Automating the National Institute of Standards and Technology (NIST) Cybersecurity Framework control documentation and processes is one way to help build a strong cybersecurity foundation. The NIST Cybersecurity Framework (NIST CSF), researched because of an executive order, was initially intended to help improve critical infrastructure, such as power plants, by developing sound practices.
However, it can also be a strong base for the private sector to manage cybersecurity risk management. Think of the NIST CSF as “NIST Lite.” It has all the flavor of the NIST with none of the calories or, well, none of the highly prescriptive measures of critical infrastructure cybersecurity.
What are The Five Core Functions of the NIST Cybersecurity Framework?
The framework’s core functions are as follows: identify, protect, detect, respond, and recover. These NIST security recommended practices comprise the cybersecurity lifecycle.
This means understanding the business context, resources, and risks. These triage the different compliance efforts and create a risk management strategy.
You should include asset management, business environment, governance, risk assessment, and risk management strategy outcomes in the identify function.
Protect means creating and implementing safeguards to limit or contain the impact of a cybersecurity event. Protection includes the following fundamentals: access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.
The Detect function involves developing and implementing ways to identify whether a cybersecurity event has occurred.
Respond means being able to develop and implement a plan in the event of a cybersecurity event.
This function means you have a line of communication and activities to restore any systems impacted in a cybersecurity event. These allow your organization to return to regular operations and include recovery planning, improvement, and communications.
What are The 7 Steps to the NIST Cybersecurity Framework?
The NIST CSF provides a seven-step process for implementing and improving its cybersecurity posture using the NIST CSF.
Step 1: Prioritize and Scope
Any compliance decision starts with the appropriate scoping activities. First, you should determine where your business goals overlap with your cybersecurity structure. For example, business lines or processes have different needs and risk tolerances.
Step 2: Orient
Once you’ve determined what areas to focus on, you need to identify the related systems and assets, the regulatory requirements, and the overall risk approach. This allows you to determine the threats and vulnerabilities in those assets efficiently.
Step 3: Create a Current Profile
You need to create a profile that looks at the Category and Subcategories in your Framework Core.
Step 4: Conduct a Risk Assessment
A NIST risk assessment is no different in concept than any other. Once you look at your overall risk and other risk assessments, you determine the likelihood and impact of any potential cyber event. Also, look at new risks, threats, and vulnerabilities within the current environment.
Step 5: Create a Target Profile
At this point, you gather all the information and determine your own unique desired outcomes. If there are additional subcategories that drive your business, include them here. In addition, look at whether your company has any individual influences or external stakeholders, from vendors to customers. For example, if you’re working with a cloud service provider, you want to incorporate that here.
Step 6: Determine, Analyze, and Prioritize Gaps
Once you’ve determined your risk and your profile, you’re on the way to figuring out where you have gaps. If you have security gaps, conduct a cost-benefit analysis of addressing them and determine the risk they pose to achieving your desired outcomes. For example, if you have a low-risk gap that doesn’t hinder your overall desired results, that gap should be a low priority among your targeted improvements. On the other hand, if you realize that you need to install a firewall to protect payment processing assets, that should be at the top of your priority list.
Step 7: Implement Action Plan
Address any identified gaps here. Once they have been addressed, you continue to monitor and ensure that you meet your target profile’s desired outcomes.
Why Would I Care About NIST Cybersecurity Controls?
NIST CSF offers a risk management framework within the context of multiple standards. In itself, it is neither a standard nor a regulation. Instead, it allows you to determine, test, and implement risk-reducing controls.
Since the informative references come from various standards-notably ISO 27001: 2013 and NIST 800-53-you can incorporate controls that best help you define and govern your own institutional risk. Moreover, the NIST Implementation Tiers offer a guideline for managing the risk.
Looking at NIST CSF, you can see that the informative references encompass various standards. These include multiple portions of the CCS CSC, COBIT 5, ISA 62443-2-1:2009, ISA 62443-3-3:2013, ISO/IEC 27001:2013, and NIST SP 800-53 Rev. 4.
Since this is a NIST framework, NIST 800-53 is one of the fundamental information sources. That makes sense. When seeking guidance on how to implement the CSF, 800-53 provides answers. The Informative References section of the CSF can direct you to the specific location in the standard.
Getting Started with the NIST Cybersecurity Framework
The Framework is intended for companies of all sizes in practically every sector. That said, one company’s strategy for deploying the Core Framework will differ from another’s. Nonetheless, the NIST security checklist may confirm that you are following the Core best practices.
- Do you have a firm grasp on your critical IT processes and assets?
- Do you have tools and processes to manage user identification and access?
- Do you have DLP solutions for your network, endpoints, and cloud?
- Do you have a solid password policy in place?
- Do you encrypt your data and make frequent backups?
- Are your staff educated to spot phishing scams?
- Do you do vulnerability tests on your system frequently?
- Do you have a plan for business continuity?
- Are you keeping your NIST framework up to date to adapt to the shifting threat landscape?
How Can Automating NIST Cybersecurity Framework Control Documentation Help Your Business?
