NIST offers several resources to help commercial enterprises prepare for threats and manage cyber risk.
Recent events like those connected with the Iranian conflict underscore the importance of active cyber risk management in commercial enterprises. It is not news that Iran is a capable and motivated cyber adversary, and these events should not have been the catalyst for understanding your cyber risk posture; this is something we should all have been actively managing already. In today's world, managing cyber risk should be as important to a business as managing cash.
That said, the problem with much of the advice in the official alerts and news briefs that followed is that you already needed a risk management strategy in place in order to act on it. "Adopting a state of heightened awareness," "confirming your reporting processes," and "exercising your incident response plans" are difficult or impossible to do if you have no inventory of what you are protecting, no defined reporting paths, and no written response plan to exercise. By the time trouble arrives, it is too late to build these.
The good news is there are a variety of resources available to help commercial organizations actively manage cyber risk. We believe that NIST offers some of the best resources for this in the world — and they are free. While NIST is often thought of as “the federal standards people,” their security controls and frameworks are equally valuable to the private sector – and some of their standards apply specifically to commercial and non-federal organizations.
Here is a look at just a few of the many NIST resources you should consider adopting to avoid being caught unprepared with each new crisis:
NIST Cybersecurity Framework (CSF). NIST developed the CSF under Executive Order 13636 to protect critical infrastructure such as utilities, manufacturers, and financial services, so it applies to the very kinds of enterprises that nation-state threat actors and their proxies are likely to come after. Its use by private organizations is voluntary, but with every new headline it becomes more obvious why the federal government felt it necessary to create a security framework specifically for critical infrastructure.
As a framework rather than a standard or regulation, it is flexible enough to meet you where you are and to map onto the control catalogs you are likely already following; the CSF's informative references point into ISO/IEC 27001, COBIT, and NIST SP 800-53, among others. It is also written in business language, appealing to the need to manage business risk and protect the organization rather than being a technical treatise strictly for IT personnel.
Organized into five primary functions (Identify, Protect, Detect, Respond, Recover), with categories and subcategories under each, the CSF covers the full spectrum of activities needed to ensure awareness of and action on cyber risk throughout the enterprise, from the server room to the boardroom. (The CSF 2.0 revision published in 2024 adds a sixth function, Govern, covering the oversight and accountability activities this post argues for.)
NIST SP 800-171. This is NIST's set of requirements for protecting controlled unclassified information (CUI) in non-federal systems and organizations. Organizations that should adopt it include virtually all federal systems integrators and defense contractors, many universities and think tanks, and any other private organization entrusted with the care of sensitive government information.
Its requirements are derived from the FIPS 200 security requirements and the NIST SP 800-53 moderate baseline, tailored to the CUI use case, so it is not as daunting as frameworks that make use of the full control catalog. But it provides evidence to senior executives and to any government agency you serve that you are a responsible custodian of their information. (And if you are a defense contractor handling covered defense information, DFARS clause 252.204-7012 requires you to implement NIST SP 800-171, so it is a condition of doing that business at all.)
NIST Risk Management Framework (RMF). The NIST RMF, defined in SP 800-37, consists of seven interrelated steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) that federal and defense agencies must follow to satisfy the requirements of the Federal Information Security Modernization Act, or FISMA. That said, NIST dropped the word "Federal" from the title of the latest revision of the RMF document to reflect that its process can be (and is) used by non-federal organizations such as commercial businesses and state and local governments.
One advantage of the RMF in commercial organizations is that federal security officials who move to the private sector are already familiar with its processes and respect its rigor and thoroughness. And while system owners in the private sector are not required by law to obtain and maintain an Authorization to Operate (ATO) the way federal agencies are, the concept of a formal process for granting operational approval, owned by the IT department or a risk management and compliance office, can be useful in sensitive industries such as financial services and healthcare.
The RMF has gotten a bad rap over the years as a "check the box" compliance activity that produces massive security assessments and related documents that are obsolete the moment they are finished. However, modern tools that automate and streamline the rote and repetitive parts of the RMF help to accelerate the process, and the Monitor step, done continuously rather than at reauthorization time, gives organizations ongoing assurance and current evidence that they are following sound security practices.
* * *
A popular proverb says, "The best time to plant a tree is 20 years ago. The second-best time is today." The current threat landscape makes it difficult to know when threats will escalate, so you need to manage cyber risk proactively and continuously. If you do not have a cyber risk strategy in place, we hope you will review and make plans to adopt one (or more!) of these frameworks and standards.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.