NIST Cybersecurity 101 - Tigsus

Page 1

NIST Cybersecurity

Making Sense of FISMA in the Private Sector

Page 2

© Copyright 2018 William L. Wells. All rights reserved.

Use and distribution of this slide deck is permitted for non-commercial use.

It may be presented or copied for use as professional education, as long as it is presented or copied in its entirety

and attribution is given to the author.

For-profit use requires explicit permission from the author: [email protected]

Page 3

About

By the end of this presentation you will:

• Understand the relationship between

– the NIST Cybersecurity Framework (CSF)

– the NIST Risk Management Framework (RMF)

– The NIST Catalog of Controls (SP800-53r4)

• Have a better sense of:

– what’s involved with adopting the NIST CSF

– what an “overlay” is in the context of CSF

– how to begin your own NIST CSF journey

Page 4

Special Note

It’s all about the terminology.

The CSF uses words that we, as auditors and security folks, are accustomed to using in reference to something different.

Page 5

OVERVIEW

The Moving Parts

Page 6

It Starts with FISMA

Federal Information Systems Management/Modernization Act of 2002/2014

• Federal Information Security Modernization Act of 2014

– Reaffirms the oversight authority of the Director of the Office of Management and Budget (OMB) for information security policies and practices.

– Gives the Secretary of Homeland Security (DHS) authority for the implementation of those policies and practices.

– Directs the Secretary to ensure that operational directives do not conflict with NIST standards.

– Provides for the use of automated tools for information security, including periodic risk assessments, testing security procedures, and detecting, reporting, and responding to security incidents.

Page 7

So, What Is NIST?

• National Institute of Standards and Technology

– Responsible for developing standards for information security

– Government agencies must follow NIST standards

– The private sector is encouraged to follow them as well

– Companies that receive Federal funds are often required to follow them

• State Departments of Education that receive Federal funds, for example, can trigger the requirement to follow NIST standards

Page 8

What Is the CSF?

• Cyber Security Framework (CSF)

– An outline that defines domains of information security

– Describes high-level requirements of a security program

– Created to provide a logical starting point for those wanting to get on the NIST CSF cyber-train

– Acts as a roadmap for putting a solid security program in place

– Consists of three parts: Framework Core, Implementation Tiers, and Framework Profiles

Page 9

What Is the RMF?

• Risk Management Framework

– NIST SP800-37r2 - Risk Management Framework for Information Systems and Organizations.

– Revision 2 (currently in draft) updates the RMF to align with the CSF

• Includes:

– a disciplined, structured, and flexible process for organizational asset valuation

– control selection, implementation, and assessment

– system and common control authorizations

– continuous monitoring.

Page 10

How Do They Relate?

Cybersecurity Framework

Risk Management Framework

NIST Controls Catalog

Page 11

THE NIST CSF

Let’s unpack it.

Page 12

The Output of CSF

The CSF is intended to produce a Framework Profile.

• The Profile represents the outcomes, based on business needs, that an organization has selected from the CSF Categories and Subcategories.

• The profile aligns the standards, guidelines, and practices to the Framework Core in a particular implementation scenario.

Page 13

The Output of CSF

• And it does so in the context of the Framework Implementation Tiers, which describe how the organization views cybersecurity risk and the processes in place to manage that risk.

• The Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the CSF.

Page 14

Framework Core

The Framework Core presents industry…

• standards

• guidelines

• practices

…in a manner that enables cybersecurity activities and outcomes to be communicated across the organization, from executive level to implementation and operations.

Page 15

Framework Core

It is an iterative process through five concurrent and continuous Functions to define Categories and Subcategories of cybersecurity outcomes:

• Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

• Protect – Develop and implement appropriate safeguards to ensure delivery of critical services.

• Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

• Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

• Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

Page 16

Categories and Subcategories

Categories

– In the world of information security and IT audit, we often refer to these as security control domains or control objectives.

– Examples:

• Identity Management and Access Control

• Asset Management

• Business Continuity

• Disaster Recovery

• Vulnerability Management

Page 17

Categories and Subcategories

Subcategories

– Again, we might call these the controls of each domain or control objective.

– For example:

• Subcategories of Identity Management and Access Control:

– Unique user ID

– Complex Passwords

– Authentication and Authorization

• Subcategories of Vulnerability Management:

– Vulnerability Scanning

– Patch Management

– Anti-virus and Malware Detection

Page 18

Implementation Tiers

The tiers describe the organization’s risk tolerance.

• Tier 1: Partial

• Tier 2: Risk Informed

• Tier 3: Repeatable

• Tier 4: Adaptive

It might not be intuitive, but Tier 1 could be a valid tier!

Page 19

Implementation Tiers

Tier 1: Partial

• Risk management practices are not formalized, often ad-hoc and reactive.

• Limited awareness of cybersecurity risk at the organization level and risks are dealt with on a case-by-case basis.

• Generally, the organization does not understand how a cyber security risk can impact its customers or be impacted by its suppliers.

Page 20

Implementation Tiers

Tier 2: Risk Informed

• Risk management practices are approved by management but may not be established as organization-wide policy.

• There is an awareness of cybersecurity risk at the organizational level, but an organization-wide approach to managing cybersecurity risk has not been established. The focus is on specific organizational objectives or missions.

• Generally, the organization understands how a cyber security risk can impact its customers or be impacted by its suppliers, but not both.

Page 21

Implementation Tiers

Tier 3: Repeatable

• Organization-wide risk management practices are formally approved, expressed as risk-informed policies, processes, and procedures, and regularly updated.

• Consistent methods are in place to respond effectively to changes in risk.

• The organization understands how a risk can impact its customers or be impacted by its suppliers, and may contribute to the community’s broader understanding of risks.

Page 22

Implementation Tiers

Tier 4: Adaptive

• Security practices are adapted based on past and current activities, including lessons learned and predictive indicators.

• Cybersecurity risk and organizational objectives are clearly understood and considered when making decisions.

• Senior executives monitor security risk the same as financial and organizational risk.

• The organization understands 3rd party security risks and might contribute to the community’s broader understanding of risks.

• It receives, generates, and reviews prioritized information that informs continuous analysis of its risks as the threat and technology landscapes evolve.

Page 23

Implementation Tiers

• The Implementation Tier is determined during the initial scoping phase.

• Tiers are intended to support organizational decision making about how to manage cybersecurity risk, as well as which dimensions of the organization are higher priority and should receive additional resources.

• Progression to higher Tiers is encouraged when a cost-benefit analysis indicates a feasible and cost-effective reduction of cybersecurity risk.

• Read: Tier progression is not arbitrarily mandated.

Page 24

The Framework Profile

The Framework Profile is the alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization.

A Profile enables organizations to establish a roadmap for reducing cybersecurity risk that:

• is well aligned with organizational and sector goals

• considers legal/regulatory requirements and industry best practices

• reflects risk management priorities

Page 25

Let’s Pause and Review

• FISMA literally “laid down the law” to require information security for Federal agencies.

• NIST defined the controls and organized them into a catalog.

• CSF defined an information security framework to serve as a guide for developing a security program.

• RMF defined a risk management framework to serve as a guide for identifying, quantifying, and prioritizing risks.

Page 26

Let’s Pause and Review

Using the CSF…

• IDENTIFY: Understand the organization—its critical systems, people, assets, data, and capabilities.

– Categories include: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy…and others.

• PROTECT: Develop and implement safeguards to ensure delivery of critical services.

– Categories include: Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology…

Page 27

Let’s Pause and Review

Using the CSF (cont’d)…

• DETECT: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

– Categories include: Anomalies and Events, Security Continuous Monitoring, Detection Processes…and others.

• RESPOND: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

– Categories include: Response Planning, Communications, Analysis, Mitigation, Improvements…and others.

Page 28

Let’s Pause and Review

Using the CSF (cont’d)…

• RECOVER: Develop and implement activities to maintain business continuity and disaster recovery.

– Categories include: Recovery Planning, Business Continuity Planning, Plan Improvements, Communications…and others.

Page 29

To say it differently…

The CSF provides the framework for defining the set of risk categories (control objectives).

The categories are further refined by risk subcategories (controls).

Page 30

Appendix A

The CSF .pdf contains the detailed descriptions and processes for applying the information in the document’s appendices. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Appendix A contains the Framework Core

It is a listing of Functions, Categories, Subcategories, and Informative References that describe specific cybersecurity activities that are common across all critical infrastructure sectors.

Page 31

The Framework Core

Appendix A (excerpt)

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Page 32

The Framework Core

Appendix A (excerpt)

Page 33

THE RMF

Wait! What about…

Page 34

Remember this slide?

Cybersecurity Framework

Risk Management Framework

NIST Controls Catalog

High-Level Objectives

Detailed Risk Mgmt Plan

Selected and Tailored Controls

Page 35

Overview of the RMF

• Chapter 1 – Describes the purpose and applicability, as well as the target audience for the RMF.

• Chapter 2 – Describes risk management concepts for system-related security and privacy risk; promotes an organization-wide view of risk management.

• Chapter 3 – Describes the tasks required to implement the RMF at both the organization level and the information system level.

Page 36

It’s Worth Studying

There is a lot baked into this over-simplified graphic.

Page 37

From an RMF Perspective…

The RMF places considerable importance on the first two layers of the model: organizational risk and business process risk.

From an RMF perspective, the right controls cannot be selected for any given system-level risk without first working through the tasks associated with the first two layers.

Page 38

System-Level Risk

In contrast to the Level 1 and 2 activities that prepare the organization for the execution of the RMF, Level 3 addresses risk from an information system perspective and is guided and informed by the risk decisions at the organization and mission/business process levels.

System security and privacy requirements are satisfied by the selection and implementation of controls from NIST Special Publication 800-53 revision 4 (SP800-53r4).

Page 39

Privacy Risk

In 2016, the OMB revised the requirements for Federal agencies and mandated the inclusion of privacy risk management.

A new appendix was added to NIST SP800-53r4, Appendix J: Privacy Control Catalog.

Page 40

Organizational Decision Flows

Page 41

Six and a Prep

Page 42

Six and a Prep

• Prepare to execute the RMF from an organization-level and a system-level perspective by considering a variety of inputs and carrying out specific activities that establish the context for managing security and privacy risk for the system-of-interest.

• Categorize the system and the information processed, stored, and transmitted by the system based on a security impact analysis.

• Select an initial set of controls for the system and tailor the controls as needed based on an organizational assessment of risk and local conditions.

• Implement the controls and describe how the controls are employed within the system and its environment of operation.

Page 43

Six and a Prep

• Assess the controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and satisfying security and privacy policy.

• Authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the Nation is acceptable.

• Monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.

Page 44

Authorization Boundary

Page 45

RMF: Appendix E

Appendix E of the RMF provides a summary of:

• Tasks

• Responsibilities

• Supporting Roles

…and is constructed with convenient links to the parts of the document that discuss them in detail.

Page 46

THE NIST CATALOG

Wait! What about…

Page 47

The NIST Catalog

Security and Privacy Controls for Federal Systems and Organizations

otherwise known as

SP800-53r4

Page 48

Dependencies

SP800-53r4 (“800-53”) depends on the upstream work embodied in the CSF and RMF, as well as the use of:

• FIPS 199 – Standards for Security Categorization of Federal Information and Information Systems

• FIPS 200 – Minimum Security Requirements for Federal Information and Information Systems

Page 49

FIPS 199

Potential Impact definitions of:

• Low

• Moderate

• High

For each security objective:

• Confidentiality

• Integrity

• Availability

Page 50

FIPS 200

Defines minimum information security requirements over 17 domains:

• Access Controls (AC)

• Awareness and Training (AT)

• Audit and Accountability (AU)

• Certification, Accreditation, and Security Assessments (CA)

• Configuration Management (CM)

• Contingency Planning (CP)

• Identification and Authorization (IA)

• Incident Response (IR)

• Maintenance (MA)

• Media Protection (MP)

• Physical and Environmental Protection (PE)

• Planning (PL)

• Personnel Security (PS)

• Risk Assessment (RA)

• System and Services Acquisition (SA)

• System and Communications Protection (SC)

• System and Information Integrity (SI)

Page 51

Control Selection

Within 800-53 there exists a table that lists the minimum set of controls required for each security impact level of a given dataset or system. Appendix D provides a summary of Security Control Baselines for each impact level (Low, Moderate, High) and assigns a priority code to assist in determining which controls should be implemented ahead of others.
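As an added example that is not part of the slide deck, the following Python models the path from FIPS 199 categorization (one potential-impact level per security objective, aggregated across the information types a system handles, with the overall level taken as the high-water mark per FIPS 200) to the baseline selection described above. The control IDs and priority codes in the table are a constructed fragment in the shape of Appendix D, not the published allocation, and all function and variable names are assumptions.

```python
"""Added example (not from the slide deck): FIPS 199 categorization feeding
SP800-53r4 baseline selection. Control IDs and priority codes in the table
below are a constructed Appendix D-style fragment, not the published table."""
from __future__ import annotations

from dataclasses import dataclass

# FIPS 199 potential-impact levels, ranked so the maximum is the high-water mark.
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class SecurityCategory:
    """FIPS 199 security category: one impact level per security objective."""
    confidentiality: str
    integrity: str
    availability: str


def high_water_mark(*levels: str) -> str:
    """Return the highest of the given impact levels (the FIPS 200 'high water mark')."""
    for level in levels:
        if level not in IMPACT_RANK:
            raise ValueError(f"unknown impact level: {level!r}")
    return max(levels, key=IMPACT_RANK.__getitem__)


def categorize_system(info_types: dict[str, SecurityCategory]) -> SecurityCategory:
    """Aggregate the categories of the information types a system processes.

    FIPS 199 takes, for each security objective, the maximum across all
    information types, so a single high-impact type lifts the whole objective."""
    cats = list(info_types.values())
    if not cats:
        raise ValueError("a system must process at least one information type")
    return SecurityCategory(
        confidentiality=high_water_mark(*(c.confidentiality for c in cats)),
        integrity=high_water_mark(*(c.integrity for c in cats)),
        availability=high_water_mark(*(c.availability for c in cats)),
    )


def baseline_level(cat: SecurityCategory) -> str:
    """FIPS 200: the system's overall impact level is the high-water mark across
    confidentiality, integrity and availability; it picks the Low/Moderate/High baseline."""
    return high_water_mark(cat.confidentiality, cat.integrity, cat.availability)


# Constructed Appendix D-style table: control ID -> (priority code, lowest baseline
# that includes it). Illustrative only; SP800-53r4 Appendix D holds the real allocation.
CONSTRUCTED_BASELINE_TABLE = {
    "AC-1": ("P1", "low"),
    "AC-2": ("P1", "low"),
    "AC-2(1)": ("P1", "moderate"),
    "AU-2": ("P1", "low"),
    "AU-10": ("P2", "high"),
    "CM-2": ("P1", "low"),
    "CM-2(1)": ("P1", "moderate"),
    "IR-4": ("P1", "low"),
    "IR-4(4)": ("P1", "high"),
    "RA-3": ("P1", "low"),
    "SC-7": ("P1", "low"),
    "SC-7(3)": ("P1", "moderate"),
}


def select_baseline(level: str, table: dict = CONSTRUCTED_BASELINE_TABLE) -> list[str]:
    """Initial control set for a baseline: every control whose lowest baseline is at or
    below `level` (r4 baselines are cumulative), ordered by priority code (P1 first)
    and then by control ID, i.e. the implementation order the priority codes suggest."""
    if level not in IMPACT_RANK:
        raise ValueError(f"unknown impact level: {level!r}")
    chosen = [cid for cid, (_, lowest) in table.items()
              if IMPACT_RANK[lowest] <= IMPACT_RANK[level]]
    return sorted(chosen, key=lambda cid: (table[cid][0], cid))


def demo() -> tuple[SecurityCategory, str, list[str]]:
    """Constructed scenario: a payroll system handling two information types."""
    info_types = {
        "employee PII": SecurityCategory("moderate", "moderate", "low"),
        "payroll schedule": SecurityCategory("low", "moderate", "moderate"),
    }
    cat = categorize_system(info_types)      # -> moderate / moderate / moderate
    level = baseline_level(cat)              # -> "moderate"
    return cat, level, select_baseline(level)


if __name__ == "__main__":
    category, level, controls = demo()
    print(f"system category: {category}\nbaseline: {level}\ncontrols: {controls}")
```

Tailoring (adding, removing or scoping controls for local conditions) happens after this initial selection and is not modelled here.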

Page 52

Security Baseline

Appendix D (excerpt)

Page 53

Appendix F: The Catalog

Appendix F of 800-53 contains a full listing of the controls in the catalog.

Each control has the following sections, as seen in the example on the right:

• Control

• Supplemental Guidance

• Control Enhancements

• References

• Priority and Baseline Allocation

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Page 54

NIST SP800-53r4

• Revision 4 added the concept of “overlays”

• An overlay is a set of selected controls that can be applied as a common set of controls to a particular risk subject.

• FedRAMP is an example of an overlay.

• FedRAMP is the set of controls from the 800-53 catalog that is applicable to cloud-based systems and services.

Page 55

NIST SP800-53r4

• 462 pages

• 3 chapters

• Loaded with appendices

• Appendix D provides the Security Baselines

• Appendix F provides the Security Controls Catalog

• Appendix J provides the Privacy Controls Catalog

Page 56

PUTTING IT ALL TOGETHER

Okay. Um…now what?

Page 57

Recommended Next Steps

• Start with the CSF and give it a close read.

• Next, read through the RMF to get a good sense of the context and the extent of its coverage for each tier.

• Read FIPS 199 and FIPS 200. Compared to the two above, they are quick reads. ;)

• Read SP800-53r4. Don’t be put off by the number of pages. Most of it is appendices.

Page 58

Questions?