Putting the NIST Cybersecurity Framework to Work

Cohesive Networks
Cybersecurity War Stories
4 min read, Jul 17, 2015


Using the NIST Framework to guide best practices for security audits, compliance, and communication.

Dwight Koop, COO of Cohesive Networks

Unlike the millions of other standards out there, the NIST Cybersecurity Framework combines the best of existing rules, assessments, regulations and guidelines into a new type of cybersecurity reference guide. While it was created for critical infrastructure — transportation, oil and gas, defense, and so on — the standard is applicable to most organizations. The NIST Framework is easy to apply, once you dig through it.

An emerging SaaS company focused on the energy sector recently sought our expertise in NIST Cybersecurity Framework and compliance. Our client was facing an increasing stream of requests for documentation, certifications, and penetration test results from their customers. The client wanted to answer each request for security information with a consistent package of responses.

Cohesive’s primary role was to advise the customer on their security policies before and after the audits. As a provider of VNS3 firewall virtual machines, we can also help the customer manage and secure their network. By leveraging Cohesive’s experience with cross-mapping between frameworks, our SaaS client was able to use the NIST Framework as a unifying process. Their internal teams used NIST as a guide to update their risk-management approach to defense in depth and as a roadmap for repeatable reports to customers.

Step one

The first step in the process was to identify a short list of security standards with specific recommendations for reaching an adaptive implementation level (or maturity level). For this client, we needed to find the most useful tools for identifying the desired cybersecurity profile. In order to find any gaps in the company’s current profile, we recommended using the following guidelines:

  • DOE C2M2 Self-Assessment
  • CERT Self-Service CRR
  • PCI Self-Assessment

These three guidelines provide cybersecurity questionnaires and self-evaluation tools that streamline the first three steps of the NIST implementation process. Taken together, these three are an exhaustive compilation of the requirements that are identified across the much larger universe of cybersecurity frameworks and standards for each of the NIST function subcategories.

In preparation for the second step, we reorganized each of the specific questions in the DOE C2M2 Self-Assessment, CERT Self-Service CRR, and PCI Self-Assessment into the Functional Categories and Subcategories found in the NIST Framework.

Step two

We worked with each of the client’s application owners (including representation from both the IT organization and business units) to address each set of questions. By staying focused on answering each specific and prescriptive question, the process moved quickly with considerably less discussion. For each question, the current and target responses were tabulated into 5 categories:

Cyber Security Program Requirements
A. Policy, Procedures, & Organizational Documents
B. Registries (Database Tables of Current and Historical Cyber Security Records)
C. Logs (Database Tables of Cybersecurity Events, Changes, etc.)
D. Incident Case History Reports and Analytics
E. Gap Analysis, Budget, and Improvement Plan Documents

Any gaps?

By consolidating current and target profiles into the same discussion at the detail level, any gaps can become clear to the team. We were able to document and discuss action plans as issues arose, simplifying and shortening the process.
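An added illustration of the consolidation step described above (example code, not Cohesive’s or the client’s tooling): questionnaire items from the three self-assessments are cross-mapped to NIST CSF subcategories, rolled up into one current/target profile per subcategory, and the gaps are listed by Function. The mapping, questions and tier values are constructed for the example; subcategory IDs follow the NIST CSF v1.0 naming.

```python
from collections import defaultdict

# Constructed sample: one row per questionnaire item, each cross-mapped
# (an assumption for this example) to a NIST CSF subcategory, with the
# application owner's current and target implementation tier
# (1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive).
ITEMS = [
    {"source": "PCI",  "subcat": "PR.AC-5", "q": "Is the application network segmented?",      "current": 2, "target": 4},
    {"source": "C2M2", "subcat": "PR.AC-5", "q": "Are network boundaries documented?",         "current": 1, "target": 4},
    {"source": "CRR",  "subcat": "DE.CM-1", "q": "Is network traffic monitored for events?",   "current": 3, "target": 3},
    {"source": "PCI",  "subcat": "PR.IP-1", "q": "Are firewall rule changes tracked?",         "current": 2, "target": 3},
    {"source": "C2M2", "subcat": "RS.AN-1", "q": "Are alerts investigated and reported?",      "current": 2, "target": 4},
]

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


def consolidate(items):
    """Merge every item that maps to the same subcategory into one profile row.

    Current tier = weakest answer from any questionnaire (a gap found by one
    assessment is still a gap); target tier = the most ambitious target.
    """
    rows = {}
    for it in items:
        row = rows.setdefault(it["subcat"],
                              {"current": 4, "target": 1, "sources": set()})
        row["current"] = min(row["current"], it["current"])
        row["target"] = max(row["target"], it["target"])
        row["sources"].add(it["source"])
    return rows


def gap_report(items):
    """Return {Function: [gap rows]} keeping only subcategories below target,
    largest gap first, with the questionnaires that surfaced each gap."""
    report = defaultdict(list)
    for subcat, row in consolidate(items).items():
        gap = row["target"] - row["current"]
        if gap > 0:
            func = FUNCTIONS[subcat.split(".")[0]]
            report[func].append({"subcat": subcat, "gap": gap,
                                 "current": row["current"],
                                 "target": row["target"],
                                 "sources": sorted(row["sources"])})
    for rows in report.values():
        rows.sort(key=lambda r: -r["gap"])
    return dict(report)


if __name__ == "__main__":
    for func, rows in gap_report(ITEMS).items():
        print(func, rows)
```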

In this particular case, application owners shared a preconceived notion that PCI requirements did not apply since the client did not handle credit card information. In practice, and like the other assessment tools, the PCI Self-Assessment Questions deal with the common cybersecurity concerns of any company:

  • Network Segmentation
  • Firewall Configuration Tracking
  • Access and Change Monitoring
  • Network Segment Traffic Flow Analytics
  • Packet Inspection & Intrusion Detection
  • Alert Reporting and Response Process

Step three

The third step in the process was to create a “Cybersecurity Risk Management & Network Operations Manual” for each of our client’s application teams. At this step, the value of distributing accountability for cybersecurity to the application owners becomes clear. Viewing the enterprise in totality results in confounding complexity.

For example, firewall access rules are usually very wide to include as many applications as possible inside the corporate network. Yet, when we applied rules to each server running a specific application suite, firewall access rules could become very narrow and specific.

Step four

The fourth and final step in the process was to convene the enterprise IT teams responsible for network administration, release control, and infrastructure change control to consolidate the manuals from each team.

Outcome/Results

The SaaS company was able to use the NIST Cybersecurity Framework as a map to the compliance areas that matter most to their organization. This approach to applying the NIST Framework helped them achieve cost savings and process simplicity.

With this holistic knowledge as a guide to the individual standards, and by delegating the process and focusing on the security of individual application sets, the company was able to respond to each request for security information with a consistent package of answers. Since our work, the client has used this approach for penetration tests and compliance auditing. At the time of publication, the audits were pending, but the client has passed initial tests.

Subscribe to the Cybersecurity War Stories publication on Medium to get more from me and other IT security professionals in the trenches.
