How to Implement the NIST CSF with the AWS Cloud for Risk and Control Maturity Cybersecurity Assessments

The focus of this article is implementing the NIST CSF within an AWS Cloud Environment. It follows earlier Cybrary articles, which introduced the NIST CSF and integrating the framework with other industry-specific methods to conduct cybersecurity risk and control maturity assessments.

‍

Brief History of the NIST CSF

The NIST CSF¹ is a cybersecurity assessment-type framework developed by the National Institute of Standards and Technology. The NIST CSF's underlying purpose is to provide a robust cybersecurity evaluation tool that can address multiple security domains towards protecting the nation's critical infrastructure sectors.² The legal underpinning of the NIST CSF is the Cybersecurity Enhancement Act of 2014³ and Presidential Executive Order 13636, Improving Critical Infrastructure in Cybersecurity.⁴

‍

Framework Overview: Core, Tiers, and Profile

A detailed introduction to the NIST CSF can be downloaded from the NIST website.⁵ It is important to recap that the body of the NIST CSF is comprised of three sections:

1. Core Framework Functions: The NIST CSF is comprised of five "framework core" functional domains, each with its own set of categories, subcategories, and informative references. "Functions" include: Identify, Protect, Detect, Respond, and Recover (see below, Figure 1). Functions identify cybersecurity-related activities and security outcomes of an organization's cybersecurity program. The NIST CSF information resources consist of other supporting frameworks and industry guidelines such as COBIT, ISO 27001, 9001, SOC 1, SOC 2, and SOC 3.

2. Framework Implementation Tiers: Underlying the functional domains is the "Framework Implementation Tiers." Tiers provide a declarative statement of an organization's processes of managing risks in alignment with the NIST CSF functions. Cybersecurity practices of a business are tiered (ranked) into four tiers:

Tier 1 – Partial (Risks are partially managed with informal practices and controls). Tier 2 – Risk-Informed (Risks controls are endorsed by management but not fully implemented across the organization). Tier 3 – Repeatable (Risk mitigation is a formalized process). Tier 4 – Adaptive (Risks are mitigated with the implementation of lessons learned).

3. Framework Profile: The Profile is the definitive outcome of a NIST CSF cybersecurity assessment. In short, the Profile provides a clear understanding of how effectively an organization's cybersecurity program is identifying and mitigating risks and vulnerabilities as assessed by the benchmarks of each functional domain. Profiles are used to help a business prioritize actions to reduce risks and improve the overall cybersecurity target goals.

Figure 1: Framework Core Structure.⁶

Start With The "Intro to AWS" Course Now >>

‍

AWS and NIST CSF

In 2019, Amazon published a thorough guide on implementing the NIST CSF in an AWS Secure Cloud Environment.⁷ Amazon recommends using the NIST CSF as a tool to establish a baseline towards improving an organization's cloud security objectives. The NIST CSF is an appropriate tool for private, public, and government agencies to establish their cloud-security baselines, as the NIST CSF contains a comprehensive controls catalog derived from the ISO/IEC 27001,⁸ NIST SP 800-53,⁹ COBIT,¹⁰ ANSI/ISA-62443,¹¹, and the Top 20 Critical Security Controls (CSC).¹²

Examples of Use Cases for implementing the NIST CSF in an AWS Secure Cloud Environment include the health care and financial services industries. In the health care industry, the Department of Health and Human Services (HHS) requires AWS-based covered entities and business associates¹³ to adhere to the Health Insurance Portability and Accountability Act¹⁴ (HIPAA) to protect personal health information. A clearly defined catalog of security controls does not exist for HIPAA,¹⁵. Therefore, the HHS requires covered entities to implement the use of a NIST CSF/AWS framework to conduct annual cybersecurity assessments to adhere to the standards of the HIPAA Security Rule requirement.¹⁶

‍

Aligning AWS Services with NIST CSF

A complete listing of the AWS Web Services that align to the NIST CSF can be download from Amazon.¹⁷ The "AWS Services and Customer Responsibility Matrix for Alignment to the CSF" is a comprehensive list that customers can use to align their specific AWS cloud services security requirements to the NIST CSF. It is aligned to NIST SP 800-53. Both the NIST CSF and the AWS Services matrix are Microsoft Excel spreadsheets. This allows a customer to design the security assessment or baseline requirements to meet their specific cloud security scope and security goals.

