Discover what makes the NIST Cybersecurity Framework (CSF) pivotal for both public and private institutions seeking robust cybersecurity solutions with this comprehensive guide to implementing the CSF, updated to cover the latest release, version 2.0.
This book will get you acquainted with the framework’s history, fundamentals, and functions, including governance, protection, detection, response, and recovery. You’ll also explore risk management processes, policy development, and the implementation of standards and procedures. Through detailed case studies and success stories, you’ll find out about all of the practical applications of the framework in various organizations and be guided through key topics such as supply chain risk management, continuous monitoring, incident response, and recovery planning. You’ll see how the NIST framework enables you to identify and reduce cyber risk by locating it and developing project plans to either mitigate, accept, transfer, or reject the risk.
By the end of this book, you’ll have developed the skills needed to strengthen your organization’s cybersecurity defenses by measuring its cybersecurity program, building a strategic roadmap, and aligning the business with best practices.
Page count: 329
Year of publication: 2024
Unveiling NIST Cybersecurity Framework 2.0
Secure your organization with the practical applications of CSF
Jason Brown
Copyright © 2024 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Dhruv J. Kataria
Publishing Product Manager: Neha Sharma
Book Project Manager: Uma Devi Lakshmikanth
Senior Editor: Sujata Tripathi
Technical Editor: Nithik Cheruvakodan
Copy Editor: Safis Editing
Proofreader: Sujata Tripathi
Indexer: Subalakshmi Govindhan
Production Designer: Gokul Raj S.T
DevRel Marketing Coordinator: Marylou D’mello
Business Development Executive: Shruthi Shetty
First published: December 2024
Production reference:1180924
Published by Packt Publishing Ltd.
Grosvenor House
11 St Paul’s Square
Birmingham
B3 1RB, UK
ISBN 978-1-83546-307-9
www.packtpub.com
To my wife and daughter – words cannot express the love I have for both of you. I am so thankful to have you in my life. I love you both very much.
– Jason Brown
Jason Brown’s passions are data privacy, cybersecurity, and continuing education. Brown has spent his career working with small- to medium-sized businesses and large international organizations, developing robust privacy and cybersecurity programs. Brown has held titles such as chief information security officer, virtual chief information security officer, and data privacy officer.
Brown currently holds many industry-leading certifications, including ISC2’s CISSP, ISACA’s CDPSE and COBIT, and ITIL, and he also holds a bachelor of science degree from Central Michigan University and a master of science degree from Ferris State University.
I want to thank everyone for encouraging me to follow my dreams and allowing me to share my experiences with the world.
Soufiane Adil is a distinguished information security and cybersecurity compliance expert, specializing in an extensive range of standards, including ISO 27001, ISO 31000, ISO 22301, PCI-DSS, ISO 42001, ISO 21434, NIST 800-171, CMMC, NIST 800-53, HIPAA, PIPEDA, SOC2, FedRamp, CIS, GDPR, and Law/Loi 25. With a proven track record of guiding enterprises through the complexities of cybersecurity frameworks, Soufiane ensures that organizations achieve and maintain rigorous compliance standards. His strategic approach not only addresses regulatory requirements but also enhances the overall security posture of organizations, making him a trusted advisor in the field of cybersecurity compliance.
Thomas Marsland is a cybersecurity leader with a focus on designing systems and processes that embrace security from the ground up while protecting scalability and minimizing technical debt. He enjoys working on problems in operations and technology, delivering value to organizations with a mission-focused mindset. A 22-year veteran of the United States Navy, his work history includes nuclear power, information technology, cybersecurity, and executive leadership in cybersecurity and information technology, including for the US Navy and as the VP of technology at Cloud Range. In his spare time, he leads VetSec, a 501(c)(3) nonprofit with the mission to “create a world where no veteran pursuing a career goes unemployed.”
Rajat Dubey, a cybersecurity expert with 13+ years of experience, safeguards global enterprises. His expertise is risk assessment, compliance, threat modeling, incident response, ethical hacking, digital forensics, cloud security, AI, blockchain, IoT, and quantum computing. He has an MEng in Cybersecurity Policy and Compliance from GWU, USA, and an MBA from Rotman UoT. He works with Fortune 500 clients across industries. He is a senior member of IEEE and a fellow of CSA. He publishes research papers, articles and peer-reviewed books. He is a trusted advisor, navigating complex challenges and developing innovative solutions.
As cybersecurity continuously evolves, so too do your adversaries. The tactics and techniques they use today may not be the same that they use tomorrow. Would you know how to fend them off or respond to an incident if one were to occur? Frameworks are developed by industry experts to help you and your team align a cybersecurity program with a given standard.
This book will take you step by step through building out various aspects of your program. From identifying devices plugged into your network to establishing governance, and how to respond to an incident, a framework is meant to provide guidance for how to build these programs for your organization.
This book is meant for those who are new to cybersecurity or who have never worked with the NIST Cybersecurity Framework before.
Chapter 1, Introduction to Cybersecurity Frameworks, will discuss what a framework is.
Chapter 2, NIST Cybersecurity Framework Fundamentals, will talk about the NIST Cybersecurity Framework and why you should use it.
Chapter 3, Govern, will review why governance is so important to a cybersecurity program.
Chapter 4, Identify, will highlight why you cannot protect what you cannot see, which is why identifying hardware and software is a key component of your program.
Chapter 5, Protect, will talk about protecting your environment and the sensitive data that resides in it, now that we have identified everything in our environment.
Chapter 6, Detect, will discuss how most IT resources generate logs for events. You must have a game plan for what you do with those logs and where they are placed.
Chapter 7, Respond, will teach how to respond to an incident when one occurs.
Chapter 8, Recover, will discuss best practices for recovering your IT resources after an incident has occurred.
Chapter 9, How to Deal with Cyber Risk, will explain how to reduce cyber risk throughout your organization.
Chapter 10, Policies, Standards, and Procedures, will talk about how policies need structure, help you to develop an easy-to-use method for creating policies, standards, and procedures, and discuss how they are arranged.
Chapter 11, Assessment, will give an overview of how to perform an assessment to better understand your current state, whether you are by yourself or you have a team of auditors.
There are no technical requirements to get the most out of the book. You should have basic knowledge and understanding of IT and networking concepts.
Conventions used
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “If we were to change the contents of the file to, This is a hashed file!, the new results would be: 10b481d359a851de7efb58b1cc4f0b237014e37be60936ae22da52ac10eb7388.”
Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “Even though you know you have to click the Next button 10 times to install a piece of software, state that.”
Tips or important notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you’ve read Unveiling NIST Cybersecurity Framework 2.0, we’d love to hear your thoughts! Please go to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don’t stop there: you can also get exclusive access to discounts, newsletters, and great free content in your inbox daily.
Follow these simple steps to get the benefits:
Scan the QR code or visit the link below: https://packt.link/free-ebook/978-1-83546-307-9
Submit your proof of purchase
That’s it! We’ll send your free PDF and other benefits to your email directly.
To make progress in your cybersecurity journey, you need to align your program against a set of best practices. Frameworks are developed by industry leaders who come from different technological backgrounds. The NIST Cybersecurity Framework is no different: it was developed by NIST, an agency of the US federal government, with input from industry and other stakeholders. In this section, we will discuss the reasons for its development and the need to align your program with it.
This part has the following chapters:
Chapter 1, Introduction to Cybersecurity Frameworks
Chapter 2, NIST Cybersecurity Framework Fundamentals
In this book, we take a deep dive into a framework developed by the National Institute of Standards and Technology (NIST) called the Cybersecurity Framework (CSF). This framework was originally developed to better protect critical infrastructure organizations from threats, identify and handle information technology (IT) risks, and build resiliency into your IT and cybersecurity program.
In this chapter, we will take a look at the following topics:
What is a framework?
Why the NIST CSF?
The history behind the NIST CSF
Comparing the CSF to other frameworks
NIST CSF success stories
There are many ways to get a cybersecurity program off the ground, but where should you start? This can be intimidating to many IT professionals, as cybersecurity has its own language. Frameworks are developed to assist organizations with this endeavor. A framework is used to align a program with best practices. It can also be a set of requirements that must be implemented to perform a particular function.
Frameworks do not necessarily tell you how to implement a particular control, only that you should have it in place. For instance, a framework may state that you should implement multi-factor authentication (MFA); however, it may not state how or where to implement it. The framework may state that you ensure proper auditing and logging is configured, but not state how to do it or how long you should keep the logs.
A framework is a document used to help the organization implement best practices. You, or the head of security, may decide that you do not intend to implement a control or a family of controls. That is perfectly fine; however, you must decide the level of risk you and the organization are willing to accept by not implementing a particular control or a control family. More on cybersecurity risk in Chapter 9.
Organizations such as the International Organization for Standardization (ISO) have produced frameworks to align organizations with cybersecurity best practices. ISO 27001/27002 are standards used by many international organizations to align themselves to cybersecurity best practices. Governments have also created cybersecurity standards used to protect them from adversaries who intend to do harm.
NIST is an agency within the US federal government that has been directed to create several standards and frameworks, including frameworks for cybersecurity. Australia has the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), and Canada has the Canadian Centre for Cyber Security. Each of these government institutions has developed its own cybersecurity guidance. There are also plenty of frameworks that stem from regulatory requirements. While they too align with best practices, they are not optional: if they apply to you, you must use them. For example, the healthcare industry must abide by the Health Insurance Portability and Accountability Act (HIPAA). If you take credit cards for payment purposes, then the Payment Card Industry Data Security Standard (PCI DSS) applies to you. If you do not have to align with regulatory requirements, then there is no right or wrong framework to choose. However, you must first understand your business objectives and then choose a framework.
As you review which framework or frameworks you want to choose for your organization, you must understand the business objectives. This means that even though you chose a particular framework to implement, it could be quite possible that the business has requirements imposed on it. Those organizations are required to implement additional controls on top of what they already have in place.
For example, your organization has decided it wants to implement ISO 27001 because it is an international company. This is the baseline standard that has been chosen for your organization. The organization has also decided that it wants to process, store, and transmit credit card numbers, as it sells products both in person and online. This requires the organization to become compliant with PCI DSS as well, yet another framework. The organization also conducts business in the European Union (EU), which carries the requirement of the General Data Protection Regulation (GDPR). GDPR dictates how organizations may process, store, and transmit the personal data of individuals in the EU, including personally identifiable information (PII).
Maybe your organization performs work with the US federal government. Under the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, there are requirements that must be followed, which are set out in NIST Special Publication (SP) 800-171. It may also require that any Software-as-a-Service (SaaS) application used as part of the government program be hosted in a highly regulated environment such as one authorized under the Federal Risk and Authorization Management Program (FedRAMP).
You are now probably saying to yourself, “This is great and all, but how does NIST fit into this picture?”
Why not dive right in?
The NIST CSF is a good cybersecurity framework to start with. It was written to help organizations considered critical infrastructure implement cybersecurity controls, and it is free to download and use (if you are a US taxpayer, your tax dollars already paid for its development).
Though it was originally written for critical infrastructure businesses, the NIST CSF 2.0 is meant to be easily adopted by small, medium-sized, and large organizations alike. The framework was written so that it can be customized when implemented. As you will see later in this chapter, organizations that adopted other frameworks migrated to the CSF because those frameworks proved hard to implement.
As mentioned, the CSF is a framework that is easy to understand, easy to maintain, and easy to score and show progress of how your cybersecurity program is maturing. It also sets you and your organization up for success if and when you decide to adopt another framework such as NIST’s SP 800-53, the Center for Internet Security Critical Security Controls (CIS Controls), Control Objectives for Information and Related Technologies (COBIT), and ISO 27001.
The NIST CSF 2.0 is broken down into six main core functions:
Govern
Identify
Protect
Detect
Respond
Recover
These six functions, explained in more detail in Chapter 2, are further broken down into categories and subcategories. Each function represents a common theme or family of outcomes used to protect the organization or build resiliency into the program. As an example, the Identify function has the following categories:
Asset Management
Risk Assessment
Improvement
Each of these categories is further broken down into subcategories, the specific outcomes that should be achieved.
The 2000s and 2010s were a mess for IT and cybersecurity. Implementing a formal cybersecurity program was far from most people’s minds, but the idea started to grow. During the 2000s, we had worms such as SQL Slammer, Code Red, Blaster, and Conficker, to name a few. This self-propagating malware wreaked havoc across many organizations, governments, and higher education institutions. When the 2010s came around, we had Stuxnet and Flame. Then, in 2013, we began to see ransomware take hold with CryptoLocker.
Due to businesses being hit by malicious payloads, and many not knowing what to do or how to protect themselves, the Obama administration stepped in. In February 2013, the president signed Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” directing NIST to develop a framework for cybersecurity. Version 1.0 of the CSF followed in February 2014.
The early version of the CSF was aimed specifically at those who own and operate critical infrastructure. Though the framework was, and still is, voluntary, sectors such as the following are what the US considers critical to its operations:
Agriculture
Education
Water
Public health
Transportation
Electricity
Security services
Telecommunications
Banking and finance
These are just a few of the types of organizations that are considered crucial under the critical infrastructure protection program.
Version 1.1 came out 4 years later with several improvements. A few of the improvements included the following:
Clarification of controls and terms
A new section on performing risk self-assessments
Refined requirements around identity, credentialing, and access management
Version 2.0 was released in February 2024. The new version kept the original five functions (Identify, Protect, Detect, Respond, and Recover) and introduced a sixth: Govern. Govern is meant to build governance into the cybersecurity program across the organization, tie it to enterprise risk management (ERM), and put a stronger emphasis on cybersecurity supply chain risk management.
As mentioned previously, there are several different cybersecurity frameworks to choose from. Each category and subcategory in the NIST CSF is mapped to other frameworks as well: there is an informative reference that correlates to every subcategory. Why is that important?
Maybe you received an inquiry about how you and your organization have implemented its security controls. The inquiry is based on ISO or SP 800-53, but wait a minute – you are using the CSF; how can those match up?
There is a matrix for each control and how that aligns with other frameworks. This is to assist in answering questions regarding the CSF as compared with other frameworks. It is also meant to assist you if you decide to adopt a different framework. The point is, if you start off with the CSF and decide to jump to another one, all is not lost. I am not, by any means, saying that you should start with the CSF and then naturally jump to a different framework. You can utilize the NIST CSF for all or a majority of the organization or partially implement the framework in the organization.
Business objectives do change, and with that, so do the cybersecurity controls that you implement. Let’s take a look at the other frameworks referenced in the NIST CSF.
There have been several iterations of the CIS Controls. They were originally developed by the SANS Institute; however, they are now maintained by CIS. CIS has maintained the list for several years, changing the control families over time based on feedback from industry practitioners. The list is ordered from most to least important. Implementation groups (IGs), introduced in version 7.1 and carried into version 8, define which safeguards to implement based on the resources and risk profile an organization has.
CIS has also slimmed down the CIS Controls from 20 to 18. The 18 controls are as follows:
1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protection
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skill Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing
The framework lists the controls from most to least important. This means that an organization should first review its current processes for the discovery and documentation of IT resources within the environment. Quite honestly, if an organization performs a penetration test prior to the implementation of the other controls, it is wasting time, money, and effort. A penetration test at the stage of getting your cybersecurity program going will provide you with information that you already know.
COBIT 5 is built on five principles for the governance and management of enterprise IT:
Meeting Stakeholder Needs
Covering the Enterprise End to End
Applying a Single, Integrated Framework
Enabling a Holistic Approach
Separating Governance from Management
COBIT is an enterprise governance and management framework for IT. The framework takes you through how to plan the program and execute those plans. Then, you review the progress, evaluate your success criteria against the outcome, make a project plan for remediation, and start the process over again. This is an effective way to initiate a new project or to drive continuous improvement of IT.
Created by ISO, ISO/IEC 27001 is an international standard used to baseline and secure IT assets and evaluate risk. The basis of the 27001 framework is to ensure that security controls are in place by adopting and applying the confidentiality, integrity, and availability (CIA) triad.
In addition to the CIA triad, it also specifies the use of an information security management system (ISMS). The ISMS is used to capture security controls implemented within the environment. The CIA triad is defined by the following:
Confidentiality – Restrict access to IT resources or information that is considered sensitive
Integrity – Ensure that information has not been altered by anyone but the intended parties
Availability – Information or IT resources are available as required by an organizational- or service-level agreement
Organizations and individuals can also get ISO 27001 certified. Organizations use the certification to prove to customers that they have a dedicated cybersecurity program in place. Individuals can also be certified, which allows them to perform certification assessments for their own company or for other organizations.
One of the more widely used cybersecurity frameworks out there is NIST’s SP 800-53. The framework consists of 20 privacy and security control families with an estimated 1,000 separate controls. The US federal government is required by the Federal Information Security Management Act (FISMA) to implement the controls across all federal IT resources.
The control families are depicted in Table 1.1:
ID – Family
AC – Access Control
AT – Awareness and Training
AU – Audit and Accountability
CA – Assessment, Authorization, and Monitoring
CM – Configuration Management
CP – Contingency Planning
IA – Identification and Authentication
IR – Incident Response
MA – Maintenance
MP – Media Protection
PE – Physical and Environmental Protection
PL – Planning
PM – Program Management
PS – Personnel Security
PT – PII Processing and Transparency
RA – Risk Assessment
SA – System and Services Acquisition
SC – System and Communications Protection
SI – System and Information Integrity
SR – Supply Chain Risk Management
Table 1.1 – NIST 800-53 control families
These are by no means an exhaustive list of cybersecurity frameworks, only the ones found in the Informative References section of the CSF. There are several frameworks that are just as important as the frameworks previously discussed. It is encouraged to review other frameworks and see if they align with your business needs and objectives.
Organizations have the freedom to use and implement the NIST CSF to best fit their needs. The beauty of the framework is in its flexibility in implementing the necessary cybersecurity controls. Plenty of organizations have achieved their goals of reducing overall cyber risk through its use, but do not take my word for it. The following is a set of success stories of other organizations that have implemented the CSF.
Serving the residents of Texas, the Lower Colorado River Authority (LCRA) has a tough job. LCRA ensures water coming from the river is safe to use for the millions of residents of that state. The river authority is considered a critical infrastructure and must ensure that its IT and operational technology (OT) are secured.
LCRA initially adopted NIST’s SP 800-53 to implement cybersecurity controls. The sheer size of that framework caused serious problems with the rollout. Being large and decentralized, LCRA required a framework that was agile and customizable, and it eventually abandoned SP 800-53 in favor of the CSF. This allowed it to apply a common framework across the entire organization. [1]
Founded in 1890, the University of Chicago (UoC) has been serving its students for well over a century. The Biological Sciences Division (BSD) is one of the larger schools within UoC with 23 departments and 5,000 faculty and staff. The school requires multiple frameworks to be used to maintain compliance, including HIPAA and FedRAMP. Due to its decentralization, the school struggled to maintain a common security posture across all departments.
BSD gathered framework subject-matter experts (SMEs) to assist in the rollout of the framework. The organization developed a four-stage process that allowed them to achieve their goals in evaluating and reducing cyber risk effectively. Their four-stage approach involved the following:
Developing a current state profile
Performing a cybersecurity assessment
Creating a future state profile
Executing the roadmap
The team created a scoring system from 0 to 4 to measure progress between the two profiles. BSD then went on to create training seminars for staff to better understand how to use the framework. [2]
Though these two success stories depict how they accomplished rolling out the NIST CSF across their organizations, how will you achieve the same goals? Where should you start, and how will you get there? The following chapters will answer those questions and much more.
In this chapter, we reviewed what a framework is and why it is important. Frameworks were developed to assist organizations in filling in the blanks of building a cybersecurity program. The NIST CSF is a framework that can be applied to your organization with little effort.
As cyber-attacks took hold during the early 2000s, we needed to rapidly increase our security posture. Cybersecurity frameworks were created to assist organizations in doing just that. Many may think that IT and cybersecurity are identical, but they are not. As we learned, cybersecurity has its own language and way of implementing solutions.
As we saw in the success stories, several organizations had come from other frameworks and began to use the CSF due to its flexibility in allowing for agility across multiple business functions.
In the next chapter, we will dive deeper into the CSF and review the framework core, tiers, and profiles. We will then look at how to evaluate and reduce risk. More to come!
[1] Cybersecurity Framework Success Story – Lower Colorado River Authority (LCRA): https://www.nist.gov/system/files/documents/2021/10/26/LCRA%20CSF%20Success%20Story_Comments%20Incorporated%5B53%5D.pdf
[2] Cybersecurity Framework Success Story – University of Chicago Biological Sciences Division: https://www.nist.gov/system/files/documents/2020/07/23/University%20of%20Chicago%20Success%20Story%20062920%20508.pdf
In the previous chapter, we learned about what cybersecurity frameworks are and some of their differences. We know that cybersecurity frameworks help align us and our organizations to best practices. Frameworks provide a taxonomy and a common language for complex architecture and terminology.
We were briefly introduced to the NIST Cybersecurity Framework (CSF). The NIST CSF is a robust, agile framework that can be implemented in any organization. As we saw in the last chapter, several organizations have adopted other frameworks only to find out, months or years later, that the chosen framework does not meet their needs.
In this chapter, we will dive into the framework. We will look at the framework’s Core, Tiers, and Profiles. We will discuss what each of these means so that you have a general understanding of the topics being discussed. In later chapters, we will go further into the Core and examine each of its six functions – govern, identify, protect, detect, respond, and recover.
This chapter will cover the following topics:
The NIST framework
Tiers
Profiles
Let’s dive in!
The framework is made up of three components: the Core, Tiers, and Profiles. The Core is made up of six functions that are used to reduce cybersecurity risk in an organization:
Govern
Identify
Protect
Detect
Respond
Recover
Each subcategory carries an identifier that tells you at a glance where it sits in the Core. As an example, the hardware inventory outcome is ID.AM-01, the software inventory outcome is ID.AM-02, and so on. The identifier is read as follows:
Function.Category-Subcategory
ID.AM-01
We will discuss the individual controls further in later chapters; for now, let’s dive right into what each of the six functions means.
Govern is meant to establish governance throughout a cyber program. This is why the Govern function is at the center of all other functions. It is used to set a risk management strategy, policies, and standards, ensuring that these documents are well written and communicated. Govern is especially important when it comes to enterprise risk management.
This function also requires that you start discussing risk and risk management with everyone in your organization. Risk tolerance must start at the top with the executive leadership team and trickle down through middle management to your analysts. There should also be a feedback loop that allows risk mitigation efforts to ascend from the bottom up too. This is needed to better understand whether any risk tolerances that were established still work as intended.
The Identify function helps you locate what you have to protect: systems, software, data, and external services such as Software-as-a-Service (SaaS). This includes where your company purchases software and hardware and which third-party services it relies on. The Identify function also covers risk assessment and improvement, the outcomes that feed the policies, standards, and procedures set under Govern. These categories are used to highlight risks throughout the organization.
The first two of the CIS Critical Security Controls from the Center for Internet Security, inventory and control of enterprise assets and inventory and control of software assets, put the same visibility of hardware and software at the top of their list. An organization must be able to inventory all of its assets, both on-premises and in the cloud, to protect them adequately. Once assets are identified, you can scan them for vulnerabilities and apply security patches to keep IT resources secure.
An organization must document what is in its environment, so that anything not on the list stands out, for the following reasons:
It helps identify rogue devices connected to a network
It establishes who owns each device, so an unowned or rogue device can be flagged and dealt with
It reduces cyber risk in an environment
The Identify function also requires a strategy for how you identify and record your SaaS applications, for the same reasons.
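The reconciliation described above, as an added example that is not code from the book: an authoritative inventory (what ID.AM-01 asks you to maintain) is compared against what was actually observed on the network, and anything seen but not inventoried is reported as rogue, anything inventoried without an owner is reported as unowned, and anything inventoried but not seen is reported as missing. The inventory rows, MAC addresses, hostnames, and observations are all constructed for the example.

```python
"""Reconcile an authoritative asset inventory against devices observed on the
network. Added example, not from the book; all data below is constructed."""
from dataclasses import dataclass, field

# Constructed authoritative inventory: the list the organization maintains.
INVENTORY = [
    {"mac": "00:11:22:33:44:01", "hostname": "fileserver-01", "owner": "it-infra", "location": "dc1"},
    {"mac": "00:11:22:33:44:02", "hostname": "hr-laptop-17", "owner": "hr", "location": "hq"},
    {"mac": "00:11:22:33:44:03", "hostname": "printer-3f", "owner": "", "location": "hq"},
    {"mac": "00-11-22-33-44-04", "hostname": "backup-02", "owner": "it-infra", "location": "dc1"},
]

# Constructed observations, as a DHCP lease or ARP export might give them:
# (mac, ip, hostname). The last entry is not in the inventory.
OBSERVED = [
    ("00:11:22:33:44:01", "10.0.1.10", "fileserver-01"),
    ("00:11:22:33:44:02", "10.0.5.23", "hr-laptop-17"),
    ("00:11:22:33:44:03", "10.0.5.40", "printer-3f"),
    ("AA:BB:CC:DD:EE:FF", "10.0.5.99", "raspberrypi"),
]


@dataclass
class Report:
    rogue: list = field(default_factory=list)    # seen on the wire, not in inventory
    unowned: list = field(default_factory=list)  # in inventory, nobody accountable
    missing: list = field(default_factory=list)  # in inventory, not seen this cycle


def normalize_mac(mac):
    """Canonical lowercase colon form so exports from different tools compare equal."""
    return mac.strip().lower().replace("-", ":")


def reconcile(inventory, observed):
    known = {normalize_mac(a["mac"]): a for a in inventory}
    seen = {normalize_mac(m): (ip, host) for m, ip, host in observed}
    report = Report()
    for mac, (ip, host) in seen.items():
        if mac not in known:
            report.rogue.append({"mac": mac, "ip": ip, "hostname": host})
    for mac, asset in known.items():
        if not asset.get("owner"):
            report.unowned.append(asset["hostname"])
        if mac not in seen:
            report.missing.append(asset["hostname"])
    return report


if __name__ == "__main__":
    r = reconcile(INVENTORY, OBSERVED)
    print("rogue:", r.rogue)
    print("unowned:", r.unowned)
    print("missing:", r.missing)
```

A MAC address is only a weak identifier (it can be spoofed), so in practice the rogue list is a queue for a human or an NAC system to investigate, not a final verdict; the value is that the inventory makes the question answerable at all.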
As you might have guessed, the Protect function is all about safeguarding identities, data, baselining systems, maintenance, auditing, and logging. According to NIST, the protect function is also meant to limit or contain cybersecurity incidents.
In a 2023 study performed by BeyondTrust, the following were the top identity-based attacks that organizations faced [1]:
Phishing (62%)
Inadequate management of privileges/privileged identities (37%)
Third-party or supply chain attacks (37%)
Insider attacks (22%)
Man-in-the-middle attacks (18%)
It is no surprise that users and their digital identities are cybersecurity’s weakest link. The Protect function goes into detail about how to protect users by implementing a robust identity and access management system, along with security awareness training for end users.
This function also ensures that data is secured. This is done using encryption, both in transit and at rest. At rest means the storage of laptops, desktops, servers, databases, and so on should be encrypted.
This can be accomplished by leveraging the full-disk encryption built into each operating system: Microsoft has BitLocker, Apple has FileVault, and Linux has Linux Unified Key Setup (LUKS). Each has its advantages and disadvantages. Pay close attention to how you escrow the recovery key for each encrypted device, for example in a directory service, an MDM platform, or a key management system rather than on the device itself. Without the recovery key, a forgotten passphrase, a failed TPM, or a motherboard replacement can cost you all access to the data on the drive.
The Detect function is all about the processes you and your team develop to surface threats, vulnerabilities, and malware and to monitor user behavior. This function is also about creating baselines of systems and the network so that anomalies can be recognized.
We start with anomalies and events. This is where baselines come in: once you know what normal looks like, unusual activity stands out. To build a baseline, monitoring needs to be in place. Typically, this is performed using the Simple Network Management Protocol (SNMP). SNMP allows your team to poll usage statistics at a fixed interval (often every minute), and those statistics are stored in a flat file or time-series database for historical review. Most monitoring systems will also graph the polled data, so that a spike in traffic from a host or interface is visible at a glance.
Another crucial step in monitoring is log aggregation. This involves collecting logs from all systems in an environment, including firewalls, IT systems, network devices, and databases, into one place. This will allow you to monitor systems and services and detect malicious activity throughout the environment.
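The baseline-and-anomaly idea above, as an added example that is not code from the book: SNMP interface counters such as ifInOctets are cumulative Counter32 values that wrap at 2^32, so a poller must first turn raw readings into per-interval byte counts (handling the wrap), then build a baseline from the recent history and flag intervals that depart from it. The polled readings are constructed for the example (one interface, 60-second polls, with a counter wrap early on and a single burst of 40 MB in one minute); the median/MAD threshold and the window size are choices made here, not something the book prescribes.

```python
"""Per-interval traffic from SNMP-style cumulative counters, a robust baseline,
and anomaly flagging. Added example, not from the book; data is constructed."""
from statistics import median

COUNTER32_MAX = 2 ** 32

# Constructed "true" bytes per minute: ~1 MB/min with mild variation, plus one burst.
TRUE_PER_MINUTE = [1_000_000 + (i % 3) * 50_000 for i in range(20)]
TRUE_PER_MINUTE[15] = 40_000_000  # constructed burst, e.g. bulk exfiltration


def make_readings(per_minute, start=4_294_000_000):
    """Cumulative Counter32 readings as a poller would see them; starts near the
    32-bit ceiling so that the counter wraps during the first interval."""
    readings, c = [start], start
    for d in per_minute:
        c = (c + d) % COUNTER32_MAX
        readings.append(c)
    return readings


READINGS = make_readings(TRUE_PER_MINUTE)


def deltas(readings, modulus=COUNTER32_MAX):
    """Per-interval byte counts from cumulative readings, correcting for wrap."""
    out = []
    for prev, cur in zip(readings, readings[1:]):
        d = cur - prev
        if d < 0:          # counter wrapped between the two polls
            d += modulus
        out.append(d)
    return out


def baseline(history):
    """Median and median absolute deviation: robust to a past outlier in the window."""
    m = median(history)
    mad = median(abs(x - m) for x in history) or 1.0  # avoid a zero spread
    return m, mad


def anomalies(values, window=10, k=6.0):
    """Indices whose value exceeds median + k*MAD of the preceding `window` samples."""
    flagged = []
    for i in range(window, len(values)):
        m, mad = baseline(values[i - window:i])
        if values[i] > m + k * mad:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    per_min = deltas(READINGS)
    print("wrap handled:", per_min == TRUE_PER_MINUTE)
    print("anomalous intervals:", anomalies(per_min))
```

Median and MAD are used instead of mean and standard deviation so that the burst itself does not inflate the baseline for the intervals that follow it; with a mean-based threshold, one spike can mask the next one. The same reconcile-against-a-baseline logic applies to aggregated logs (for example, failed logins per host per interval) once they are counted into a series.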
Lastly, we need to document detection processes and establish roles and responsibilities. This is a necessary step to determine who is responsible for detecting and remediating an incident if one occurs.
How do we respond to an incident? Who is responsible for what? How are events communicated? This will require the creation of an incident response and communication plan. Not all incidents need to be communicated; however, you will need a plan in place for who to speak with and when.
Analysis of an incident is also part of the Respond function. This requires knowing the types of threats that are out there, especially those that are being exploited in the wild. There are plenty of threat intelligence feeds to choose from; some you must pay for, and some are free to consume. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a catalog of vulnerabilities that are actively exploited in the wild, called the Known Exploited Vulnerabilities (KEV) catalog. It is a free service: CISA publishes the catalog on its website in human-readable and machine-readable (JSON and CSV) form and sends email notifications when entries are added.
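One practical use of the KEV catalog, as an added example that is not code from the book: cross-reference your vulnerability scanner's findings against the machine-readable catalog so that vulnerabilities known to be exploited (and, within those, ones tied to ransomware campaigns) are patched before findings that merely have a high CVSS score. The snippet below uses the field names of CISA's KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse, requiredAction), but the catalog entries and the scan findings are constructed, and the CVE identifiers are placeholders, not real vulnerabilities. The dueDate field is the remediation deadline CISA sets for federal civilian agencies under Binding Operational Directive 22-01, which makes a reasonable benchmark for anyone else.

```python
"""Prioritise scanner findings against the CISA KEV catalog.
Added example, not from the book; catalog entries and findings are constructed
and the CVE IDs are placeholders."""
import json
from datetime import date

# Constructed snippet in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "Gateway",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
         "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "Agent",
         "dateAdded": "2024-02-01", "dueDate": "2024-02-22",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scanner output: (host, cve, cvss_base_score)
SCAN_FINDINGS = [
    ("web-01", "CVE-0000-0002", 7.5),
    ("web-01", "CVE-0000-0003", 9.8),   # critical score, but not in KEV
    ("vpn-01", "CVE-0000-0001", 8.1),
    ("db-01",  "CVE-0000-0004", 5.3),
]


def load_kev(raw):
    """Index the catalog by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def prioritise(findings, kev, today):
    """Order findings: KEV entries with known ransomware use first, then other
    KEV entries, then everything else by descending CVSS. Each row carries how
    many days it is past (or before, if negative) the KEV due date."""
    rows = []
    for host, cve, cvss in findings:
        entry = kev.get(cve)
        in_kev = entry is not None
        ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
        overdue = (today - date.fromisoformat(entry["dueDate"])).days if in_kev else None
        rows.append({"host": host, "cve": cve, "cvss": cvss, "kev": in_kev,
                     "ransomware": ransomware, "days_overdue": overdue})
    rows.sort(key=lambda r: (not r["kev"], not r["ransomware"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for row in prioritise(SCAN_FINDINGS, load_kev(KEV_JSON), date.today()):
        print(row)
```

In production you would fetch the feed on a schedule and diff it against the previous copy; a CVE newly added to KEV that matches something in your inventory is exactly the kind of event the Respond function's analysis category expects you to act on.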
Documentation is key to the success of this function. You will not only need to document policies and standards for how to respond to an incident; you will also need to document everything during the event. This involves recording the response to the incident so that you can respond faster to it the next time, which is performed through an after-action review.
There are only two categories in the Recover function – Incident Recovery Plan Execution and Incident Recovery Communication. While the Respond function also contains a communication category, this one deals with communicating recovery activities and progress to designated internal and external stakeholders.
When an incident occurs, you must follow the steps laid out in the response plan. If you or your team did not follow the steps, why? Was the plan not well formed for the incident? Were there steps missing? This all gets discussed during the after-action review to make improvements to the plan itself.