible for direct and measurable damage.

The IT pros surveyed estimated that 15 percent of cybersecurity positions in their company will go unfilled by 2020. This is a problem across the board, not just for companies struggling to implement security frameworks.

James Lewis, senior vice president and director of the Strategic Technologies Program at CSIS, observed that a “shortage of people with cybersecurity skills results in direct damage to companies…This is a global problem.”

  2. Lack of budget

Security budgets across the board are lagging behind the security challenges faced by companies. The average IT security budget for enterprises worldwide declined from $25.5 million in 2016 to $13.7 million this year, according to a survey of 5,000 businesses worldwide by Kaspersky Lab and B2B International. This is despite the growing costs of data breaches.

Obviously, with IT security spending contracting, there is a lot less to go toward implementing cybersecurity frameworks. What is left goes to protecting critical data and putting out fires.

  3. Lack of prioritization and management support

With shrinking budgets, upper management is less likely to prioritize investment in complicated security frameworks. A SANS survey of organizations implementing the CIS Critical Security Controls (CSCs) framework found that only one-quarter of security managers received support for adopting security controls from their chief executive officer, chief operating officer, and business units.

“It is important for tactical managers to take steps to introduce CEOs, COOs, and boards of directors to the CSCs as a means through which to identify and defend their organization’s assets,” said James Tarala, SANS analyst and author of the survey report.

Possible issues with NIST SP 800-53r4

Criticisms of the 800-53r4 update have ranged from claims that its guidance is too obvious to the insinuation that it may be making agencies too complacent about security.

NoVA Infosec proposed that the update failed to add any essential new controls that agencies did not already have access to in the previous version, citing cybersecurity expert Dan Philpott’s observations on the SP 800-53r4 draft. Philpott pointed out that some of SP 800-53r4’s suggested mechanisms were not entirely new and observed that the document spent little time dealing with issues of application security.

Berk took a bolder line, arguing that SP 800-53r4 emphasizes compliance at the expense of security. More specifically, he stated that even agencies that achieve compliance with FISMA are not completely safe because of the sheer number of attack surfaces and vulnerabilities that they must confront.

Altering cybersecurity tactics to more fully account for attacker behavior may be the key to protecting assets within the current threat environment. However, Berk claimed that the defense-minded SP 800-53r4 did not give agencies a framework in which to adopt such a proactive approach.

“The truth remains, however, that we cannot simply expect the NIST guidelines to be a step-by-step recipe for achieving decent data security,” Berk posited. “Understanding the nature of the data at stake, and the risks to it, will be the most important step any agency can take to bolster the appropriate defenses. Simply putting up the wall might get the compliance checkbox checked, but it won’t make you that much more secure.”

References

  1. https://www.ssh.com/compliance/cybersecurity-framework/
  2. https://en.wikipedia.org/wiki/NIST_Cybersecurity_Framework/
  3. https://frsecure.com/blog/how-to-use-and-not-use-the-nist-csf/
