The National Institute of Standards and Technology (NIST) Cybersecurity Framework, also known as the Framework for Improving Critical Infrastructure Cybersecurity and commonly referred to as CSF, is top of mind for many organizations.
Whether driven by the May 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, the need for a common framework between business partners or as a way to measure best practices, many organizations are considering adopting NIST’s framework as a key component of their cybersecurity strategy.
Initially designed by NIST to protect critical infrastructure, the framework is seeing much wider adoption across industries and organizations of various types and sizes. The CSF provides guidance and was built to be customized by organizations to meet their unique business and mission goals.
If you are embarking on implementing CSF, some areas to consider:
- CSF does not prescribe control “requirements.” The framework only provides a very high-level requisite. While this allows organizations to perform a security assessment against CSF, the depth of the assessment is open to organizational interpretation and preference. This can lead to an assessment that leaves weaknesses undetected, giving the organization a false sense of security posture and/or risk exposure.
- CSF does not make NIST SP 800-53 easier. If organizations use the NIST SP 800-53 requirements within the CSF framework, they must address the NIST SP 800-53 requirements per CSF mapping. This is not an easy task and generally requires additional focus.
- CSF control categories … to what end? Control categories (IRM, RM, and EP) provided with CSF are available, but it is up to the implementing organization to determine the alignment for each control and how it applies to their risks. It is not terribly clear how these categories improve the risk assessment results.
- CSF control tiers are not a maturity model. The CSF control tiers provided – partial, risk informed, repeatable, and adaptive – can be assigned to assessed controls. When used in aggregate, these tiers can provide an indication of the implementation level of the organization’s controls. However, if you are looking for a prescription, you might find that you are on your own. For example, CSF maintains that these tiers are not to be confused with a maturity model, so it’s up to you to decide if a ‘partial’ rating is (or is not) good enough for a particular risk.
True to any successful risk management framework, CSF or not, a suitable implementation requires a determination of business impact, risk appetite/tolerance and actual threat vectors, among other key variables. Proper knowledge and true understanding of one’s organizational risks is required when implementing CSF (or any risk management framework for that matter). By going about CSF the wrong way, your end results may belie the true state of your organization’s risk, resulting in false confidence in your current program and potentially misguided investments in resources.
Here are five practical tips to effectively implementing CSF:
- Start by understanding your organizational risks.
- Define your risk appetite (how much) and risk tolerance (acceptable variance).
- Choose the CSF tier that best matches your business and mission (most likely you will end up with several tiers within the same organization).
- Map existing frameworks (FISMA, ISO, COBIT) in your environment to CSF based on your business model.
- Perform initial gap analysis, then use the findings to decide your CSF strategy.
It is best to plan on integrating CSF into your business as a long-term strategy. CSF is not a one-time, quick checklist, so best to allocate the proper resources to ensure a successful implementation for long-term, effective risk management.