Chapter 16
NIST Cybersecurity Framework
Chapter Objectives
After reading this chapter and completing the exercises, you will be able to do the following:
Understand the overall goal of the NIST Cybersecurity Framework.
Identify the Framework’s Core, Profile, and Implementation Tiers.
Explain how the NIST Cybersecurity Framework can be used by any organization as a reference to develop a cybersecurity program.
NIST’s Cybersecurity Framework is a collection of industry standards and best practices to help organizations manage cybersecurity risks. This framework is created in collaboration among the United States government, corporations, and individuals. The NIST Cybersecurity Framework is developed with a common taxonomy, and one of the main goals is to address and manage cybersecurity risk in a cost-effective way to protect critical infrastructure. Although designed for a specific constituency, the requirements can serve as a security blueprint for any organization.
FYI: Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”
United States Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” was created in February 2013, and tasked NIST to develop a voluntary framework that is centered on existing standards, guidelines, and practices. The main goal is to reduce cybersecurity-related risks to the United States critical infrastructure. Later in 2014, the Cybersecurity Enhancement Act of 2014 reinforced the role of NIST developing such a framework.
Section 7 of Executive Order 13636, “Baseline Framework to Reduce Cyber Risk to Critical Infrastructure,” dictates that “the Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet the requirements of the National Institute of Standards and Technology Act, as amended (15 U.S.C. 271 et seq.), the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113), and OMB Circular A-119, as revised.”
The Executive Order also specifies that the framework “shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.” In addition, the framework “shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure” and also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.
Section 10 of the Executive Order includes direction regarding the adoption of the framework among government agencies.
Private sector organizations are often motivated to implement the NIST Cybersecurity Framework to enhance their cybersecurity programs. These organizatiosn often follow the NIST Cybersecurity Framework guidance to lower their cybersecurity-related risks.
In this chapter, we examine the NIST Cybersecurity Framework and discover how it can serve as a security blueprint for any organization attempting to create a security program and analyze its cybersecurity risk.
Introducing the NIST Cybersecurity Framework Components
The NIST Cybersecurity Framework was created through collaboration between industry and government. It consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.
As mentioned in Chapter 3, “Cybersecurity Framework,” one of the goals of NIST’s Cybersecurity Framework is to not only help the United States government, but provide guidance to any organization regardless of size, degree of cybersecurity risk, or maturity.
Another thing to highlight is that NIST’s Cybersecurity Framework is a living document and will continue to be updated and improved as participants provide feedback on implementation. The latest version of the framework can be obtained at www.nist.gov/cyberframework.
This framework is built from standards, guidelines, and practices to provide a common guidance for organizations to be able to do the following:
Describe their current cybersecurity posture.
Describe their target state for cybersecurity.
Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.
Assess progress toward the target state.
Communicate among internal and external stakeholders about cybersecurity risk.
NIST is very clear that the framework is aimed to complement an existing risk management process and cybersecurity program of your organization. It does not replace such a process or program. You can take advantage of the NIST Cybersecurity Framework to help strengthen your policies and programs by following industry best practices. If your organization does not have an existing cybersecurity program, you can use the NIST Cybersecurity Framework as a reference to develop such a program.
Note
Even though the NIST Cybersecurity Framework was created in the United States, this framework is also used outside of the United States.
NIST’s Cybersecurity Framework is divided into three parts, as illustrated in Figure 16-1.
The Framework Core is “a collection of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles.”
The Framework Profiles are designed to help the underlying organization align its cybersecurity undertakings with business requirements, risk tolerances, and resources.
The Framework Tiers are designed to help organizations to view and understand the characteristics of their approach to managing cybersecurity risk.
FIGURE 16-1 NIST’s Cybersecurity Framework Parts
The Framework Core
The Framework Core is aimed to structure a list of activities to reach certain cybersecurity outcomes and include examples of guidance to achieve such outcomes.
Figure 16-2 lists the functions defined in the NIST Cybersecurity Framework Core.
FIGURE 16-2 NIST’s Cybersecurity Framework Core Functions
Then the Framework Core is decomposed even further with categories, subcategories, and informative references for each of the framework functions, as illustrated in Figure 16-3.