Figure 2: Example of the AWS Services and Customer Responsibility Matrix.

Figure 3: NIST SP 800-53 Security Controls Mapping.

The AWS Web Services Customer Responsibility Matrix is also aligned with NIST SP 800-171, Protecting CUI (Controlled Unclassified Information) in Non-federal systems and organization.¹⁸

Figure 4: Example of the NIST CSF controls mapping as identified in NIST SP 800-171.

‍

AWS Cloud Adoption Framework

Before establishing a baseline, it is beneficial for a customer to gain a clear understanding of their business needs and the customer-owned responsibilities for "Security in the AWS Cloud." A review of Amazon's "AWS Cloud Adoption Framework (CAF)" ¹⁹ can help a business owner or manager evaluate the overall governance of the roles and responsibilities that will need to be addressed in the NIST CSF/AWS security assessment.²⁰ The AWS CAF outlines Six CAF Perspectives that will help identify security gaps in skills, capabilities, and cybersecurity processes.

‍

Functions and Responsibilities

Amazon refined the NIST CSF Functions into categories that produce subcategories with 108 outcome-based security activities. Each function (CSF core domain) provides a delineation of AWS responsibilities and customer responsibilities. Amazon defines its responsibilities as "security of the cloud." The customer is responsible for "security in the cloud."

For example, in the functional core of "Protect," the customer is responsible for maintaining the data's confidentiality, integrity, and availability. The customer is accountable for setting the suitable security settings for anyone who will access the data (permissions, security policies, and so on). Within the same CSF core function, Amazon is responsible for ensuring the data centers, the Availability Zones, and so forth are fully managed and available to the customer, or in other words, security of the cloud's infrastructure. Amazon defines its core functions according to the NIST CSF, with slight variations of categories and subcategories.

Figure 5: AWS/NIST CSF Responsibility Overview²¹

Figure 5 (above) reflects the CSF core function of Detect and requires the customer to use the appropriate web service to set alarms, monitor the environment, and log events (e.g., implement AWS CloudTrail, AWS GuardDuty). Amazon is accountable for ensuring the real-time delivery of alerts and to provide AWS Security Teams to respond to security events as needed or defined by the customer's AWS Support Plan.

‍

Conducting the Assessment

To conduct an AWS Cloud Environment assessment using the NIST CSF, the business owner has the option of using the Excel spreadsheets to tailor a variety of possible combinations that best reflect the organization's tier level and profile. For example, a smaller web-based business with ten employees and one AWS store-front will not opt to invest the time and money to conduct a cybersecurity assessment that is better suited to an enterprise-level organization with one-hundred customers and a multi web-store front with numerous products. Likewise, an enterprise such as a large bank running an AWS platform may implement a more robust NIST CSF/AWS assessment to meet regulatory compliance requirements.

‍

Conclusion

Regardless of the size or type of organization, adopting the NIST CSF into an AWS cloud environment will always produce valuable, quantifiable results to help any business improve its overall cybersecurity posture. Cybrary offers a number of AWS and NIST-related courses that provide the foundational knowledge needed to build and tailor a risk or control maturity assessment that aligns to both the NIST CSF and the AWS cloud setting. The AWS Cloud Practitioner course is a suitable starting point to gain a general understanding of Amazon Web Services. Additionally, Cybrary offers a NIST SP 800-53 course, which can provide greater insight into the NIST CSF's overall use. It is recommended to download the NIST CSF and AWS Secure Cloud tools and documentation to gain a beneficial understanding of how these tools can be used to conduct meaningful and measurable cybersecurity assessments.

