How would you assess a system or service to ensure alignment with NIST CSF

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) gives private-sector businesses a framework for measuring and improving their ability to prevent, detect, and respond to cyber incidents. NIST released Version 1.1 in April 2018, and it has quickly gained traction across a variety of industries; according to the 2019 SANS OT/ICS Cybersecurity Survey, the NIST CSF is the most widely used framework today. Many enterprises are adopting it to help manage their cyber-security risks.

Organizations use the NIST Framework in a variety of ways. Many have found it useful for raising awareness and engaging internal stakeholders, including executive leadership. The Framework also improves communication between enterprises, letting business partners, suppliers, and sectors express cyber-security requirements in a shared vocabulary. By mapping the Framework to their current cyber-security management processes, organizations learn and demonstrate how they align with its principles, recommendations, and best practices. Some parties use the Framework to reconcile and de-conflict internal policies with legislation, regulation, and industry best practice; others use it to examine risks and current practices as part of strategic planning. The Framework's uniform structure and terminology are useful for organizing and expressing NIST compliance against an organization's requirements. It offers a flexible, risk-based approach to helping organizations manage cyber-security risks and achieve their cyber-security goals, which may be shaped by the organization's own cyber-security requirements as well as those of other industries, applicable laws, and rules and regulations.

NIST CS framework components:

  1. Framework Core

A set of cyber-security activities, desired outcomes, and applicable references that are consistent across critical infrastructure sectors forms the Framework Core. Identify, Protect, Detect, Respond, and Recover are its five concurrent and continuous Functions.

  2. Implementation Tiers

Implementation Tiers indicate the extent to which an organization's cyber-security risk management practices exhibit the characteristics described in the Framework, ranging from Partial (Tier 1) to Adaptive (Tier 4).

  3. Framework Profile

A Framework Profile records an organization's prioritized Core Functions, Categories, and Subcategories based on business needs, and can be used to track progress toward the Target Profile.

Key Functions to check when assessing whether a system is NIST CSF compliant:

Teodoro et al. proposed a model for evaluating an organization's compliance with the NIST Cybersecurity Framework (CSF) [5]. Three input vectors must be considered when evaluating a system for NIST CSF compliance: technology, human resources, and cyber-security activity procedures. The model takes the NIST CSF Functions, Categories, and Subcategories and maps them onto these input vectors, producing compliance percentage levels.

The model allows different scenarios and hypotheses to be created and the resulting variation in compliance levels to be evaluated, giving a realistic picture of the impact on the firm. The core Functions listed below, taken together, provide a strategic view of an organization's cyber-security risk management and should be used as the reference point for judging whether a service is NIST CSF compliant.

  1. Identify

To comply with NIST CSF, a system must have complete visibility into its digital and physical assets and their interconnections, clearly defined roles and responsibilities, an assessment of present risks and exposure, and policies and processes in place to mitigate those risks.

  2. Protect

Organizations must create and implement suitable safeguards to limit or contain the consequences of a possible cyber-security event. To establish cyber resilience, a system must manage access to digital and physical assets, provide awareness education and training, implement data security policies, maintain baselines for network configuration and operations, and deploy defensive technologies.

  3. Detect

To comply with NIST CSF, a system must take the steps needed to detect cyber-security incidents swiftly. To judge whether a service satisfies this Function, check that continuous monitoring is in place to detect anomalous behavior and other threats to operational continuity. To anticipate a cyber-attack and respond appropriately, systems must have visibility into their networks.

  4. Respond

Organizations must be able to contain the impact of a cyber event when one occurs. A system can be assessed as NIST compliant for this Function if it maintains a response plan, establishes communication lines among the right parties, collects and evaluates event data, carries out all operations needed to eliminate the issue, and incorporates lessons learned into updated response methods.

  5. Recover

An organization's NIST CSF compliance for this Function is assessed by whether it devises and implements effective plans to restore any capabilities or services harmed by a cyber-security incident. To comply with the CSF, a system must have a recovery plan in place, be able to coordinate restoration efforts with outside parties, and incorporate lessons learned into its revised recovery approach. A timely recovery requires a prioritized list of action points that guide the recovery activities.

Opeoluwa Ore Akinsanya et al. presented a study testing the effectiveness of the NIST CSF in a health-care system [6]. It gives an overview of the security and privacy issues facing public cloud computing, along with advice that businesses should consider when outsourcing data, applications, and infrastructure to the cloud.

To ensure NIST CSF compliance, an auditor compares your actual security systems and standards against the NIST compliance requirements specified in your written information security policies (WISP) during the audit process. If a company's cyber-security program fails to meet its policy standards, it loses points and might fail the audit; for example, suppose you do not have two-factor authentication (2FA), or you patch devices every 180 days instead of the recommended 90. The NIST SP 800-171 and NIST SP 800-53 frameworks are legally mandated for government agencies and enterprises in their supply chain, so failing an audit can be fatal.
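As an added illustration serving both the Teodoro et al. passage above (Subcategories scored on technology, human resources, and procedure vectors and rolled up to compliance percentages) and the audit example in this paragraph (2FA and a 90-day patch cadence checked against the WISP), the Python sketch below is my own sample code, not Teodoro et al.'s model or any NIST tool. The weights, the sample scores, and the mapping of the two audit checks onto Subcategories PR.AC-7 and PR.IP-12 are assumptions; the Subcategory IDs themselves are CSF 1.1 identifiers.

```python
"""Toy NIST CSF compliance scorer (added illustration, not Teodoro et al.'s model
or any NIST tool). Each Subcategory is scored 0-100 on the three input vectors;
weighted means roll up to Function-level compliance percentages compared with a
Target Profile. Weights, scores, mapping are assumptions; IDs are from CSF 1.1."""
from dataclasses import dataclass

WEIGHTS = {"technology": 0.4, "people": 0.3, "process": 0.3}  # assumed weights

@dataclass
class SubcategoryScore:
    sub_id: str  # e.g. "PR.AC-7"; the Function is the prefix before "."
    technology: int
    people: int
    process: int

    def compliance(self) -> float:
        """Weighted compliance percentage for this Subcategory."""
        return round(WEIGHTS["technology"] * self.technology
                     + WEIGHTS["people"] * self.people
                     + WEIGHTS["process"] * self.process, 1)

SAMPLE_SCORES = [  # constructed sample assessment: one Subcategory per Function
    SubcategoryScore("ID.AM-1", 80, 70, 60),  # asset inventory
    SubcategoryScore("PR.AC-7", 40, 50, 50),  # user/device authentication
    SubcategoryScore("DE.CM-1", 90, 80, 70),  # network monitoring
    SubcategoryScore("RS.RP-1", 60, 60, 60),  # response plan executed
    SubcategoryScore("RC.RP-1", 50, 40, 30),  # recovery plan executed
]
TARGET_PROFILE = {"ID": 70, "PR": 70, "DE": 70, "RS": 70, "RC": 70}

def function_compliance(scores):
    """Average Subcategory compliance per Function (ID, PR, DE, RS, RC)."""
    by_fn = {}
    for s in scores:
        by_fn.setdefault(s.sub_id.split(".")[0], []).append(s.compliance())
    return {fn: round(sum(v) / len(v), 1) for fn, v in by_fn.items()}

def profile_gaps(current, target):
    """Functions whose current compliance falls short of the Target Profile."""
    return {fn: round(target[fn] - current.get(fn, 0.0), 1)
            for fn in target if current.get(fn, 0.0) < target[fn]}

def audit_findings(controls, max_patch_days=90):
    """Compare observed controls with the WISP's 2FA and patch-cadence rules."""
    findings = []
    if not controls.get("mfa_enabled", False):
        findings.append("PR.AC-7: two-factor authentication not enforced")
    if controls.get("patch_cycle_days", 0) > max_patch_days:
        findings.append(f"PR.IP-12: patch cycle {controls['patch_cycle_days']}d exceeds {max_patch_days}d")
    return findings
```

Running `profile_gaps(function_compliance(SAMPLE_SCORES), TARGET_PROFILE)` lists the Functions below target, and `audit_findings({"mfa_enabled": False, "patch_cycle_days": 180})` reproduces the two failures from the paragraph above.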

NIST provides a wealth of information for firms trying to meet its standards, and it offers businesses self-assessment tools such as the Baldrige Cybersecurity Excellence Builder. Getting the most from any self-assessment requires accurately measuring where your cyber-security maturity level stands relative to where it needs to be in order to align your cyber-security practices with a NIST framework.

References:

  1. https://www.nist.gov/standardsgov/compliance-faqs-nist-it-security-validation-program
  2. https://www.nist.gov/blogs/taking-measure/identify-protect-detect-respond-and-recover-nist-cybersecurity-framework
  3. https://blog.morphisec.com/nist-cybersecurity-audit
  4. https://www.nist.gov/cyberframework/identify
  5. Teodoro, N., Gonçalves, L., & Serrão, C. (2015, August). NIST cybersecurity framework compliance: A generic model for dynamic assessment and predictive requirements. In 2015 IEEE Trustcom/BigDataSE/ISPA (Vol. 1, pp. 418-425). IEEE.
  6. Akinsanya, O. O., Papadaki, M., & Sun, L. (2019, March). Current cybersecurity maturity models: How effective in healthcare cloud? In CERC (pp. 211-222).