FIGURE 16-3 NIST’s Cybersecurity Framework Core Function Categories, Subcategories, and Informative References
The following are the elements illustrated in Figure 16-3:
Categories group the elements of a function into collections of cybersecurity outcomes, including things like asset management, identity management and access control, security continuous monitoring, response planning, and many more.
Subcategories are a list of specific outcomes of technical and/or management activities within each category. They can be considered as a set of results to aid in achieving the outcomes of each category.
Informative references point to industry standards, guidelines, and practices that are beneficial for an organization trying to achieve the outcomes associated with each subcategory. NIST categorizes these informative references as “illustrative and not exhaustive.” The informative references are based upon “cross-sector guidance most frequently referenced during the Framework development process.” You can even submit a reference for consideration following the instructions outlined at the following site: https://www.nist.gov/cyberframework/reference-submission-page.
The following sections define each of the NIST Cybersecurity Framework functions.
Identify
The Identify function includes the categories and subcategories that define what processes and assets need protection. It is used to develop an understanding in order to analyze and manage cybersecurity risk to systems, assets, data, and capabilities. Figure 16-4 shows the Identify function categories.
FIGURE 16-4 NIST’s Cybersecurity Framework Identify Function Categories
In Chapter 5, “Asset Management and Data Loss Prevention,” you learned the details about asset management and that assets include personnel, data, devices, systems, and facilities. The NIST Cybersecurity Framework states that assets “enable the organization to achieve business purposes that are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.”
The Business Environment category addresses the need for an organization’s mission, objectives, stakeholders, and activities to be comprehended and prioritized. The NIST Cybersecurity Framework specifies that “this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.”
The Governance category’s purpose is to make sure that the policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are well comprehended within the organization.
The Risk Assessment category addresses the identification and analysis of cybersecurity risk to the organization’s operations, assets, and individuals. The Risk Management Strategy category specifies the establishment of the organization’s priorities, constraints, risk tolerances, and assumptions in order to make appropriate operational risk decisions.
The Supply Chain Risk Management category was introduced in NIST Cybersecurity Framework version 1.1, and it specifies that the organization must establish priorities, constraints, risk tolerances, and assumptions in order to make appropriate risk decisions associated with managing supply chain risk. This category was included as a result of the increase of supply chain–based attacks.
FYI: NIST Cybersecurity Framework Spreadsheet
NIST created a spreadsheet that allows you to start reviewing and documenting each of the framework’s functions, categories, subcategories, and informative references. The spreadsheet is shown in Figure 16-5 and can be downloaded from https://www.nist.gov/cyberframework.
FIGURE 16-5 NIST’s Cybersecurity Framework Spreadsheet
Protect
The Protect category of the Identify function demands the development and implementation of relevant safeguards to make sure that critical infrastructure services are protected. Figure 16-6 shows the Protect categories.
FIGURE 16-6 NIST’s Cybersecurity Framework Protect Function Categories
The Identity Management, Authentication and Access Control category specifies that physical and logical assets and associated facilities be available only to authorized users, processes, and devices and is “managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.”
In Chapter 6, “Human Resources Security,” you learned the importance of cybersecurity awareness and training. The Awareness and Training category addresses cybersecurity awareness education and demands that your employees be adequately trained to perform their information security–related duties and responsibilities consistent with related policies, procedures, and agreements. The following NIST Special Publications provide guidance on how to develop appropriate cybersecurity awareness training.
SP 800-16: Information Technology Security Training Requirements: A Role- and Performance-Based Model
SP 800-50: Building an Information Technology Security Awareness and Training Program
The Data Security category provides guidance around data management practices in order to protect the confidentiality, integrity, and availability of such data. The Information Protection Processes and Procedures category addresses the need for appropriate policies, processes, and procedures to manage protection of information systems and assets. The Maintenance category provides guidance on how to perform maintenance and repairs of industrial control and information system components. The Protective Technology category provides guidance around the technical implementations used to secure your systems and assets, consistent with the organization’s policies, procedures, and agreements.
Detect
The NIST Cybersecurity Framework Detect category specifies the need to develop and implement a good cybersecurity program to be able to detect any cybersecurity events and incidents. Figure 16-7 shows the Detect function categories.