‍

References

1. NIST. (2013). Cybersecurity Framework. National Institute for Standards and Technology. Retrieved February 18, 2021 from: https://www.nist.gov/cyberframework
2. CISA. (2021). Critical Infrastructure Sectors. Cybersecurity & Infrastructure Security Agency. Retrieved February 18, 2021, from: https://www.cisa.gov/critical-infrastructure-sectors
3. (2013, Jul. 24). S.1353 – Cybersecurity Enhancement Act of 2014, 113th Congress (2013-2014). Introduced by Sen. John Rockefeller, IV. Public Law No: 113-270. The U.S. Library of Congress. Retrieved on February 18, 2021, from: https://www.congress.gov/bill/113th-congress/senate-bill/1353
4. (2013, Feb. 12). Executive Order, Improving Critical Infrastructure Cybersecurity. The White House. Retrieved February 18, 2021, from: https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
5. (2014, Feb. 12). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0. The National Institute of Standards and Technology. Retrieved February 18, 2021, from: https://www.nist.gov/system/files/documents/cyberframework/cybersecurity-framework-021214.pdf
6. (2014, Feb. 12). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0. Figure 1. Framework Core Structure, p. 7. The National Institute of Standards and Technology. Retrieved February 18, 2021 from: https://www.nist.gov/system/files/documents/cyberframework/cybersecurity-framework-021214.pdf
7. Amazon. (2019, Jan.). NIST Cybersecurity Framework (CSF), Aligning to the NIST CSF in the AWS Cloud. Amazon Web Services, Inc. Retrieved February 18, 2021 from: https://d0.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf
8. (2013, October). ISO/IEC 27001:2013, Information Technology – Security techniques – Information Security management systems – Requirements. ISO. Retrieved February 18, 2021, from: https://www.iso.org/standard/54534.html
9. (2020, September). NIST Special Publication (SP) 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations. National Institute for Standards and Technology. Retrieved February 18, 2021, from: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
10. (2019). Control Objectives for Information and Related Technology (COBIT), an ISACA Framework. Information Systems Audit and Control Association (ISACA). Retrieved February 18, 2021 from: https://www.isaca.org/resources/cobit
11. (2018, Feb. 2). ANSI/ISA-62443-2-4-2018 / IEC 62443-2-4:2015+AMD1:2017 CSV, Security for industrial automation and control systems. International Society of Automation (ISACA). Retrieved February 18, 2021 from: https://www.isa.org/products/ansi-isa-62443-2-4-2018-iec-62443-2-4-2015-amd1-20 (2021).
12. The 20 CIS Controls & Resources. Center for Internet Security (CIS). Retrieved February 18, 2021, from https://www.cisecurity.org/controls/cis-controls-list/
13. Covered Entities and Business Associates are individuals, organizations, and agencies that record, process, or work with health care data. By law, these types of organizations are required to keep personal health related data protected. For more information read, "Covered Entities and Business Associates," by HHS.gov: https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
14. (1996, Aug. 21). Public Law 104-191-Aug.21, 1996, Health Insurance Portability and Accountability Act of 1996. U.S. Library of Congress. Retrieved February 19, 2021 from: https://www.congress.gov/104/plaws/publ191/PLAW-104publ191.pdf
15. Amazon. (2019, Jan.). NIST Cybersecurity Framework (CSF), Aligning to the NIST CSF in the AWS Cloud, Appendix A – AWS Services and Customer Responsibility Matrix for Alignment to the CSF, p.3. Amazon Web Services, Inc. Retrieved February 18, 2021 from: https://d1.awsstatic.com/whitepapers/compliance/AWS_Services_and_Customer_Responsibility_Matrix_for_Alignment_to_the_CSF.fca4b7f5c7282cc221dee72732624a0389aa2596.xlsx
16. Amazon. (2019, Jan.). NIST Cybersecurity Framework (CSF), Aligning to the NIST CSF in the AWS Cloud, Appendix A – AWS Services and Customer Responsibility Matrix for Alignment to the CSF. Amazon Web Services, Inc. Retrieved February 18, 2021 from: https://d1.awsstatic.com/whitepapers/compliance/AWS_Services_and_Customer_Responsibility_Matrix_for_Alignment_to_the_CSF.fca4b7f5c7282cc221dee72732624a0389aa2596.xlsx
17. AWS Services and Customer Responsibility Matrix for Alignment to the CSF can be downloaded from here: https://aws.amazon.com/compliance/nist/
18. (2021, Jan. 28). NIST SP 800-171 Rev. 2, Protecting CUI (Controlled Unclassified Information) in nonfederal systems and organizations. National Institute for Standards and Technology. Retrieved February 18, 2021 from: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
19. (2017, February). An overview of the AWS Cloud Adoption Framework (CAF), Ver. 2. Amazon Web Services, Inc. Retrieved February 18, 2021 from: https://d1.awsstatic.com/whitepapers/aws_cloud_adoption_framework.pdf
20. Ibid., pp. 2-3.
21. (2021, Feb. 19). Figure 5: AWS/NIST CSF Responsibility Overview, by S.E. Williams.