
Tenable Blog


Tailoring the NIST Cybersecurity Framework for a Precise Fit

I recently had the privilege to attend the National Institute of Standards and Technology (NIST) Cybersecurity Workshop 2016, held at the NIST headquarters in Gaithersburg, Maryland on April 6-7, 2016. One thing caught my attention right away: there were two digital clocks prominently displayed on either side of the auditorium. Both clocks were synchronized, and according to my phone, they were accurate to the second. It makes sense because NIST is the keeper of the nation’s atomic clock that will neither gain nor lose one second in about 300 million years. Talk about being a stickler for precision!

The CSF is a framework, and not a standard

The second thing that caught my attention was the “tailorability” they designed into the Framework for Improving Critical Infrastructure Cybersecurity (CSF). At first, this tailorability struck me as being inconsistent with their precise approach to timekeeping and their approach to developing standards. However, after thinking more about it, I realized the CSF is a framework, and not a standard. NIST developed the CSF in conjunction with industry to be tailorable so it would precisely meet the needs of wide-ranging organizations. The CSF consists of three primary parts: Core, Implementation Tiers, and Profiles, each of which supports tailoring. Let’s look at some of the ways an organization can tailor the CSF to meet their precise requirements.

The Core provides a set of activities to achieve specific cybersecurity outcomes. At the most detailed level, the outcomes are control objectives, and the CSF specifies 98 specific outcomes (or control objectives). However, the CSF gives adopting organizations wide latitude in the specific controls they use to achieve those outcomes. Matthew Barrett, NIST’s Cybersecurity Framework Program Manager, said, “If you like your framework, you can keep your framework.” The CSF includes informative references to controls from a number of other frameworks, including COBIT, ISO/IEC 27001:2013, CIS Critical Security Controls, and NIST SP 800-53 Rev. 4. Adopting organizations are free to borrow from other frameworks to tailor controls as needed to meet their specific needs, and can apply different controls to different systems, based on risk assessment.

Implementation Tiers help an organization determine the degree of sophistication its cybersecurity program needs to achieve. At first glance, the four Tiers – Partial, Risk Informed, Repeatable, and Adaptive – look similar to a maturity model. However, the CSF explicitly says, “Tiers do not represent maturity levels.” The concept of maturity includes a natural progression from lower levels to the highest level. The CSF, by contrast, does not assume that maturation to the highest level is appropriate for every organization, nor for every line of business within an organization. It explicitly says, “Progression to higher level Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective,” and “The Tier selection process should be informed by an organization’s current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.”

Given an organization’s environment, mission, and resources, moving to the highest Tier may not be justified. Organizations are encouraged to adopt the Tiers that meet their specific needs. Again, the CSF allows tailoring to achieve a precise organizational fit while still attaining security objectives.

Profiles are snapshots of the status of an organization’s Core Functions and their supporting Categories and Subcategories. The two classes of Profiles are the Current Profile, representing the as-is state, and the Target Profile, representing the as-desired state. Profiles are tailorable: they align Core Functions, Categories, and Subcategories with an organization’s business requirements, risk tolerance, and resources, and a Subcategory that a risk assessment shows does not apply can be left out of the Target Profile. Comparison of the Current and Target Profiles identifies the shortcomings that must be addressed to meet an organization’s cyber risk management objectives. This comparison forms the basis for an improvement plan tailored to the specific needs of an organization.
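As an added illustration of the Profile comparison described above (this is example code written for this article, not a NIST tool and not part of any Tenable product), the script below encodes a Current Profile and a Target Profile as Subcategory-to-Tier maps and computes the gaps. The Subcategory identifiers (ID.AM-1, PR.AC-1, and so on) are real CSF 1.0 Subcategory IDs, but only seven of the 98 are included; the Tier values assigned to them are constructed sample data. Two tailoring points from the text are built in: a Subcategory whose target is `None` has been tailored out and is skipped, and a target Tier below the current Tier is not treated as a gap, because Tiers are not maturity levels and a lower target can be a legitimate, cost-informed choice.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """CSF Implementation Tiers. Ordered so gaps can be sized, not because higher is always better."""
    PARTIAL = 1
    RISK_INFORMED = 2
    REPEATABLE = 3
    ADAPTIVE = 4


# Order of the five Core Functions, used only to break ties when prioritizing gaps.
FUNCTION_ORDER = ["Identify", "Protect", "Detect", "Respond", "Recover"]

# Constructed subset of the Core: a few real CSF 1.0 Subcategory IDs mapped to their Function.
# The real Core has 98 Subcategories; this is illustrative only.
CORE = {
    "ID.AM-1": "Identify",
    "ID.RA-1": "Identify",
    "PR.AC-1": "Protect",
    "PR.DS-1": "Protect",
    "DE.CM-1": "Detect",
    "RS.RP-1": "Respond",
    "RC.RP-1": "Recover",
}

# Current Profile (as-is state). Sample values, constructed for this example.
CURRENT = {
    "ID.AM-1": Tier.RISK_INFORMED,
    "ID.RA-1": Tier.PARTIAL,
    "PR.AC-1": Tier.REPEATABLE,
    "PR.DS-1": Tier.PARTIAL,
    "DE.CM-1": Tier.RISK_INFORMED,
    "RS.RP-1": Tier.PARTIAL,
    "RC.RP-1": Tier.ADAPTIVE,
}

# Target Profile (as-desired state). None means the Subcategory was tailored out after
# risk assessment. RC.RP-1 is deliberately targeted *below* its current Tier.
TARGET = {
    "ID.AM-1": Tier.REPEATABLE,
    "ID.RA-1": Tier.REPEATABLE,
    "PR.AC-1": Tier.REPEATABLE,
    "PR.DS-1": None,
    "DE.CM-1": Tier.ADAPTIVE,
    "RS.RP-1": Tier.RISK_INFORMED,
    "RC.RP-1": Tier.REPEATABLE,
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: Tier
    target: Tier

    @property
    def delta(self) -> int:
        return int(self.target) - int(self.current)


def gap_analysis(current: dict, target: dict, core: dict) -> list:
    """Return the Subcategories whose target Tier exceeds the current Tier, largest gap first.

    Unknown Subcategory IDs are rejected so a typo cannot silently drop an outcome.
    A Subcategory missing from the Current Profile is assumed to be Partial (Tier 1).
    """
    unknown = (set(current) | set(target)) - set(core)
    if unknown:
        raise ValueError(f"Subcategories not in the Core: {sorted(unknown)}")

    gaps = []
    for sub, function in core.items():
        tgt = target.get(sub)
        if tgt is None:
            continue  # tailored out of the Target Profile
        cur = current.get(sub, Tier.PARTIAL)
        if tgt > cur:  # a target at or below the current Tier is not a shortcoming
            gaps.append(Gap(sub, function, cur, tgt))

    # Biggest jump first; ties follow the Identify -> Recover order of the Functions.
    return sorted(gaps, key=lambda g: (-g.delta, FUNCTION_ORDER.index(g.function)))


def summarize_by_function(gaps: list) -> dict:
    """Total Tier steps still needed, per Core Function. Useful as an executive-level view."""
    totals = {}
    for g in gaps:
        totals[g.function] = totals.get(g.function, 0) + g.delta
    return totals


if __name__ == "__main__":
    for g in gap_analysis(CURRENT, TARGET, CORE):
        print(f"{g.subcategory:8} {g.function:8} {g.current.name:14} -> {g.target.name:14} (+{g.delta})")
    print(summarize_by_function(gap_analysis(CURRENT, TARGET, CORE)))
```

The output is the improvement plan's starting point: each row is a Subcategory whose as-is Tier is below the as-desired Tier, and the per-Function totals show where the most work is concentrated. Because the Target Profile is just data, re-tailoring it (removing a Subcategory, or lowering a target that a risk assessment no longer justifies) changes the plan without touching the analysis logic.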

Adopting a framework provides a common language

Much of the CSF’s value lies in the self-assessment and planning processes that the Core, Tiers, and Profiles structure, rather than in the document itself. These processes typically involve executives, line-of-business leaders, and technical staff, and they result in a better understanding of the precise security controls needed to meet the organization’s specific risk management objectives. They drive organizations to develop an organization-specific awareness of their business objectives, their threats, and the actions they should take to manage the resulting risk. Adopting a framework also provides a common language that the different parts of an organization can use to discuss cybersecurity, enabling better communication, collaboration, and achievement of goals and objectives.

If your organization plans to use the CSF, be prepared to tailor it to your organization’s precise needs

Even though the CSF was published by NIST, the National Institute of Standards and Technology, the CSF is a framework, not a standard. If your organization plans to use the CSF, be prepared to tailor it to your organization’s precise needs, and look to Tenable to help you automate the operation and assessment of CSF’s technical controls. Tenable SecurityCenter Continuous View™ (SecurityCenter CV™) includes multiple dashboards and Assurance Report Cards that you can easily tailor to give you the precise visibility you need.