FIGURE 16-7 NIST’s Cybersecurity Framework Detect Function Categories
Respond
In Chapter 11, “Cybersecurity Incident Response,” you learned the different steps required to have a good incident response process and program within your organization. The guidance in the Detect, Response, and Recover categories are in alignment with the concepts you learned in Chapter 11. Figure 16-8 shows the Respond function categories.
FIGURE 16-8 NIST’s Cybersecurity Framework Respond Function Categories
Recover
The Recover category provides guidance on how to recover normal operations after a cybersecurity incident. Figure 16-9 shows the Recover function categories.
FIGURE 16-9 NIST’s Cybersecurity Framework Recover Function Categories
NIST and the cybersecurity community stakeholders are always improving the framework. NIST maintains a roadmap outlining areas for development and future framework features; it can be accessed at https://www.nist.gov/cyberframework/related-efforts-roadmap.
Framework Implementation Tiers (“Tiers”)
The NIST Cybersecurity Framework Tiers provide guidance to allow organizations to analyze cybersecurity risk and to enhance their processes to manage such risk. These tiers describe how your risk management practices align with the characteristics defined in the framework. Figure 16-10 lists the four Framework Implementation Tiers.
FIGURE 16-10 NIST’s Cybersecurity Framework Tiers
Each of the tiers is then further defined in four categories:
Risk Management Process
Integrated Risk Management Program
External Participation
Cyber Supply Chain Risk Management
NIST Framework Tier Definitions
The following are NIST’s definitions for each of the framework’s tiers.
Tier 1: Partial
Risk Management Process: Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Integrated Risk Management Program: There is limited awareness of cybersecurity risk at the organizational level. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.
External Participation: An organization may not have the processes in place to participate in coordination or collaboration with other entities.
Cyber Supply Chain Risk Management: An organization may not understand the full implications of cyber supply chain risks or have the processes in place to identify, assess, and mitigate its cyber supply chain risks.
Tier 2: Risk-Informed
Risk Management Process: Risk management practices are approved by management but may not be established as organizationwide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Integrated Risk Management Program: There is an awareness of cybersecurity risk at the organizational level, but an organizationwide approach to managing cybersecurity risk has not been established. Cybersecurity information is shared within the organization on an informal basis. Consideration of cybersecurity in mission/business objectives may occur at some levels of the organization, but not at all levels. Cyber risk assessment of organizational assets is not typically repeatable or reoccurring.
External Participation: The organization knows its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally.
Cyber Supply Chain Risk Management: The organization understands the cyber supply chain risks associated with the products and services that either support the business/mission function of the organization or that are utilized in the organization’s products or services. The organization has not formalized its capabilities to manage cyber supply chain risks internally or with its suppliers and partners and performs these activities inconsistently.
Tier 3: Repeatable
Risk Management Process: The organization’s risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
Integrated Risk Management Program: There is an organizationwide approach to manage cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. The organization consistently and accurately monitors cybersecurity risk of organizational assets. Senior cybersecurity and noncybersecurity executives communicate regularly regarding cybersecurity risk. Senior executives ensure consideration of cybersecurity through all lines of operation in the organization.
External Participation: The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.
Cyber Supply Chain Risk Management: An organizationwide approach to managing cyber supply chain risks is enacted via enterprise risk management policies, processes, and procedures. This likely includes a governance structure (for example, Risk Council) that manages cyber supply chain risks in balance with other enterprise risks. Policies, processes, and procedures are implemented consistently, as intended, and continuously monitored and reviewed. Personnel possess the knowledge and skills to perform their appointed cyber supply chain risk management responsibilities. The organization has formal agreements in place to communicate baseline requirements to its suppliers and partners.
Tier 4: Adaptive
Risk Management Process: The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
Integrated Risk Management Program: There is an organizationwide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The relationship between cybersecurity risk and mission/business objectives is clearly understood and considered when making decisions. Senior executives monitor cybersecurity risk in the same context as financial risk and other organizational risks. The organizational budget is based on understanding of current and predicted risk environment and future risk appetites. Business units implement executive vision and analyze system level risks in the context of the organizational risk appetite and tolerances. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on its systems and networks. Cybersecurity risk is clearly articulated and understood across all strata of the enterprise. The organization can quickly and efficiently account for changes to business/mission objectives and threat and technology landscapes in how risk is communicated and approached.
