One of my observations about the NIST Cyber Security Framework (CSF) is that there isn’t much implementation guidance available. Only a few government agencies, like the Department of Energy, have published industry-specific implementation guidance for energy companies to follow.
Despite lots of cross-industry interest, the lack of implementation guidance will certainly impact the ability of companies to fully embrace the framework. Many companies don’t even know how to get started. Gartner estimates NIST CSF usage will grow from 20% to 50% of US companies by 2020. To achieve this, more implementation guidance will be necessary.
To complicate matters slightly, the CSF specifically states that: “The Framework complements, and does not replace, an organization’s risk management process and cyber security program.” This suggests that an organization needs to not only understand how to implement the CSF, but must also figure out how to marry it to a cyber risk management process, like the NIST Risk Management Framework (RMF).
A Complex Business Process, in Pictures
To help put the effort involved into perspective, the CSF document is approximately 40 pages long.
The NIST RMF references at least eight documents that collectively comprise well over 1,000 pages.
There is a lot to understand!
This is not intended to be a criticism of NIST frameworks. Indeed, these frameworks are world-class and internationally respected. Cyber risk management is a complex business process requiring extensive explanation and guidance. However, many companies do not have the time or expertise necessary to understand, implement, and operationalize such frameworks.
Operationalizing Complex Cyber Risk Management Frameworks
Telos’ Xacta IT GRC platform was specifically designed to ease the burden associated with operationalizing complex cyber risk management frameworks such as the RMF. Xacta has been deployed extensively by federal government and commercial organizations for more than 16 years. Many federal government agencies currently use Xacta to help quickly implement and operationalize complete RMF-based A&A programs, as well as to help agencies migrate from legacy DIACAP and NIACAP processes to the new RMF standard. Full transition to the RMF will be required by the end of 2018.
Xacta can also help government contractors comply with emerging federal government cyber security requirements such as NIST SP 800-171 for the protection of Controlled Unclassified Information, which can also build on the NIST RMF. 800-171 compliance will be required by December 2017. Many companies are currently scrambling to figure out how to comply.
For companies that have an existing ISO 27001 certification, Xacta will be able to help them ingest and automatically map ISO 27001 bodies-of-evidence to other control sets like 800-171. This is done via the NIST-developed crosswalk that has been embedded in our software. This automated mapping functionality will enable organizations to leverage an ISO 27001 body-of-evidence to quickly demonstrate compliance status against other control sets like 800-171 and 800-53, as required, with the push of a button.
Xacta is also being optimized to deliver seamless CSF/RMF integration. This will be very helpful for many organizations, especially those in critical infrastructure sectors that want to use both the CSF and the RMF to help manage cyber risk.
Telos helped write the book on cyber risk management (before it was called cyber risk management) in the late 1980s. This experience enabled us to operationalize cyber risk management practices using software and to play a significant role in establishing the IT GRC industry. We know how to implement complex cyber risk management frameworks. It’s what we do. All of this expertise is embodied in our flagship product, Xacta, which helps to ease the burden of implementing the frameworks needed to operationalize cyber risk management best practices and to quickly comply with a wide range of security standards.
Do you have time to read, understand, and implement more than 1,000 pages of cyber risk management guidance and instructions? Do you have time to read, understand, and implement emerging guidance for things like the CSF, new control sets, and standards as they are published? Why bother? Xacta does this for you. Contact us today, and let us ease the burden of compliance.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.