How easy is it to adopt the new NIST Cybersecurity Framework?
New and changing regulations and guidelines are a mainstay in the cybersecurity field. Keeping up with the changes and, more importantly, understanding and applying them is not for the faint of heart. So, here is a breakdown of the new IoT Cybersecurity Law passed by Congress and signed into law in December 2020, and of the NIST Cybersecurity Framework that the resulting guidance builds on.
The law directs the National Institute of Standards and Technology (NIST) to publish standards and guidelines for the use and management of Internet of Things (IoT) devices owned or controlled by federal agencies, and to develop guidance on vulnerability disclosure and on resolving disclosed vulnerabilities. Days after the law was passed, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on a set of 33 vulnerabilities in open-source TCP/IP stacks that “collectively serve as the foundational components of millions of connected devices worldwide.” The NIST Cybersecurity Framework that this guidance rests on is a voluntary, cost-effective framework that lets organizations in the public and private sectors manage cybersecurity risk and demonstrate alignment with existing government standards and guidelines.
Exploring the three main components of the Framework.
The NIST Framework reflects current standards and practices that you can use to manage cybersecurity risk and to communicate about that risk between internal and external organizational stakeholders. It consists of three main components: the Core, Implementation Tiers, and Profiles.
The Framework Core provides a set of cybersecurity activities, desired outcomes, and applicable references, expressed in common language that is easy to understand across critical infrastructure sectors. The Core draws on industry standards, guidelines, and practices to communicate cybersecurity activities and outcomes across your organization, from the executive level to the implementation and operations level, and guides you in managing and reducing cybersecurity risk in a way that complements your existing cybersecurity and risk management processes.
The Core contains five concurrent and continuous Functions: Identify, Protect, Detect, Respond, and Recover (the 2024 revision, CSF 2.0, adds a sixth, Govern). Together, these Functions provide a high-level, strategic view of the lifecycle of your organization’s management of cybersecurity risk. Under each Function, the Core identifies Categories and Subcategories of outcomes and matches each Subcategory with Informative References: existing standards, guidelines, and practices such as ISO/IEC 27001, NIST SP 800-53, and the CIS Controls that help achieve that outcome.
Framework Implementation Tiers provide context on how your organization views cybersecurity risk and on the processes in place to manage it. The Tiers help you consider the appropriate level of rigor for your cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget. They are:
- Partial (Tier 1)
- Risk Informed (Tier 2)
- Repeatable (Tier 3)
- Adaptive (Tier 4)
The Tiers describe a progression from informal, reactive responses to approaches that are agile and risk-informed. When selecting a Tier, organizations should consider their current risk management practices, threat environment, legal and regulatory requirements, business objectives, and organizational constraints. A higher Tier is not automatically the right goal: the target is the Tier that is feasible and cost-effective for your mission and risk appetite.
The final component, the Framework Profile, reflects your organization’s unique alignment of organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Comparing a Current Profile (the outcomes you achieve today) with a Target Profile (the outcomes you want to achieve) identifies the gaps and therefore the opportunities for improving your cybersecurity posture. Profiles can be used to conduct self-assessments and to communicate within your organization or between organizations.
The Framework was created to complement business and cybersecurity processes, serving as the foundation for new cybersecurity programs and as a tool for improving your current one. It gives you a common way to express cybersecurity requirements to business partners and customers and helps find gaps in your cybersecurity practices. It also provides a methodology for addressing privacy and civil liberties considerations in the context of a cybersecurity program.
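To make the Profile comparison concrete, here is an added worked example (not from the original page and not a NIST artifact) that scores a small slice of the CSF 1.1 Core on the 1 to 4 Tier scale, compares a Current Profile against a Target Profile, and ranks the gaps by distance to target weighted by mission priority. The Subcategory IDs are real CSF 1.1 identifiers with paraphrased descriptions; the Current and Target values and the priority weights are constructed sample data for a hypothetical organization.

```python
"""Profile gap analysis over a slice of the NIST CSF 1.1 Framework Core.

Constructed example data: the Subcategory IDs are real CSF 1.1 identifiers,
their descriptions are paraphrased, and the Current/Target Profiles and
priorities below are invented for a hypothetical organization.
"""
from dataclasses import dataclass
from typing import Optional

# Implementation Tiers, reused here as a 1..4 scale for scoring each Subcategory.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Slice of the Framework Core: Subcategory -> (Function, Category, outcome).
CORE = {
    "ID.AM-1": ("Identify", "Asset Management",
                "Physical devices and systems are inventoried"),
    "ID.AM-2": ("Identify", "Asset Management",
                "Software platforms and applications are inventoried"),
    "PR.AC-1": ("Protect", "Identity Management and Access Control",
                "Identities and credentials are issued, managed, revoked and audited"),
    "PR.IP-1": ("Protect", "Information Protection Processes and Procedures",
                "A baseline configuration of systems is created and maintained"),
    "DE.CM-1": ("Detect", "Security Continuous Monitoring",
                "The network is monitored to detect potential cybersecurity events"),
    "RS.RP-1": ("Respond", "Response Planning",
                "Response plan is executed during or after an incident"),
    "RC.RP-1": ("Recover", "Recovery Planning",
                "Recovery plan is executed during or after an incident"),
}

# Constructed Profiles: Current = where the organization is, Target = where it wants to be.
CURRENT_PROFILE = {"ID.AM-1": 2, "ID.AM-2": 1, "PR.AC-1": 2, "PR.IP-1": 1,
                   "DE.CM-1": 2, "RS.RP-1": 1, "RC.RP-1": 1}
TARGET_PROFILE = {"ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 3, "PR.IP-1": 3,
                  "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}
# Mission priority per Subcategory (1 = low .. 3 = high); unlisted ones default to 1.
PRIORITY = {"PR.AC-1": 3, "PR.IP-1": 3, "DE.CM-1": 2, "ID.AM-2": 2}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    outcome: str
    current: int
    target: int
    priority: int

    @property
    def delta(self) -> int:
        return self.target - self.current

    @property
    def score(self) -> int:
        # How far behind the target we are, weighted by mission priority.
        return self.delta * self.priority


def validate_profile(profile: dict, name: str) -> None:
    """Reject unknown Subcategory IDs or tier values outside 1..4."""
    for sub, tier in profile.items():
        if sub not in CORE:
            raise ValueError(f"{name}: unknown Subcategory {sub!r}")
        if tier not in TIERS:
            raise ValueError(f"{name}: tier {tier!r} for {sub} is not in {sorted(TIERS)}")


def profile_gaps(current: dict, target: dict, priority: Optional[dict] = None) -> list:
    """Return Subcategories where the Target Profile exceeds the Current Profile,
    ranked by (delta x priority), highest first, then by ID for a stable order."""
    validate_profile(current, "current")
    validate_profile(target, "target")
    priority = priority or {}
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, 1)  # an unassessed Subcategory is treated as Tier 1 (Partial)
        if tgt > cur:
            function, _category, outcome = CORE[sub]
            gaps.append(Gap(sub, function, outcome, cur, tgt, priority.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.score, g.subcategory))


def function_summary(current: dict, target: dict) -> dict:
    """Average current and target tier per Function, the roll-up executives usually want."""
    totals: dict = {}
    for sub, tgt in target.items():
        function = CORE[sub][0]
        cur_sum, tgt_sum, n = totals.get(function, (0, 0, 0))
        totals[function] = (cur_sum + current.get(sub, 1), tgt_sum + tgt, n + 1)
    return {f: (round(c / n, 2), round(t / n, 2)) for f, (c, t, n) in totals.items()}


if __name__ == "__main__":
    for g in profile_gaps(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY):
        print(f"{g.subcategory:8} {g.function:8} {TIERS[g.current]:>13} -> "
              f"{TIERS[g.target]:<13} priority={g.priority} score={g.score}  {g.outcome}")
    for f, (cur, tgt) in function_summary(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{f:8} current avg {cur}  target avg {tgt}")
```

With the sample data the baseline-configuration outcome (PR.IP-1) ranks first, because it is two Tiers behind target and carries the highest priority; a Subcategory missing from the Current Profile is scored as Tier 1 rather than silently skipped, so an incomplete self-assessment shows up as a gap instead of hiding one.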
Meeting new regulations in the simplest of ways.
While new regulations and guidelines are often cumbersome to implement, monitor, and remediate against, automation can make the job easier. It takes the repetitive, time-consuming steps out of the continuous scanning, monitoring, and remediation processes that a tight cybersecurity posture requires.
SteelCloud’s ConfigOS can automate the ongoing remediation and accreditation that the new guidelines require. Better yet, it significantly reduces the time and effort needed to sort out the failures unique to each application stack. ConfigOS uses proprietary processes that harden all STIG/CIS controls around an application stack in about 60 minutes, saving significant time and effort. Using this kind of proven, automated approach across your IoT estate can turn cumbersome compliance measures into confidence for you and your organization.