Tag: NIST CSF

The NIST Cybersecurity Framework Takes the RMF from Manufactured Compliance to Enterprise Risk Management


In a blog post last year, I mentioned the addition of the Prepare step to the newly released Revision 2 of the NIST SP 800-37 Risk Management Framework, a.k.a. RMF 2.0.  The Prepare step, which aligns with the core of the NIST Cybersecurity Framework (CSF), expands the conversation from system-focused vulnerability management into organizational risk management.

When RMF 2.0 was released, the Prepare step was sometimes referred to as “Step 0” — a new beginning step added to the original six-step RMF.  Anyone who has attempted to achieve a federal Authorization to Operate (ATO) can appreciate the irony of the name “Step 0.”  It is not uncommon to spend years in the assessment and authorization (A&A) process.  With no ATO to show at the end of this investment, it is no wonder that some system owners feel they are living in Step 0.

Fortunately, by identifying distinct tasks for preparing your organization and separate tasks for preparing your systems, RMF 2.0 emphasizes the need to go beyond the IT Department (or “the 6” as it’s known in the armed forces). From a requirements perspective, this is not a groundbreaking idea. However, this is a major conceptual shift for federal compliance teams, who will now need to think past “the boundary.”

In my experience, the teams supporting the A&A process prefer to engage at the lowest levels and often do not consider the organizational dependencies involved in genuine enterprise risk management.  By hyper-focusing on that box with dashed lines around the perimeter (the boundary), and avoiding the organizational context, are we really making risk-based decisions?  Of course not.  In their defense, it is nearly impossible to keep undocumented organizational risks from being confusing, especially without traceability to how specific systems may affect that organizational risk.  Additionally, organizational risk was supposed to be made visible and managed by the risk executive (function), which is rarely utilized in the U.S. federal government.

Changing the narrow focus into something much larger and meaningful will take time.  Advocating for organizational awareness and buy-in will certainly add to the overflowing number of tasks CIOs and CISOs are balancing.  Fortunately, the NIST CSF helps to achieve this objective.

The NIST CSF: Taking You to Mature Organizational Risk Management

Despite being around for over seven years and its mandated adoption by federal agencies under Executive Order 13800, there appears to be a general lack of understanding and awareness of CSF within federal security teams. When I inquire about an organization’s progress with the CSF, I’m often met with a response that ranges anywhere from uncertainty to exasperation.

Unfortunately, instead of looking at the CSF as a tool, many quickly dismissed the publication as another unfunded requirement.  For those who have left it on the shelf, I would encourage you to pick it up again and look at it in a different light.  The CSF is a valuable tool that can assist you in identifying an “as is” and “to be” state for your cybersecurity program through its defined Tiers.  The CSF can also assist in facilitating a transparent dialogue, using a common language, to manage risk across the enterprise.

By extending the risk management discussion from the server room into the boardroom, compliance teams will also win.  Individuals responsible for the implementation of controls families such as acquisition, facilities, personnel, etc., will feed first-hand information into the process.  Mission priorities and impacts will be more accurate, providing the context needed to determine if something is or isn’t an acceptable risk.

Why all this talk about CSF in an RMF blog post? My concern is that despite the effort of organizations to implement the CSF, system owners will maintain the score of “ATO 0, Compliance 10,000” – they’ll continue to meet a multitude of checkbox requirements for compliance rather than achieving true organizational risk management.

In reality, the point of the entire process has always been to identify the risks to the system, mission, and organization.  We’ve traditionally done a good job identifying the risks to the systems; while low level, they’re the easiest to identify and track.  It’s time to grow/mature/evolve and start asking the hard questions about organizational and mission risks in a real way and be able to trace them back to individual systems or capabilities.

True risk awareness is important in making go/no-go decisions on fielding capabilities for all agencies and organizations.  We may never get all the information we need to make a fully informed decision, but we should have as much as we possibly can, to include how these systems affect the larger whole.

Expanding the aperture in compliance to account for the organizational threats, risks, impacts and mitigation is key to this evolution. Standards are important; however, compliance does not need to be one size fits all. Acknowledging the CSF Tiers and interpreting the system-level risk will facilitate contextual discussion about reasonable security expectations.

Getting to the core of the Cybersecurity Framework is the answer to maturing the RMF from manufactured compliance to organizational risk management.  If your commands and compliance teams are not talking about CSF, start asking questions.  CSF is key to success not only with the RMF but also with overall mission assurance.

A Fresh Start for Enterprise Security and Privacy: Dr. Ron Ross Explains the Latest NIST Revisions

Last week, Dr. Ron Ross, National Institute of Standards and Technology fellow, joined Telos’ own Steve Horvath for a webinar to discuss the upcoming release of NIST Special Publication 800-53 Rev. 5, its relationship with the NIST RMF Rev. 2, as well as other prevalent cybersecurity topics. I’d like to thank Dr. Ross for giving us all a better understanding of the latest versions of these publications, why these changes were made, and expectations for the future.

This webinar dealt with a number of topics that allowed Dr. Ross to provide some insight into the NIST way of thinking, in addition to how and why perspectives and requirements have changed over the years. It was very helpful to hear the reasoning behind these updates.

A common thread throughout the webinar was that security and privacy are paramount to any organization. Thankfully, it’s becoming more common to think about security as an on-going process, rather than a one-and-done, set-the-binder-on-the-shelf activity. That’s why I especially liked when Steve brought up continuous monitoring, with Dr. Ross deeming it “the only way to operate… [as] those who are tied to a checklist-based approach [are] not going to survive in the dynamic world that we face today.” Telos recognized this problem and we designed our cyber risk management solution, Xacta, to help lessen the workload by automating the continuous monitoring of systems, networks, and resources.

Steve noted that NIST SP 800-53, Rev. 5 has a clear applicability to the private sector. That’s huge. Commercial organizations have increasingly been embracing the NIST frameworks and controls, with the prediction that 50% of U.S. companies will adopt the NIST Cybersecurity Framework (CSF) in some form by the end of this year. The original purpose of the CSF was to help U.S. critical infrastructure manage risk. However, commercial and international adoption of NIST frameworks shows how important it is to any organization to have a common language and process for cyber risk management.

NIST SP 800-53 Rev. 5 also addresses the cloud and continuous integration/continuous delivery (CI/CD) and DevSecOps practices, which many argue remove the need for assessment and authorization (A&A). When Steve asked Dr. Ross his thoughts, he said, “It doesn’t do away with the [A&A] process, it just makes it more efficient… so [government] can do security at the speed of commercial industry.” That resonated with me because, for years, I have been an avid supporter of cloud and the need for the government to move at the speed of commercial organizations. A coalition that I’m proud to be a part of, the Alliance for Digital Innovation (ADI), includes innovative, cloud-forward companies that advocate for the acceleration of government IT modernization.

Again, thank you, Dr. Ross, for speaking on our platform and for clarifying the changes that will make a huge difference in the efficiency of cyber risk management for organizations, both government and commercial. I urge you all to watch the webinar recording, if you haven’t already, to hear directly from Telos VP Steve Horvath and NIST Fellow Dr. Ron Ross about the topics I’ve mentioned, and much more: https://www.telos.com/reserved/webinar-nist-special-publication-800-53-revision-5/.

New GAO Report Questions Adoption and Effectiveness of NIST CSF across Critical Infrastructure

A recent GAO report titled, Critical Infrastructure Protection – Additional Actions Needed to Identify Framework Adoption and Resulting Improvements, indicates there is not enough information about the level or effectiveness of NIST Cybersecurity Framework (CSF) adoption across the 16 critical infrastructure sectors:

  1. Chemical Sector
  2. Commercial Facilities Sector
  3. Communications Sector
  4. Critical Manufacturing Sector
  5. Dams Sector
  6. Defense Industrial Base Sector
  7. Emergency Services Sector
  8. Energy Sector
  9. Financial Services Sector
  10. Food and Agriculture Sector
  11. Government Facilities Sector
  12. Healthcare and Public Health Sector
  13. Information Technology Sector
  14. Nuclear Reactors, Materials, and Waste Sector
  15. Transportation Systems Sector
  16. Water and Wastewater Systems Sector

According to the report, there are three impediments that prevent GAO from understanding sector-wide cyber risk improvements resulting from CSF adoption:

  1. Lack of precise measurements of improvement,
  2. Lack of a centralized information sharing mechanism, and
  3. Voluntary nature of the framework.

Items 1 and 2 suggest that methods to measure improvement and share such results in a standardized way are needed in order to draw any real conclusions regarding benefit.  The report indicates that NIST and DHS are working to resolve these two issues.  However, to me, the more interesting point is item 3 – the voluntary nature of the CSF.

Is Voluntary the Right Approach?

Since it was first introduced in February 2014, in response to Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity, the NIST CSF has been a voluntary framework.  During its development, NIST took a very progressive crowd-sourcing approach.  It held a number of working groups over the course of 12 months in collaboration with industry, in the hope that industry would feel a sense of ownership and that this ownership would encourage voluntary adoption.

But the question has remained: will critical infrastructure organizations voluntarily implement the CSF, or will adoption require some pressure… in the form of mandates?

Based on the findings of the GAO report, it seems like the simple question of whether critical infrastructure organizations have adopted the CSF is not adequate.  This should not be a yes or no question, because the CSF offers a great deal of flexibility, so much so that it’s possible for an organization to partially implement the CSF in ways that offer little to no risk reduction benefit.  Therefore, in addition to whether the CSF has been implemented, it is important to understand how it has been implemented to determine if it is being used in a way that offers benefit and helps achieve the desired effect, i.e., reduced cyber risk.  As the GAO report indicates, understanding CSF adoption and level of adoption across each critical infrastructure sector is important.

According to the GAO report, many Sector-Specific Agencies (SSAs) have encouraged their respective sectors to adopt the CSF, and many organizations have reported full or partial adoption. On the surface, this sounds encouraging.  There has been adoption, perhaps significant adoption, without mandates.  However, what does adoption really mean? Are these organizations adopting their SSAs’ implementation guidance for their particular sector, or are they taking too much advantage of the CSF’s flexibility?

To be clear:  I’ve often stated – and still believe – that the flexibility of the CSF is one of its greatest benefits, enabling organizations to leverage it as best suits their needs. But too much variation can reduce its effectiveness.  If organizations will not voluntarily adopt the CSF and implement it in the specific ways defined by the SSAs, then it might be necessary to apply more pressure.

It could be helpful to operationalize these sector-specific CSF implementations using software to make it easier for organizations to implement based on defined templates and profiles.  A centralized software approach would make it easier for SSAs to understand status and risk posture across each sector.  It would make future reports to GAO much simpler and more complete.

According to the GAO, approximately 85% of critical infrastructure is owned by the private sector.  Effective cyber risk management practices across all critical infrastructure sectors are essential for national security.  Therefore, it is essential for critical infrastructure organizations to take all appropriate steps to manage their cyber risks.  Voluntarily adopting the CSF in a meaningful way, as defined by the SSAs, is a good first step.

Reciprocity: The Good, The Bad and The Ugly

There is a lot of buzz around the Defense Information Systems Agency’s recent announcement that permits DoD mission partners and service components to host DoD Impact Level 2 data in FedRAMP-authorized (Moderate Baseline) cloud environments without waiting for an explicit DoD-written authorization.

Is this a good thing? Sure.

Is this a bad thing? Maybe.

Will things get ugly?  They normally do when you are talking about protecting DoD “publicly releasable information” these days.  Just ask Ms. Katie Arrington, the special assistant for cyber in the Office of the Assistant Secretary of Defense for Acquisition, who is currently on a CMMC roadshow in an effort to secure the Defense Industrial Base.

In its current form, FedRAMP is too operationally focused to support reciprocity. If the community wants reciprocity, we are going to have to go back to the days of type authorizations, or find something similar.  Under a proper type authorization, the technology itself is thoroughly assessed independent of its physical or organizational environment.  Installation and configuration guidelines accompany the type, providing consuming organizations deployment options based on their operational need.  Hardening guidelines are evaluated for completeness and security rigor. This approach ensures systems are not over- or under-secured; in addition, it often facilitates needed dialogue between stakeholders.

We hear a lot about reciprocity these days, but it has been years since I have heard anyone pursuing a type authorization.  Siding with the compliance folks on this one, most compliance teams stopped accepting types because system owners failed to provide the hardening guides.  If you ask any CISSP how to secure a system, they will tell you that system security covers several domains.  Implementing the associated security controls across these domains takes the form of technical configuration, administrative policies and procedures, and agreements that can reside at the system, mission and/or organizational level.

Dynamics That Reflect an Identity Crisis

These dynamics reflect the fact that the risk management and compliance community is going through something of an identity crisis.  On one side, we are preaching “Cloud First” and reciprocity: “It will make sense once we get there!”  Then we have governance organizations, such as NIST, likely beating their heads against a wall trying to rephrase the same expectations they have been preaching for 10+ years.  Joining the conversation are the privacy teams (do those exist yet?).  Lastly, industry is being hectored to substantiate how they protect government information when many agencies themselves struggle to articulate how they meet their own security requirements.

The identity crisis we are facing in compliance is not new to the security community.  We are constantly challenged with balancing free and open disclosure and collaboration against security, privacy, and mission.  This poses a conundrum: what does the government want from industry?  At one point it looked as if industry should put all its eggs in the FedRAMP basket so its solutions could be leveraged across other agencies.  Simultaneously there are RFIs for how to revamp the FedRAMP process itself.  On top of all of this we have the DFARS requirement to implement NIST SP 800-171 for Controlled Unclassified Information and finally the soon-to-be CMMC requirement for anyone wanting to work with DoD.

Mercy!

Plotting a New Path to Reciprocity

Given that reciprocity is supposed to lead to more consistently sound security postures – as well as simplify life for community professionals – one would hope it would help untangle this web of often contradictory or conflicting dynamics.  So that takes us back to our original questions about reciprocity…

Is this a good thing?  Absolutely! If done properly.  Traditional type authorization may or may not be the final solution.  However, if we can (1) isolate the technology, (2) validate its inherent security and supply chain, and (3) leave the application of organizational and mission common control infrastructure to the deploying organization, we are headed toward increased solution adoption as well as reduced cost and frustration.

Is this a bad thing?  It doesn’t have to be. As mentioned previously, FedRAMP is not currently structured for reciprocity.  In addition, the management of mission impact in DoD exceeds the context of a FIPS 199 categorization.  As long as there is a clear understanding and deliberate integration of how the technology – validated by FedRAMP – sits within the command’s view of the NIST Cybersecurity Framework, the end result could be positive.

Will things get ugly? I hope not.  The reciprocity “easy button” is a popular choice, and is very attractive given the external pressures to improve.  I would posit that if you are in a leadership position and do not know your CSF Tier, you are probably not ready to take advantage of reciprocity from a FedRAMP-authorized system or any other security-attested system.  But – if you’re confident that your Tier is based on measured success and you have established common control frameworks to increase security where the technology can’t, then you are ready to leverage the benefits that can come from reciprocity.

The Irony of RMF Step 0

How the NIST CSF can help take you to mature enterprise risk management.

In my previous post, I mentioned the addition of the Prepare step, often referred to as Step 0, in the revised NIST SP 800-37 Risk Management Framework, a.k.a. RMF 2.0. The Prepare step, which aligns with the core of the NIST Cybersecurity Framework, expands the conversation from system-focused vulnerability management into organizational risk management.

Anyone who has attempted to achieve a federal Authorization to Operate (ATO) can appreciate the irony of the name “Step 0.”  It is not uncommon to spend years in the Assessment and Authorization (A&A) process.  With no ATO to show at the end of this investment, it is no wonder that some system owners feel they are living in Step 0.

Fortunately, by identifying distinct tasks for preparing your organization and separate tasks for preparing your systems, RMF 2.0 emphasizes the need to go beyond the IT Department (or “the 6” as it’s known in the armed forces).   From a requirements perspective, this is not a groundbreaking idea. However, this is a major conceptual shift for federal compliance teams, who will now need to think past “the boundary.”

In my experience, the teams supporting the A&A process prefer to engage at the lowest levels and often do not consider the organizational dependencies involved in genuine enterprise risk management.   By hyper-focusing on that box with dashed lines around the perimeter (the boundary), and avoiding the organizational context, are we really making risk-based decisions?  Of course not.  In their defense, it is nearly impossible to keep undocumented organizational risks from being confusing, especially without traceability to how specific systems may affect that organizational risk.  Additionally, organizational risk was supposed to be made visible and managed by the “risk executive function,” which has almost never been utilized in the U.S. federal government.

Changing the narrow focus into something much larger and meaningful will take time.  Advocating for organizational awareness and buy-in will certainly add to the overflowing number of tasks CIOs and CISOs are balancing.  Fortunately, the NIST Cybersecurity Framework helps to achieve this objective.

The NIST CSF: Taking You to Mature Organizational Risk Management

It is hard to believe the CSF is turning five this month, with the most recent version released in April 2018.   Despite achieving this milestone and its mandated adoption by federal agencies under Executive Order 13800, there appears to be a general lack of understanding and awareness of it within federal security teams.   When I inquire about an organization’s progress with the CSF, I’m often met with blank stares, head tilts, or eye rolls.

Unfortunately, instead of looking at the CSF as a tool, many quickly dismissed the publication as another unfunded requirement.  For those who have left it on the shelf, I would encourage you to pick it up again.  The CSF is a tool that can assist you in identifying an “as is” and “to be” state for your cybersecurity program through its defined Tiers.  The CSF can also assist in facilitating a transparent dialogue, using a common language, to manage risk across the enterprise.

By extending the risk management discussion from the server room into the boardroom, compliance teams will also win.  Individuals responsible for the implementation of controls families such as acquisition, facilities, personnel, etc., will feed first-hand information into the process.  Mission priorities and impacts will be more accurate, providing the context needed to determine if something is or isn’t an acceptable risk.

Why all this talk about CSF in an RMF blog post? My concern is that despite the effort of organizations to implement the CSF, system owners will maintain the score of “ATO 0, Compliance 10,000” – they’ll continue to meet a multitude of checkbox requirements rather than achieving true organizational risk management.

In reality, the point of the entire process has always been to identify the risks to the system, mission, and organization.  We’ve traditionally done a good job identifying the risks to the systems; while low level, they’re the easiest to identify and track.  It’s time to grow/mature/evolve and start asking the hard questions about organizational and mission risks in a real way and be able to trace them back to individual systems or capabilities.

True risk awareness is important in making go/no-go decisions on fielding capabilities for all agencies and organizations.  We may never get all the information we need to make a fully informed decision, but we should have as much as we possibly can, to include how these systems affect the larger whole.

Expanding the aperture in compliance to account for the organizational threats, risks, impacts and mitigation is key to this evolution.   Standards are important; however, compliance does not need to be one size fits all. Acknowledging the CSF Tiers and interpreting the system-level risk will facilitate contextual discussion about reasonable security expectations.

Getting to the core of the Cybersecurity Framework is the answer to maturing the RMF from manufactured compliance to organizational risk management.  If your commands and compliance teams are not talking about CSF, start asking questions.  CSF is key to success not only with the RMF but also with overall mission assurance.

RMF 2.0: Are you “Prepare’d”?

The updated framework does a great job emphasizing organizational risk management, but the first step (literally) is being prepared.

I have always found the updates to federal risk management and compliance processes interesting.  As new versions are introduced, I scan through the instruction looking for the major as well as the subtle differences, trying to understand the intent of the update. What problems are we attempting to solve this time around? How prepared is my component, command, or organization to initiate this change?

Other than standardizing federal agencies on the NIST Risk Management Framework (RMF) in 2010, I do not know that the intent of information assurance frameworks has changed that much over the years.  In my opinion, the fundamental intent of DITSCAP, DIACAP and RMF has been to help organizations define, understand, and manage risks to information systems within the context of the organization and/or mission impact rather than to grade them on how well they can manufacture compliance in a “package.”

Another attempt to communicate the need for organizational risk management was released this past December in the much-anticipated update to NIST SP 800-37, a.k.a. RMF 2.0.  There are several noteworthy additions, such as incorporating the management of privacy and supply chain risk.  Other significant updates include the much-needed “Prepare” step and recurring references to NIST’s complementary Framework for Improving Critical Infrastructure Cybersecurity, i.e., the NIST Cybersecurity Framework.

There are seven major objectives in the updated SP 800-37; I am pleased to report that the first three listed in the executive summary emphasize the management of organizational risk.  There is no mention of ensuring that scans are submitted within the required periodicity (which of course is important but not a strategic focal point).  No examples of an acceptable boundary diagram or definition of a representative sample.  Instead the objectives use phrases such as, “closer linkage…at the C-suite or governance level of the organization,” and my favorite, “institutionalizing critical risk management.”

The Prepare step(s) provide tactical instruction on establishing and managing risk at the organization and system level, ideally as a tool for CISOs and CIOs to engage leadership and mission owners. While I hope I am wrong, I am not sure that most federal agencies are “Prepared” to have this dialogue with leadership.  Likewise I am not sure that mission owners want to engage in what has been traditionally perceived as a solely IT issue.

Getting “Prepared” with the Cybersecurity Framework

This is where the NIST Cybersecurity Framework (CSF) comes into play.  The CSF is far more than a control mapping to the core functions (Identify, Protect, Detect, Respond and Recover).  The CSF is a guide to enhancing your cybersecurity program and incorporating it into your organization’s risk management processes.  The CSF is often acknowledged as a valuable tool for establishing a common language to discuss risk with organizational stakeholders.  What I find most refreshing is the honesty and transparency the framework supports, something I have rarely seen within federal A&A processes.

Unfortunately, the reality for many organizations is they are not “Prepared” for this level of engagement.  Maybe you are new talent entering the government and have a lot of cleaning up to do to reach that point.  Maybe you were handed the role of ISSM as an additional duty and have spent the last five years with no budget, authority, or exposure to leadership.  In any case, it is good news that, through the RMF 2.0 and CSF, NIST has done an incredible job in balancing the flexibility and structure needed to implement common sense risk management.  We can only hope that the same characteristics are visible in the updated agency assessment and authorization implementation guidance that is soon to follow.   I’ll cover that and other facets of RMF 2.0, the CSF, and how they work together in future posts.

IT GRC Geek Speak: Body of Evidence

IT GRC Geek Speak is a blog series that seeks to help define common language and jargon used around the IT Governance, Risk and Compliance (GRC) space.  If commonly defined terms are used to discuss security and compliance, it will be easier for people at every level of the organization, from CISOs to the board of directors, to communicate about compliance and risk management more effectively.

***

What is a body of evidence and why do you need it?

NIST defines body of evidence as:

The totality of evidence used to substantiate trust, trustworthiness, and risk relative to the system.

Essentially, a body of evidence is necessary to demonstrate to business partners, regulators, or in a court of law that reasonable security practices and due care exist within an organization.

In some industries the standards are regulated or mandated, and it is essential to maintain a body of evidence to demonstrate compliance.

Other industries require a body of evidence to authorize a system for use.  For example, within the Federal Government it is essential to demonstrate with evidence and artifacts, that a system meets certain security requirements before the system is activated and trusted to process and store sensitive information.

In many industries, a body of evidence is important to understand the trustworthiness of business partners that are part of your supply chain.

Insurance companies are increasingly interested in a body of evidence to justify cyber risk indemnification, coverage levels, premiums, and deductibles.

Lastly, as a result of recent high-profile breaches, it should be noted that bodies of evidence would have been helpful as a legal defense, demonstrating due care in a court of law.

Beyond using bodies of evidence to demonstrate trustworthiness among and between external parties, they can also be used to effectively communicate internal risk and compliance posture to all levels of an organization – from the server room to the board room.

By operationalizing information and cyber risk frameworks such as the NIST RMF, NIST CSF, and ISO 27001 the Xacta IT GRC platform helps create a comprehensive body of evidence in accordance with internationally recognized standards. Designed with security in mind, Xacta helps ensure data integrity of the body of evidence via role based access, defined user permissions, and audit logs.

Do you have a body of evidence that shows your organization is secure and compliant?  Learn more about how Xacta can help you establish the meaningful body of evidence needed to address a variety of business requirements.


NIST CSF: A Swiss Army Knife for Managing Cyber Risk


The NIST Cybersecurity Framework (CSF) is not a rigid standard; it is a highly flexible tool that can be used to address a wide range of cyber risk management activity and reporting, going well beyond what is explicitly spelled out in the NIST CSF document. It is the Swiss Army Knife for managing your cyber risk.

Organizations that fully embrace the CSF and relate all of their cyber risk management activity back to Framework Core Components (Functions, Categories, Subcategories) have the ability to synchronize a wide range of cyber risk management activities that might not be immediately obvious beyond what is addressed in the NIST CSF document.  Doing so will help ensure all participants in the cyber risk management process are in sync and understand each other.

Beyond using the CSF for its express purpose, as defined by NIST, it can also be used to organize and manage a wide range of related functions, some of which include:

Viewing cyber risk remediation investments and benefits over time

Relate all cyber security investments to the CSF.  Let the CSF help justify the need for such investments.  Understand where the most significant investments are being made (e.g., which Function, Category, Subcategory) and why.  Also, understand how these investment patterns change over time (e.g., year to year).

Understanding cyber risk remediation coverage, overlap, and gaps

View remediation activities and investments in the context of the CSF to better understand relationships and dependencies.  Doing so will also help reveal where there is redundancy, and where there might still be gaps.  It will also help you understand where there might be over-reliance on manual activity, and where automation could be used to reduce labor costs and/or accelerate activity.

Producing meaningful cyber risk metrics

Deriving metrics from the CSF and relating the findings back to the CSF helps synchronize cyber risk management activity (e.g., IT security and Audit).  It allows auditors and IT people to better understand each other.  It also helps organizations understand the effectiveness of security controls in the context of the CSF (versus an audit report that is completely independent of the CSF).


Centralizing all of your cyber risk management activity and reporting around the CSF will further ensure that all of the participants involved in cyber risk management are appropriately synchronized… from the server room to the board room.
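The three uses listed above (investment by Function over time, coverage/overlap/gap analysis, and CSF-anchored metrics) all reduce to one data structure: a control inventory in which every control is tagged with the Core subcategories it supports. The script below is an added example, not code from the original post and not anything from Telos or Xacta. The Function prefixes and subcategory IDs are CSF 1.1 identifiers; the control inventory, costs, test results and prior-year figures are constructed sample data.

```python
"""Relate controls and spend to the NIST CSF Core and derive coverage,
overlap, gap and investment views from that single mapping.

Added example; not code from the original post nor from Telos/Xacta.
Function prefixes and subcategory IDs are CSF 1.1 identifiers; the control
inventory, costs, test results and prior-year spend are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# CSF 1.1 Functions, keyed by the prefix that starts every subcategory ID.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Subcategories a hypothetical organization chose as its target profile
# (real CSF 1.1 IDs, a small subset for illustration).
TARGET_SUBCATEGORIES = ["ID.AM-1", "ID.RA-1", "PR.AC-1", "PR.DS-1",
                        "DE.CM-1", "RS.RP-1", "RC.RP-1"]


@dataclass(frozen=True)
class Control:
    name: str
    subcategories: tuple   # CSF subcategories this control supports
    annual_cost: float     # constructed spend, USD per year
    automated: bool        # False = depends on manual activity
    effective: bool        # result of the latest control test


# Constructed control inventory for the current year.
CONTROLS = [
    Control("Asset inventory (CMDB)", ("ID.AM-1",), 40_000, True, True),
    Control("Quarterly vulnerability scan", ("ID.RA-1", "DE.CM-1"), 25_000, True, True),
    Control("Manual vulnerability review", ("ID.RA-1",), 60_000, False, False),
    Control("MFA on remote access", ("PR.AC-1",), 30_000, True, False),
    Control("Full-disk encryption", ("PR.DS-1",), 15_000, True, True),
    Control("SIEM monitoring", ("DE.CM-1",), 120_000, True, True),
    Control("IR tabletop exercise", ("RS.RP-1",), 10_000, False, True),
]

# Constructed prior-year spend per Function, for the year-over-year view.
PRIOR_YEAR_SPEND = {"Identify": 90_000.0, "Protect": 60_000.0,
                    "Detect": 80_000.0, "Respond": 10_000.0, "Recover": 5_000.0}


def function_of(subcategory):
    """'PR.AC-1' -> 'Protect'."""
    return FUNCTIONS[subcategory.split(".")[0]]


def coverage(controls=CONTROLS, targets=TARGET_SUBCATEGORIES):
    """Map each target subcategory to the names of the controls supporting it."""
    covered = {s: [] for s in targets}
    for c in controls:
        for s in c.subcategories:
            if s in covered:
                covered[s].append(c.name)
    return covered


def gaps(controls=CONTROLS, targets=TARGET_SUBCATEGORIES):
    """Target subcategories with no supporting control at all."""
    return [s for s, names in coverage(controls, targets).items() if not names]


def overlaps(controls=CONTROLS, targets=TARGET_SUBCATEGORIES):
    """Subcategories served by more than one control: either redundancy to
    consolidate or deliberate defense in depth that should be documented."""
    return {s: names for s, names in coverage(controls, targets).items()
            if len(names) > 1}


def manual_candidates(controls=CONTROLS):
    """Controls still relying on manual activity, i.e. automation candidates."""
    return [c.name for c in controls if not c.automated]


def spend_by_function(controls=CONTROLS):
    """Annual spend per Function. A control mapped to several subcategories is
    split evenly between them so the per-Function totals add up to total spend."""
    totals = defaultdict(float)
    for c in controls:
        share = c.annual_cost / len(c.subcategories)
        for s in c.subcategories:
            totals[function_of(s)] += share
    return {f: totals[f] for f in FUNCTIONS.values()}


def spend_delta(current, prior):
    """Year-over-year change per Function (positive = more spend this year)."""
    return {f: current.get(f, 0.0) - prior.get(f, 0.0) for f in FUNCTIONS.values()}


def metrics(controls=CONTROLS, targets=TARGET_SUBCATEGORIES):
    """Two CSF-anchored metrics: share of the target profile with any control,
    and share with at least one control whose last test was effective."""
    cov = coverage(controls, targets)
    effective_names = {c.name for c in controls if c.effective}
    covered = sum(1 for names in cov.values() if names)
    effective = sum(1 for names in cov.values()
                    if any(n in effective_names for n in names))
    return {"coverage": covered / len(targets),
            "effective_coverage": effective / len(targets)}


if __name__ == "__main__":
    print("gaps:", gaps(), "| overlaps:", overlaps(), "| manual:", manual_candidates())
    print("spend:", spend_by_function())
    print("delta:", spend_delta(spend_by_function(), PRIOR_YEAR_SPEND))
    print("metrics:", metrics())
```

The point of the structure is that the subcategory tag on each control is the only join key: the same inventory answers the auditor's question (which subcategories have no effective control), the CISO's question (where the money goes by Function and how that shifted since last year) and the operations question (which controls are still manual). The distinction between `coverage` and `effective_coverage` matters because a control that exists but failed its last test still appears as "covered" in a simple mapping.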


How to Operationalize Cyber Risk Management Frameworks

I previously discussed what constitutes a reasonable cyber risk management practice, and suggested that the NIST Cyber Security Framework (CSF) is an excellent option for this purpose.

Though many companies appear to like the NIST CSF, there are concerns about resource requirements and the overall effort needed for implementation.  These are both legitimate concerns and potential issues with all available frameworks.

The problem with in-house and manual methods

Not all companies have the internal expertise needed to operationalize a cyber security framework like the NIST CSF.  That lack of expertise requires them to hire or contract for this skill.  Because skilled cyber security personnel are in short supply, they are also expensive.  Many companies cannot afford to hire dedicated resources to enable cyber risk frameworks.

Additionally, purely manual methods of implementation do not scale well.  This is especially true for larger companies that have multiple divisions and locations where many resources would be required.  Beyond scalability, enterprise-wide standardization, consistency and accuracy are also difficult to achieve using only manual methods.

In fact, due to the importance of cyber risk management and of demonstrating due care and regulatory compliance, there is an emerging need to maintain a database of record.  There must be a database to serve as an official body of evidence for the corporate cyber risk and compliance management process.  Simple management tools such as spreadsheets are not adequate for this complex business process, just as they’re inadequate for other complex business functions like CRM and ERP.

IT-GRC is ideal for cyber risk and compliance management

Generally speaking, IT-GRC solutions are ideal for the purpose of enterprise-wide cyber risk and compliance management.  As a matter of background, IT-GRC is an outgrowth of the current Federal Government A&A process that has been in existence since the 1980s.  A&A is a comprehensive cyber risk and compliance management process that relies heavily on testing, attestation, evidence, and artifacts to demonstrate controls-compliance, which in turn is used to derive a coherent statement of cyber risk.

Telos was an early provider of C&A (now A&A) services, and was the first to automate the C&A process in 2000.  In 2002, we demonstrated our technology to Mike Rasmussen, a prominent industry analyst, who credits Telos as the catalyst for the IT-GRC product market:

“In the late 1990s it occurred to me there had to be a better way to manage risks, policies, controls, and compliance requirements, and do this in the context of each other. In February 2002 a solution provider named Telos Corporation demoed their Xacta solution to me, which did just that. It struck me that this is exactly what I had envisioned.”  — Mike Rasmussen, GRC2020

IT-GRC platforms like Xacta AE allow organizations to quickly and efficiently operationalize frameworks such as the NIST CSF, ISO 27001, and the NIST RMF.  Our platform reduces the need for dedicated framework expertise, because essential framework elements are baked into the software.  Xacta AE simply allows personnel to participate in the cyber risk and compliance process according to their defined role, while the embedded workflow allows people to collaborate in an integrated process across an enterprise to achieve all of the necessary risk and compliance management steps.

As a result, the organization is able to get its arms around the complex process of cyber risk and compliance management.  This process will yield a comprehensive understanding of cyber risk and compliance that will help organizations make informed decisions that will ultimately make the enterprise more secure.  Perhaps just as important, such platforms help organizations demonstrate a standard of due care that will be helpful if there is ever an official inquiry resulting from a data breach.

The next blog post in the series will focus on the benefit of IT-GRC platforms for communicating cyber risk to boards of directors and corporate officers.

Empowering the NIST Cybersecurity Framework with Cyber Insurance — and Vice Versa

The National Institute of Standards and Technology (NIST) hosted a workshop April 5-7 on the NIST Cybersecurity Framework (CSF).  The workshop allowed industry representatives to provide the collaborative input needed to improve the use and utility of the CSF.

There were about 900 registrants from various industry sectors, including international representation — the largest event NIST has ever hosted.  The turnout for this event and the extensive interaction among all of the participants show that the CSF has changed the nature of cyber risk management in a positive way.

One of the highlights of this workshop was the panel discussion on cyber liability insurance and how insurance companies are using the CSF to help better understand and underwrite cyber risk. The panel, moderated by Matt Shabat with the DHS Office of Cybersecurity and Communications, consisted of:

  • Erica Davis, Zurich Insurance NA
  • Tom Finan, Ark Network Security Solutions
  • Ryan Gibney, Lockton
  • Steve Horvath, Telos Corporation
  • Marcin Weryk, XL Catlin Insurance

Early in the session, the panel discussed whether they are now any better able to glean from their customers the information they need about their cyber security posture.  The panelists confirmed that they can get more information today than in the past, with the CSF helping in that effort.

Erica Davis with Zurich Insurance said that a security engineer walks the customer through each of the five steps of the CSF to ensure everyone involved understands its requirements and expectations.  She also described the thorough underwriting meetings her firm holds with all insurers involved in a cyber insurance policy.

The panelists also agreed that one of the key benefits of the CSF is that it provides a common vocabulary for risks and controls, facilitating deeper cyber risk conversations among brokers, underwriters, and companies who are seeking cyber coverage.  The CSF helps to break down silos within companies and helps security and risk specialists to communicate with the C-suite and board room in a “business-friendly” way.

Underwriting the “Security Culture” of an Organization

Marcin Weryk with XL Catlin Insurance further observed that the CSF has allowed insurance companies to move beyond just looking at IT risks, allowing them to underwrite the “security culture” of an organization.  Tom Finan with Ark NSS suggested four things that help to create a more effective risk culture: (1) executive leadership; (2) education and awareness; (3) role of technology; and (4) information sharing.

The notion of security culture is very important, as managing cyber risk is not strictly limited to IT. Panelist Ryan Gibney with Lockton noted that a holistic approach to risk management encompasses people and processes as well as technology.

In fact, about 75 percent of NIST security controls are non-technical in nature.  The CSF actually addresses a broad set of issues beyond technical security controls that can contribute to the accumulation of cyber risk, such as roles and responsibilities, awareness and training, security process and procedures, incident response and recovery planning, and communication.

A Common Framework Leads to Better Insurance Products and Pricing

The panel also acknowledged that the CSF allows cyber insurance underwriters to put out better products and price them with greater precision.  For example, the panel discussed the challenges of rating customers and pricing policies in the absence of historical actuarial data concerning cyber-related events.

Calling the CSF “a Rosetta Stone for talking about risk,” our own Steve Horvath noted that the CSF supports the development of a common frame of reference for sharing and analyzing claims data in order to create actuarial tables for cyber liability policies.  That opinion comports with the U.S. Department of Treasury’s position that “adoption of the Framework could lead to the creation of more standardized information-sharing practices and policies,” helping organizations to more effectively mitigate cyberthreats and improve the ability of insurers to price and underwrite cybersecurity policies.

Cyber Insurance: An Incentive for Adopting the CSF

One concern often expressed about the CSF is that its use in industry is voluntary.  The panel observed that cyber insurance creates incentives for organizations across industry sectors to adopt the CSF, echoing comments from the U.S. Commerce Department that cyber insurance “may be an effective, market-driven way of increasing cybersecurity because it can…encourage the adoption of best practices.”

With the CSF in place, enterprises can also better determine cyber security budgetary priorities at the micro and macro level so they can move from their current security posture to their target profile.  They can also move beyond “static” measurement to a more continuous way to monitor and improve risk with improved data sharing.


Cyber insurance and the NIST Cybersecurity Framework have a symbiotic relationship, in which one enables and reinforces the other.  Solutions and services from companies like Telos support companies that need to adhere to the CSF in order to assess and attest to their current security profiles; facilitate internal communication “from the server room to the board room;” justify and prioritize budget decisions; and continually monitor progress towards targeted goals.  The rewards are lower premiums and lower risks for an improved security posture.