External Participation: The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.
Cyber Supply Chain Risk Management: The organization can quickly and efficiently account for emerging cyber supply chain risks using real-time or near real-time information and leveraging an institutionalized knowledge of cyber supply chain risk management with its external suppliers and partners as well as internally, in related functional areas and at all levels of the organization. The organization communicates proactively and uses formal (for example, agreements) and informal mechanisms to develop and maintain strong relationships with its suppliers, partners, and individual and organizational buyers.
Who Should Coordinate the Framework Implementation?
NIST defines three levels within an organization that should be engaged to coordinate the framework implementation and a common flow of information. Figure 16-11 illustrates these levels.
FIGURE 16-11 NIST’s Cybersecurity Framework Coordination
As you can see in Figure 16-11, there is a feedback loop between the executive and the business/process levels and another feedback loop between the business/process and the implementation/operations levels.
Executive: Communicates the mission priorities, available resources, and overall risk tolerance to the business/process level.
Business/process: Obtains the executive level inputs into the risk management process, and then collaborates with the implementation/operations level.
Implementation/operations: The stakeholders that are in charge of implementing the framework and communicating the implementation progress to the business/process level.
NIST’s Recommended Steps to Establish or Improve a Cybersecurity Program
The following are the steps that NIST’s Cybersecurity Framework recommends to establish or improve a cybersecurity program:
STEP 1. Prioritize and scope: First you identify your business objectives and high-level organizational priorities. This must be accomplished first so that you can make strategic decisions regarding cybersecurity implementations and establish the scope of systems and assets that support the selected business line or process. Implementation tiers may be used to set fluctuating risk tolerances.
STEP 2. Orient your strategy and consult predetermined sources to identify threats and vulnerabilities that may be applicable to your systems and assets.
STEP 3. Create a current profile by defining which category or subcategory outcomes from the Framework Core are presently being achieved. NIST’s Cybersecurity Framework suggests that you take note of any partially completed outcomes, because this will help you accomplish the steps that follow.
STEP 4. Conduct a risk assessment analyzing your operational environment to identify any risks, and use cyber threat intelligence from internal and external sources to gain a better understanding of the potential impact of any cybersecurity incidents.
STEP 5. Create a target profile for your organization that focuses on the assessment of the framework categories and subcategories, and make sure to describe your organization’s cybersecurity goals and outcomes. You can develop your own additional categories and subcategories as appropriate in your environment.
STEP 6. Determine, analyze, and prioritize any gaps in your environment based on the comparison of the Current Profile and the Target Profile. After you do this analysis, create a prioritized action plan to close all those gaps.
STEP 7. Implement the action plan to close the gaps outlined in the previous steps and then monitor your current practices against the Target Profile. NIST’s Cybersecurity Framework outlines example informative references regarding the categories and subcategories. You should determine which standards, guidelines, and practices, including those that are sector-specific, work best for your organization and environment.
You can repeat the aforementioned steps as needed to continuously monitor and improve your cybersecurity posture.
Communication with Stakeholders and Supply Chain Relationships
In Chapter 8, “Communications and Operations Security,” you learned how communication is paramount for your cybersecurity program. NIST’s Cybersecurity Framework provides a common language to communicate requirements with all the stakeholders within or outside your organization that are responsible for the delivery of essential critical infrastructure services. The following are the examples that the NIST Cybersecurity Framework provides:
An organization may utilize a Target Profile to express cybersecurity risk management requirements to an external service provider (for example, a cloud provider to which it is exporting data).
An organization may express its cybersecurity state through a Current Profile to report results or to compare with acquisition requirements.
A critical infrastructure owner/operator, having identified an external partner on whom that infrastructure depends, may use a Target Profile to convey required categories and subcategories.
A critical infrastructure sector may establish a Target Profile that can be used among its constituents as an initial baseline Profile to build their tailored Target Profiles.
Figure 16-12 illustrates NIST Cybersecurity Framework Cyber Supply Chain Relationship. These include communication with your suppliers, buyers, and non-information technology (IT) or non-operation technology (OT) partners.