One of the reasons that you’re implementing NIST CSF and not NIST 800-53 is that your business needs and risk don’t rise to that level of detail. While the NIST 800-53 is an informative reference for all but two of the NIST CSF subcategories, you may already be instituting many of the subcategory measures.
Automating NIST Cybersecurity Framework control documentation helps you find overlaps more quickly. If you are using various standards to help mitigate security risks, then you will need to be able to find the appropriate documentation.
ISO 27001: 2013 is a reference point for nearly all of the NIST CSF. If you use ISO 27001 as your compliance foundation, you will most likely fit into the NIST CSF. However, it’s important to note that there are several subcategories to which ISO 27001 is not responsive. This is another reason that automating NIST Cybersecurity Framework control documentation can help your organization. GRC automation offers transparency into your program controls so that you can see where ISO 27001 responds to the NIST CSF.
Of the 98 subcategories, ISO 27001 helps respond to all but 25. Of those remaining 25, a combination of NIST SP 800-53 controls and a few other standards help respond to the following 21:
- ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
- ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
- ID.GV-4: Governance and risk management processes address cybersecurity risks
- D.RA-3: Threats, both internal and external, are identified and documented
- D.RA-4: Potential business impacts and likelihoods are identified
- ID.RA-6: Risk responses are identified and prioritized
- ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
- ID.RM-2: Organizational risk tolerance is determined and clearly expressed
- PR.IP-7: Protection processes are continuously improved
- DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
- DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
- DE.AE-4: Impact of events is determined
- DE.AE-5: Incident alert thresholds are established
- DE.CM-1: The network is monitored to detect potential cybersecurity events
- DE.CM-2: The physical environment is monitored to detect potential cybersecurity
- DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
- RS.CO-4: Coordination with stakeholders occurs consistently with response plans
- RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
- RS.IM-2: Response strategies are updated
- RC.IM-1: Recovery plans incorporate lessons learned
- RC.IM-2: Recovery strategies are updated
Two subcategories can be responded to only by following NIST 800-53:
- ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis
- RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
Finally, there are two subcategories that even NIST 800-53 does not cover. These require COBIT 5:
- RC.CO-1: Public relations are managed
- RC.CO-2: Reputation after an event is repaired
These 25 subcategories are the reason that automating NIST Cybersecurity Framework control documentation and the continuous monitoring to be compliant creates a more efficient and effective program.
The purpose of the NIST CSF is to avoid having to be as detailed as the NIST 800-53 standards would require. This means that although NIST 800-53 covers 97 of these subcategories, using only NIST would be a burden that would make you align with NIST 800-53 only. Remember that more than NIST 800-53 is needed to respond to the NIST CSF since you need to review COBIT 5 to manage public relations and repair your reputation. Therefore, you will look at your current stance to determine how to fill the gaps. Moreover, more than NIST 800-53 is needed to respond to the NIST CSF since you need to review COBIT 5 for managing public relations and repairing reputation.
To learn more about how automated compliance solutions can ease your compliance, read our eBook “Compliance Management Best Practices: When Will Excel Crush You?”
ZenGRC Makes Compliance Easier for Businesses
Ultimately, NIST CSF control development can be accomplished in various ways, but you need to have a smooth integration of information. This means seeing where your chosen ISO 27001 controls overlap with your COBIT 5 controls and how those engage with your ISA 62443-2-1:2009 controls.
Tracking this on a spreadsheet may work as you begin your program, but you cannot maintain the puzzle pieces of NIST CSF control documentation in this way in the long term.
As your business evolves, you may want to change your systems. For example, you can make changes to your controls. However, when you choose to make these changes, they will have a ripple effect across your entire compliance profile. At this point, spreadsheets become untenable.
This is why investing in automating NIST Cybersecurity Framework control documentation eases compliance pains. Quickly changing a complex compliance program has a monetary value. Likewise, being able to provide audit documentation for a complex compliance program promptly has value rooted in saved labor. Unfortunately, these values seem invisible until you monetize your positive audit outcomes.
The Reciprocity® ROAR platform can help you with all those elements and more. In addition, ROAR provides you with the visibility you need to analyze the progress and success of your compliance activities and their influence on risk reduction.
An audit overview report summarizes the frameworks, requirements, and controls in scope, the activities to be done, and the present audit status.
Operational dashboards give information on the status of evidence collection requests, control efficacy, results, and other indicators, allowing you to keep work moving forward while communicating your compliance posture.
A risk posture dashboard also provides an instant insight into how your present actions affect your risk posture, which may help you prioritize compliance efforts. ROAR delivers the content required for compliance. It includes a comprehensive library of over 20 regulatory and legislative frameworks that mirror industry best practices, saving you hours of manual effort and consultation expenditures. As your program grows, the Secure Control Framework’s (SCF) library of cybersecurity risks allows you to comply with more than 150 worldwide information security and privacy regulations.
Even evidence requests have been pre-mapped, and expert-provided templates have been made available to speed up evidence collecting. Best of all, because Governance, Risk Management, and Compliance (GRC) Experts keep your material up to date, you never have to worry about it.
Schedule a demo today to learn how ZenGRC can help you streamline your cybersecurity compliance.