This piece was guest written by Bob Heckman.
First, Some Background
During 2013-2014, the National Institute of Standards and Technology (NIST) worked with public and private entities to create the NIST Cybersecurity Framework (CSF) in response to Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. The CSF is a risk management approach to be used voluntarily by organizations to improve the cybersecurity of critical infrastructure. It consists of standards, methodologies, procedures and processes that align policy, business and technological approaches to addressing cybersecurity risk, and it provides a high-level vocabulary for cybersecurity risk management, a taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes.

On May 11, 2017, the president signed a new EO (EO 13800), Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, mandating that each agency head use the NIST CSF to manage agency cybersecurity risk. To provide implementation guidance, NIST is currently updating its CSF documentation, including the Framework for Improving Critical Infrastructure Cybersecurity, Draft Version 1.1 (Jan. 10, 2017), and a new NISTIR 8170, The Cybersecurity Framework: Implementation Guidance for Federal Agencies, Draft (May 2017). Both are available for public comment. NIST is also integrating the CSF into its current suite of cybersecurity risk management publications, such as NIST SP 800-37 Revision 1 and NIST SP 800-53 Revision 5. NIST's Baldrige Cybersecurity Excellence Builder can be used in conjunction with the CSF to help federal agencies understand how effective their cybersecurity risk management efforts are and to identify strengths and opportunities for improvement.
How Can All this be Balanced? Process, Process, Process… and Programs
To obtain and maintain this balanced integration between the CSF and the NIST Risk Management Framework (RMF), an effective organizational-level cybersecurity program requires supporting IT processes and programs. Asset management, a mature system development life cycle (SDLC), configuration management (CM) and an established security assessment and authorization (SA&A) program or process are critical to cybersecurity program success. If these programs are not already in place, the overall cybersecurity strategy and program must establish them; without them, the federal agency cybersecurity program will be much harder to implement. Here are some key points to remember:
- The ongoing assessment of all implemented security controls for all information systems requires a comprehensive, accurate, rational and documented asset management program. Asset management must include a complete IT inventory of all FISMA-reportable information systems and their components, including hardware, software, ports, protocols, services and external/internal connections.
- Without a mature SDLC process that incorporates the applicable cybersecurity activities (requirements analysis, engineering, testing, remediation and documentation), key security controls are identified and implemented ad hoc. There is then no assurance that the controls implemented in an information system are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the security requirements for the system.
- Without a mature configuration management process, changes to information systems (driven by changes in mission, business processes, technology, operational environment, cybersecurity status, etc.) are not reliably captured in monitoring and reporting activities. The CM process or program must therefore develop, review, update and maintain the necessary CM documentation, and it must integrate hardening standards, configuration audits and change control with security impact assessments (SIAs) for proposed changes, patch management, vulnerability management and the corresponding documentation updates.
- Without that supporting CM documentation, there is no way to ensure that SIAs are actually conducted or that changes do not introduce new security risks.
- Without a thorough, rigorous SA&A process or program that complies with NIST SP 800-37 Revision 1 and NIST SP 800-53/53A Revision 4, there is no way to validate that the implemented security controls were properly assessed. The consequence is the same as above: no assurance that the controls are effective.
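The first and third points above (an inventory that records ports, protocols and services per system, and a configuration audit against hardening standards) are only useful if someone routinely checks the inventory against what is actually listening on the network. The following added example, written for this page and not taken from NIST or the author, does that check: it parses nmap's grepable (`-oG`) output and reconciles it against a hypothetical inventory and a hypothetical hardening baseline, reporting hosts not in the inventory, open services the inventory does not authorize, authorized services that have disappeared (drift), and services the hardening standard prohibits outright. The inventory, the prohibited-service list and the scan lines are all constructed sample data.

```python
"""Reconcile a FISMA-style asset inventory (hosts and their authorized
ports/protocols/services) against what a network scan actually observed.

Added example. INVENTORY, PROHIBITED_SERVICES and SCAN are constructed
sample data, not from any real agency or scan.
"""
import re
from dataclasses import dataclass, field

# Hypothetical inventory: system id -> host -> set of (port, proto, service).
INVENTORY = {
    "SYS-001": {
        "10.0.1.10": {(22, "tcp", "ssh"), (443, "tcp", "https")},
        "10.0.1.11": {(22, "tcp", "ssh"), (5432, "tcp", "postgresql")},
    },
    "SYS-002": {
        "10.0.2.20": {(22, "tcp", "ssh"), (80, "tcp", "http")},
    },
}

# Hypothetical hardening baseline: services the standard forbids anywhere,
# even if they somehow made it into the inventory.
PROHIBITED_SERVICES = {"telnet", "ftp", "rlogin", "rsh"}

# Constructed lines in nmap grepable (-oG) format. Each port entry is
# port/state/protocol/owner/service/rpc-info/version/ and entries are
# separated by ", "; the Ports field is tab-separated from the rest.
SCAN = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 10.0.1.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 5432/open/tcp//postgresql//, 23/open/tcp//telnet//\tIgnored State: closed (997)
Host: 10.0.2.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/filtered/tcp//http//\tIgnored State: closed (998)
Host: 10.0.3.99 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 8080/open/tcp//http-proxy//\tIgnored State: closed (998)
"""

# port / state / proto / owner / service / (rest ignored)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {host: {(port, proto, service)}} for ports reported open."""
    observed = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comments and summary lines
        host = line.split()[1]
        ports = observed.setdefault(host, set())
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue                      # host up, no port data
        for port, state, proto, service in PORT_RE.findall(m.group(1)):
            if state == "open":           # filtered/closed are not exposure
                ports.add((int(port), proto, service or "unknown"))
    return observed


@dataclass
class Findings:
    unknown_hosts: set = field(default_factory=set)   # host
    unauthorized: set = field(default_factory=set)    # (host, port, proto, service)
    missing: set = field(default_factory=set)         # authorized but not observed
    prohibited: set = field(default_factory=set)      # hardening-baseline violations


def reconcile(inventory, observed, prohibited=PROHIBITED_SERVICES):
    """Compare observed listeners with the inventory and the baseline."""
    authorized = {}
    for system in inventory.values():
        for host, ports in system.items():
            authorized.setdefault(host, set()).update(ports)

    f = Findings()
    for host, ports in observed.items():
        for port, proto, service in ports:
            if service in prohibited:     # baseline applies to every host
                f.prohibited.add((host, port, proto, service))
        if host not in authorized:
            f.unknown_hosts.add(host)     # whole host is outside the inventory
            continue
        for entry in ports - authorized[host]:
            f.unauthorized.add((host,) + entry)
    for host, ports in authorized.items():
        for entry in ports - observed.get(host, set()):
            f.missing.add((host,) + entry)   # drift or a system that went dark
    return f


if __name__ == "__main__":
    findings = reconcile(INVENTORY, parse_grepable(SCAN))
    for name in ("unknown_hosts", "unauthorized", "missing", "prohibited"):
        for item in sorted(getattr(findings, name)):
            print(f"{name:14} {item}")
```

Each finding maps onto a different failure of the programs the list describes: an unknown host means the inventory is incomplete, an unauthorized service means a change bypassed change control and its SIA, a missing service means the inventory was not updated when the system changed, and a prohibited service means the hardening standard was not enforced. Running this against a real `-oG` file and feeding the differences into the CM and vulnerability management processes is the audit the text asks for.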
The Key to Success is Advance Preparation
To successfully implement the CSF, federal agencies should consider the following actions as part of their advance preparation:
- Plan, prepare, document and coordinate a formal CSF implementation plan; brief it to agency senior leadership, management and other stakeholders and obtain their approval, both to secure their participation and support and to build confidence.
- Revise current personnel cybersecurity responsibility and accountability requirements, including sanctions and penalties for noncompliance, to cover the new EO and CSF requirements, and extend them to contractors.
- As part of the planning process, account for asset and resource constraints and impacts, since no additional resources are currently provided to comply with the provisions of this EO.
- Ensure the federal agency cybersecurity program contains the following requirements:
  - A dedicated resource line in the budget request that addresses cybersecurity requirements for each information system in the FISMA-reportable information system inventory.
  - An approved Security Program Plan that documents the agency cybersecurity program and addresses cybersecurity requirements for the supporting enterprise architecture (EA), SDLC and CM program.
  - An approved EA that addresses security requirements, is compliant with the Federal Enterprise Architecture, and contains all information systems that constitute the agency's IT enterprise.
  - An approved SDLC, with all information systems following and documenting compliance with the established SDLC process. This will be a special interest area during the SA&A process.
  - An approved Configuration Management Plan (CMP), with all information systems following and documenting compliance with the established CMP processes. The CMP must address hardening standards, change control management, vulnerability management and configuration audit requirements. This will be a special interest area during the security authorization process.
  - A requirement that all information systems that process, transmit or store federal government information, or are funded by the federal government, receive a security authorization before going into production. Extend this requirement to all IT environments, including development, test and production. Also consider a formal reciprocity policy for security authorizations for all information systems utilized by the federal agency.
- As part of the planning and integration efforts between the CSF and the RMF, ensure that compliance activities such as SA&A include continuous monitoring and that ongoing authorizations are addressed and tightly integrated.
- As part of the planning process, determine the balance between compliance activities and continuous testing/remediation activities, guided by the agency's risk management process. The security controls implemented for an information system need to be documented, monitored, tested and remediated, and this should be embedded in the plan.
In addition, cybersecurity performance metrics and measures are important for gauging CSF implementation progress, so consider leveraging the metrics already being collected and analyzed, such as those for annual FISMA or CyberScope reporting based on the annual Office of Management and Budget (OMB) and Department of Homeland Security FISMA metrics reporting guidance. On May 19, 2017, OMB issued OMB Memorandum M-17-25, which contains NIST CSF implementation and reporting guidance for federal agencies.

Considering and implementing these actions will greatly ease the implementation of the CSF at the federal agency level and its integration with the existing RMF program. The true test of adequate cybersecurity remains: Do the security controls implemented in and for the information system provide adequate cybersecurity for the mission/business capability?