FIGURE 16-12 NIST Cybersecurity Framework Cyber Supply Chain Relationship
Buying decisions can even be influenced by your cybersecurity posture (from your buyers, if applicable) or the posture of your suppliers (when you are purchasing their goods or services). The framework’s Target Profiles could be used to make these buying decisions, because these are a prioritized list of organizational cybersecurity requirements. The Profile also can allow you and your organization to make sure that all goods or services you purchase or those that you sell meet cybersecurity outcomes through continuous evaluation and testing methodologies.
NIST’s Cybersecurity Framework Reference Tool
NIST created a tool, called the NIST Cybersecurity Framework (CSF) Reference Tool, that allows you to navigate through the framework components and references. This tool can be downloaded from
https://www.nist.gov/cyberframework/csf-reference-tool
The tool can run in Microsoft Windows and Apple Mac OS-X. Figure 16-13 shows the home screen of the CSF tool.
FIGURE 16-13 NIST CSF Tool Home Screen
NIST CSF Reference Tool provides a way for you to browse the Framework Core by
Functions
Categories
Subcategories
Informative references
Figure 16-14 shows the different views or categories you can explore in the tool.
FIGURE 16-14 NIST CSF Views Pull-Down Menu
Figure 16-15 provides an example of the NIST CSF Reference Tool views (the Cybersecurity Framework Core).
FIGURE 16-15 NIST CSF Cybersecurity Framework Core View
The NIST CSF Reference Tool also allows you to search for specific words and export the current viewed data to different file types, such as tab- or comma-separated text files or XML files, as shown in Figure 16-16.
FIGURE 16-16 NIST CSF Export Capability
Adopting the NIST Cybersecurity Framework in Real Life
The NIST Cybersecurity Framework is often used by organizations of many sizes, because it provides guidance that can be very beneficial to establishing your own cybersecurity program and maintaining compliance with certain regulations. For example, in Chapter 14, “Regulatory Compliance for the Health-Care Sector,” you learned that the United States Department of Health and Human Services has already aligned and mapped the components of the NIST Cybersecurity Framework with the Health Insurance Portability and Accountability Act (HIPAA) elements. Many organizations need to be compliant with the HIPAA Security Rule and the Payment Card Industry Data Security Standard, as well as their own cybersecurity policy. Many sections of these rules, policies, guidelines, and objectives can be aligned with the various functions, categories, and subcategories of the NIST Cybersecurity Framework Core.
By integrating cybersecurity requirements in this manner, an organization can determine where requirements overlap and, in some cases, may conflict. This allows you to consider alternative methodologies and probably modify your cybersecurity practices to address those requirements.
The NIST Cybersecurity Framework Core subcategory outcomes are meaningful for multiple requirements. For example, priorities can be captured in the structure framework and used as inputs to drive cybersecurity investments, effort, and focus. The work product of cybersecurity requirements management using the NIST Cybersecurity Framework is referred to as a Profile, as we discussed earlier in this chapter. Figure 16-17 provides a good overview of this process.
FIGURE 16-17 Operationalizing Cybersecurity Activities Based on the NIST Cybersecurity Framework
The NIST Cybersecurity Framework can also be used to translate among a variety of risk management practices and support your organization as you interact with a wide variety of suppliers (including service providers, product vendors, systems integrators, and other partners). For example, you can even use the framework during market research by asking vendors when responding to a Request for Information (RFI) to include something similar to their Cybersecurity Framework Profile or to express the cybersecurity capabilities of their offerings and organization.
The Implementation Tiers in the NIST Cybersecurity Framework are designed as an overarching measurement of cybersecurity risk management maturity. However, the Implementation Tiers are not prescriptive, as you may find in other maturity models. In addition, following the general guidance in the NIST Cybersecurity Framework allows you to assign cybersecurity responsibility to business units or individuals in an organization. You can specify tasks, responsibilities, and ownership of the cybersecurity program and its associated strategies.
Summary
The NIST Cybersecurity Framework is created in collaboration between the United States government, corporations, and individuals. The NIST Cybersecurity Framework is developed with a common taxonomy, and one of the main goals is to address and manage cybersecurity risk in a cost-effective way to protect critical infrastructure.
The NIST Cybersecurity Framework is aimed to complement an existing risk management process and cybersecurity program of your organization. It does not replace such a process or program. You can take advantage of the framework to help strengthen your policies and programs by following industry best practices. If your organization does not have an existing cybersecurity program, you can use the NIST Cybersecurity Framework as a reference to develop such a program.
