Integrating The NIST CSF With Industry-Specific Frameworks
Heading into 2021, organizations may be searching for better methods to manage and reduce their company's cybersecurity protection challenges, which may involve using industry-specific cybersecurity assessment tools. The question is, "Where to start?" The answer is to customize the current cyber-risk assessment tool by integrating it with the National Institute for Standards and Technology Cybersecurity Framework (NIST CSF).
This article is the first of several upcoming reviews on integrating industry-specific cybersecurity frameworks with the NIST CSF. Integrated NIST CSF and sector-specific frameworks can be used to customize cybersecurity-related assessments towards improving the methodologies in evaluating an organization's cyber-defenses.
Drawbacks of Using Industry/Sector Specific Frameworks
Depending on the industry, the frameworks employed to conduct cyber-related assessments can be costly in manpower hours. Often, the process may be overwhelming due to the lack of C-level management buy-in, stakeholder agreement on the focus of the assessment, the length of time needed to conduct and complete the assessment, and the number of questions the cyber-evaluation may address. For example, some frameworks are known to review over a thousand sector-specific diagnostic questions. The NIST CSF tool can be incorporated into other risk assessment and access control maturity assessment frameworks, such as COBIT, ITIL, ISO 27000, and other Critical Infrastructure (CI) Sector and industry-specific frameworks.
A Brief Recap of the NIST CSF
In February 2013, Presidential Executive Order 13636 (EO 13636)[1] mandated that organizations within all Critical Infrastructure Sectors[2] use the NIST CSF as a guideline for conducting cybersecurity risk assessments. The Presidential Directive applies to all Federal government agencies, contractors supporting the Federal government, and many private companies considered to be Critical Infrastructure (CI). CI Sectors include the following types of businesses: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Health and Public Health, Information Technology, Nuclear (Reactors, Materials, and Waste), Transportation Systems, and Water and Waste Systems. Using the NIST CSF as part of the cybersecurity assessment process applies if your corporation falls into one of the listed CI Sectors. However, the NIST CSF's usefulness is not limited to governmental agencies and contractors; it is also advantageous for businesses that are not considered critical infrastructure. Additionally, the NIST CSF can be tailored and scoped to the size of any organization.
The NIST CSF consists of three parts: the Framework Core,[3] the Implementation Tiers, and the Roadmap.[4] Both the Core and the companion Roadmap can be downloaded directly from the NIST CSF website[5] as an Excel workbook or PDF file. The Core addresses the overall assessment. The Implementation Tiers identify the impact on national security should the organization fail due to a cyber-attack. The Roadmap is an overview of the cybersecurity gaps and recommended mitigations.
The NIST CSF Excel Workbook divides the domains into five specific sections:
- Identify (ID)
- Protect (PR)
- Detect (DE)
- Respond (RS)
- Recover (RC)
Each Functional domain has Categories with Subcategories. For example, the Function domain:
- Identify (ID) includes the category Governance (ID.GV)
  - Governance (ID.GV) contains the subcategory ID.GV-1: Organizational Cybersecurity Policy
Note: The classification ID.GV-1 is also referred to as the Diagnostic Statement ID. Using categories with subcategories in this way allows for fine-tuning of the risk/maturity assessment, with the option to drill down to the nuts and bolts of the ID.GV-related cyber-policies that are specific to the organization. The goal is to determine whether the access controls, security measures, and policies are appropriate, up to date, and successfully implemented.
Integrating the NIST CSF and Other Frameworks
"Function, Categories, and Subcategories" are already rooted in other well-known frameworks. For instance, the previous example of ID.GV-1 (Identify and Governance) is based on core concepts from the Control Objectives for Information and Related Technologies (COBIT) framework,[6] ISO 27000, and NIST SP 800-53.[7] It is at this point that the stakeholders participating in the security assessment would meet to discuss and decide how to incorporate or integrate industry-specific assessment diagnostic questions to better reflect the organization's security posture.
Example One: NIST CSF and the FSSCC Profile
For example, if the industry falls within the Financial Services Sector, the primary assessment tool may be the Federal Financial Institutions Examination Council (FFIEC) Examination Handbook,[8] or it may be the FFIEC Cybersecurity Assessment Tool (CAT),[9] or it could be the more recent assessment tool, the FSSCC Profile, which is specific to the NIST CSF.[10] These cybersecurity assessment tools are unique to banking. Each has detailed assessment criteria for addressing legal and regulatory cybersecurity compliance requirements (Federal, State, and sometimes local).
The original banking assessment frameworks resulted in cyber-assessments consisting of thousands of diagnostic questions. Each needed to be reviewed, researched, and assessed. However, in 2018, the Bank Policy Institute and BITS (BPI-BITS, the BPI Technology Policy Division) worked with other cybersecurity professionals in the financial services industry to integrate banking cyber-assessment tools with the NIST CSF. The result was the development of the FSSCC Profile.[11] The Profile (framework) is NIST-based and reduced the number of diagnostic statements from thousands of questions down to a few hundred (or fewer, as determined by the Tiering of the organization).
Recall that the NIST CSF has five Functional domains. BPI-BITS customized the FSSCC Profile by incorporating two additional financial-services-specific Functional domains into the NIST CSF: Governance (GV) and Supply Chain/Dependency Management (DM). Expanding the Functional domains from five basic domains to seven, with two banking-specific domains, narrowed the assessment's focus. It resulted in a more accurate evaluation of each financial institution's cyber threats, vulnerabilities, and risks.
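The Function.Category-Subcategory identifier scheme described under ID.GV-1, and the FSSCC Profile's extension of the five Functions to seven, can be checked mechanically when diagnostic statements are imported into a tailored assessment. The following is an added example, not code from the article or from any NIST or FSSCC tool; the category codes in its sample list (GV.XX, DM.XX) are constructed placeholders, not the Profile's real categories.

```python
"""Added example, not from the article or from any NIST/FSSCC tool.
Parses Diagnostic Statement IDs in the Function.Category-Number form the
article describes (e.g. ID.GV-1) and tallies them per Function against
the five base NIST CSF Functions or the seven-Function FSSCC layout.
Category codes in the sample list are constructed placeholders."""
import re
from collections import Counter

# Five base NIST CSF Functions named in the article.
NIST_CSF_FUNCTIONS = frozenset({"ID", "PR", "DE", "RS", "RC"})
# FSSCC Profile adds Governance (GV) and Supply Chain/Dependency Management (DM).
FSSCC_FUNCTIONS = NIST_CSF_FUNCTIONS | {"GV", "DM"}
# Function.Category-Number: two upper-case letters each, numeric suffix.
_ID_RE = re.compile(r"^([A-Z]{2})\.([A-Z]{2})-(\d+)$")

def parse_statement_id(stmt_id, functions=NIST_CSF_FUNCTIONS):
    """Return (function, category, number); raise ValueError if the ID is
    malformed or its Function is not part of the selected framework."""
    m = _ID_RE.match(stmt_id.strip())
    if not m:
        raise ValueError(f"malformed diagnostic statement ID: {stmt_id!r}")
    func, cat, num = m.group(1), m.group(2), int(m.group(3))
    if func not in functions:
        raise ValueError(f"{stmt_id}: Function {func} is outside the selected framework")
    return func, cat, num

def tally_by_function(stmt_ids, functions=NIST_CSF_FUNCTIONS):
    """Count accepted statements per Function and keep rejects with reasons,
    so an assessment lead can see what switching frameworks adds or drops."""
    counts, rejected = Counter(), []
    for s in stmt_ids:
        try:
            counts[parse_statement_id(s, functions)[0]] += 1
        except ValueError as exc:
            rejected.append(str(exc))
    return dict(counts), rejected

# Constructed sample: base CSF IDs, two FSSCC-only IDs and one typo.
SAMPLE_IDS = ["ID.GV-1", "ID.GV-2", "PR.AC-1", "DE.CM-7", "RS.RP-1",
              "GV.XX-1", "DM.XX-3", "id.gv-1x"]

if __name__ == "__main__":
    for name, fns in (("NIST CSF", NIST_CSF_FUNCTIONS), ("FSSCC", FSSCC_FUNCTIONS)):
        counts, rejected = tally_by_function(SAMPLE_IDS, fns)
        print(name, counts, "rejected:", rejected)
```

Running the same statement list against the five-Function and the seven-Function sets shows which statements only exist once the GV and DM domains are added, and flags malformed IDs before they reach the assessment workbook.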
Example Two: NIST CSF and the SRA
Another example of an industry-specific cybersecurity assessment tool is the Security Risk Assessment (SRA)[12] tool used by the Healthcare Sector to meet the Health Information Portability and Accountability Act (HIPAA) regulatory compliance requirements. The SRA is also NIST-CSF-based. It contains the original Functional domains and is embedded in NIST SP 800-53.[13] The NIST Privacy Framework,[14] which mirrors the NIST CSF, may also be used in conjunction with the SRA tool or the NIST CSF to develop a cybersecurity assessment tool tailored to any organization's needs.
Benefits of Integrating the NIST CSF and Any Current Framework
The benefits of integrating the NIST CSF with any current assessment framework will depend on the security levels of the final security posture the organization wants to achieve. A one-size-fits-all assessment tool may be impractical and costly for a smaller organization, inadequate for a larger company, or not detailed enough for a service-specific establishment. Incorporating the NIST CSF with a current framework provides an opportunity to tailor an assessment to meet the organization's particular cybersecurity compliance needs, which will be beneficial during an IT audit or a cybersecurity audit. It can also be beneficial to the overall implementation and improvement in the governance of a cybersecurity program.
A second benefit is that developing a cyber-assessment specific to the industry provides a more accurate evaluation of the organization's risks, threats, and vulnerabilities. Developing an integrated, tailored assessment may also help the organization better meet compliance objectives and avoid costly fines and fees. Developing an assessment based on the NIST CSF will reduce the manpower hours and costs normally associated with conducting an in-depth risk and controls maturity assessment.
Ultimately, the primary benefit of incorporating the NIST CSF into a current assessment process is that it affords the organization's stakeholders and C-level executives an opportunity to buy in to the overall security objectives that need to be addressed to build stronger cybersecurity defenses. This will establish a useful Roadmap towards identifying and mitigating threats and risk challenges to the organization.
References
1. The White House. (2013, February 12). Executive Order – Improving Critical Infrastructure Cybersecurity. The Office of the Press Secretary. Retrieved January 5, 2021, from: https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
2. CISA. (n.d.). Critical Infrastructure Sectors. Cybersecurity and Infrastructure Security Agency. Retrieved January 5, 2021, from: https://www.cisa.gov/critical-infrastructure-sectors
3. NIST. (n.d.). Alternate View: Appendix A – Framework Core Informative References. National Institute of Standards and Technology. Retrieved January 5, 2021, from: https://www.nist.gov/system/files/alternative-view-framework-core-021214.pdf
4. NIST. (2014, February 12). NIST Roadmap for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology. Retrieved January 5, 2021, from: https://www.nist.gov/system/files/roadmap-021214.pdf
5. NIST. (n.d.). NIST Cybersecurity Framework. Retrieved January 5, 2021, from: https://www.nist.gov/cyberframework/new-framework
6. ISACA. (2021). Control Objectives for Information and Related Technologies. Information Systems Audit and Control Association (ISACA). Retrieved January 5, 2021, from: https://www.isaca.org/resources/cobit
7. NIST. (2020, September). NIST Special Publication 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations. Joint Task Force. National Institute of Standards and Technology. Retrieved January 5, 2021, from: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
8. FFIEC. (2021). Information Security. FFIEC IT Examination Handbook InfoBase. Retrieved January 5, 2021, from: https://ithandbook.ffiec.gov/it-booklets/information-security.aspx
9. FFIEC. (2017, May). FFIEC Cybersecurity Assessment Tool. Retrieved January 5, 2021, from: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017.pdf
10. Cyber Risk Institute. (2020). The FSSCC Cybersecurity Profile: A NIST-based cybersecurity assessment approach – community banks. Retrieved January 5, 2021, from: https://cyberriskinstitute.org/fsscc-cybersecurity-profile-a-nist-based-cybersecurity-assessment-approach-community-banks/
11. Cyber Risk Institute. (2020). Financial Services Cybersecurity Profile: An overview and request for comment. Retrieved January 5, 2021, from: https://cyberriskinstitute.org/financial-services-cybersecurity-profile-an-overview-and-request-for-comment/
12. ONC. (2020). Security Risk Assessment Tool. Office of the National Coordinator for Health Information Technology, HealthIT.gov. Retrieved January 5, 2021, from: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
13. NIST. (2020, September). NIST Special Publication 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations. Joint Task Force. National Institute of Standards and Technology. Retrieved January 5, 2021, from: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
14. NIST. (2020, January). NIST Privacy Framework, Version 1.0. National Institute of Standards and Technology. Retrieved January 5, 2021, from: https://www.nist.gov/privacy-framework/privacy-framework