In this chapter you learned the different parts of the NIST Cybersecurity Framework. The Framework Core is “a collection of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles.” The Framework Profiles are designed to help the underlying organization align its cybersecurity undertakings with business requirements, risk tolerances, and resources. The Framework Tiers are designed to help organizations to view and understand the characteristics of their approach to managing cybersecurity risk. These tiers describe how your risk management practices align with the characteristics defined in the framework.
You also learned about tools that can be used to navigate through the NIST Cybersecurity Framework components and references. Last, you learned how an organization can align its cybersecurity programs and practices with the NIST Cybersecurity Framework.
Test Your Skills
Multiple Choice Questions
1. The NIST Cybersecurity Framework is built from which of the following?
A. Laws and regulations
B. Standards, guidelines, and practices
C. Checklists developed by cybersecurity professionals
D. All of the above
2. The NIST Cybersecurity Framework provides a common guidance for organizations to be able to achieve which of the following?
A. Describe their current cybersecurity posture.
B. Describe their target state for cybersecurity.
C. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.
D. All of the above.
3. The NIST Cybersecurity Framework is divided into which of the following parts?
A. Framework Profile, Implementation Tiers, Outcomes
B. Framework Profile, Core, Outcomes
C. Framework Core, Profile, Implementation Tiers
D. Framework Core, Implementation Tiers, Outcomes
4. The Framework Core is divided into functions. Those functions include which of the following elements?
A. Implementation Tiers, Categories, Informative References
B. Implementation Tiers, Identification Elements, Informative References
C. Categories, Subcategories, Informative References
D. Standards, Categories, Informative References
5. Categories group the elements of a function into collections of cybersecurity ___________.
A. outcomes
B. standards
C. rules
D. checklists
6. Which of the following is not true about informative references?
A. Informative references point to industry standards, guidelines, and practices that are beneficial for an organization trying to achieve the outcomes associated with each subcategory.
B. Informative references are rules that apply only to government institutions trying to achieve the outcomes associated with each subcategory.
C. NIST mentions that informative references are “illustrative and not exhaustive.”
D. You can submit a reference to be considered to be part of the NIST Cybersecurity Framework informative references.
7. The Risk Assessment category addresses the identification and analysis of cybersecurity risk to the organization’s operations, assets, and individuals. The Risk Assessment category is part of which function?
A. Identify
B. Detect
C. Protect
D. Respond
8. The Awareness and Training category addresses cybersecurity awareness education so that your employees are adequately trained to perform their information security–related duties and responsibilities consistent with related policies, procedures, and agreements. The Awareness and Training category is part of which function?
A. Identify
B. Detect
C. Protect
D. Respond
9. The Anomalies and Events, Security Continuous Monitoring, and Detection Processes categories are part of which function?
A. Identify
B. Detect
C. Protect
D. Respond
10. Which of the following is true about the NIST Cybersecurity Framework Implementation Tiers?
A. Provide guidance to allow organizations to maintain compliance with FISMA requirements.
B. Provide guidance to allow organizations to analyze cybersecurity risks and to enhance their processes to manage such risk.
C. Provide guidance to allow organizations to maintain compliance with FIPS requirements.
D. Provide guidance to allow organizations to maintain compliance with HIPAA requirements.
11. Who should communicate the mission priorities, available resources, and overall risk tolerance to the business/process level?
A. NIST
B. Executives
C. The United States President
D. The United States Department of Commerce
12. Which of the following is not one of the steps that the NIST’s Cybersecurity Framework recommends to establish or improve a cybersecurity program?
A. Identify your business objectives and high-level organizational priorities.
B. Use the framework as a checklist for FISMA compliance.
C. Create a current profile by defining which categories or subcategories are relevant to GDPR compliance.
D. Create a target profile for your organization.
13. Which of the following is not true?
A. An organization may utilize a Target Profile to express cybersecurity risk management requirements to an external service provider (for example, a cloud provider to which it is exporting data).
B. An organization may express its cybersecurity state through a Current Profile to report results or to compare with acquisition requirements.
C. A critical infrastructure owner/operator, having identified an external partner on whom that infrastructure depends, may use a Target Profile to convey required categories and subcategories.
D. Only critical infrastructure agencies may establish a Target Profile that can be used among their constituents as an initial baseline Profile to build their tailored Target Profiles.
Exercises
Exercise 16-1: Understanding the NIST Cybersecurity Framework Core
Explain how the NIST Cybersecurity Framework Core is aimed to structure a list of activities to reach certain cybersecurity outcomes and include examples of guidance to achieve such outcomes.
Explain which parts can be used as guidance to create an incident response program and practice.
Explore the informative references in each category. Do you find any that overlap? Did you find any that contradict each other?
Exercise 16-2: Understanding the Implementation Tiers
Describe how an organization’s risk management practices can align with the characteristics defined in the framework.
What areas of the Implementation Tiers can be used to enhance an organization’s risk management process? Explain why.
Exercise 16-3: Using the Framework as Guidance to Manage Cyber Supply Chain Risk Management
Explain how the NIST Cybersecurity Framework can help your organization to establish a baseline requirement to suppliers and partners.
Create an example of such a baseline.
Projects
Project 16-1: NIST’s Cybersecurity Framework Spreadsheet
Download NIST’s Cybersecurity Framework spreadsheet from https://www.nist.gov/cyberframework.
Familiarize yourself with all the different components, categories, subcategories, and informative references of the NIST Cybersecurity Framework.
Download NIST’s CSF tool from https://www.nist.gov/cyberframework/csf-reference-tool. Familiarize yourself with all the different capabilities of the tool and how it may allow you to start developing your own cybersecurity program.
Prepare a report that explains how an enterprise or private sector organization can leverage the framework to help with the following:
Identify assets and associated risks.
Protect against threat actors.
Detect and respond to any cybersecurity events and incidents.
Recover after a cybersecurity incident happened.
Case Study
Intel and McAfee Adoption of the NIST Cybersecurity Framework
Intel published and delivered a presentation titled “Cybersecurity Framework: Intel’s Implementation Tools and Approach.” This presentation can be found at https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurityframework_6thworkshop_intel_corp.pdf.
Intel’s goals in using the NIST Cybersecurity Framework included alignment to their risk tolerance practices. In addition, they used the framework as guidance to communicate risk to their senior executives.
Similarly, McAfee published a blog post titled “We Tried the NIST Framework and It Works” that can be accessed at https://securingtomorrow.mcafee.com/executive-perspectives/tried-nist-framework-works-2.
In their blog post, McAfee explained how they “focused on developing a use case that would create a common language and encourage the use of the Framework as a process and risk management tool rather than a set of static requirements.”
Research both implementations and answer the following questions:
Why did these companies try to align their cybersecurity programs with the NIST Cybersecurity Framework?
What are some of the major benefits?
Describe how the efforts at Intel and McAfee are similar and/or different.
Research other companies that have also aligned their cybersecurity efforts with the NIST Cybersecurity Framework, and compare the outcomes to those of Intel and McAfee.
References
Executive Order—“Improving Critical Infrastructure Cybersecurity,” accessed 04/2018, https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
Cybersecurity Enhancement Act of 2014, accessed 04/2018, https://www.congress.gov/bill/113th-congress/senate-bill/1353/text.
NIST Cybersecurity Framework, accessed 04/2018, https://www.nist.gov/cyberframework.
NIST Cybersecurity Framework Interactive Framework Resources, accessed 04/2018, https://www.nist.gov/cyberframework/framework-resources-0.
NIST Cybersecurity Framework Roadmap, accessed 04/2018, https://www.nist.gov/cyberframework/related-efforts-roadmap.
“We Tried the NIST Framework and It Works,” McAfee, accessed 04/2018, https://securingtomorrow.mcafee.com/executive-perspectives/tried-nist-framework-works-2.
“Cybersecurity Framework: Intel’s Implementation Tools and Approach,” Intel, accessed 04/2018, https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurityframework_6thworkshop_intel_corp.pdf.
Applying the NIST Cybersecurity Framework to Elections, accessed 04/2018, https://www.eac.gov/file.aspx?&A=Us%2BFqgpgVZw6CIHjBnD2tHKX0PKbwfShtOKsIx2kbEE%3D.