Last month, NIST released their long-awaited new version 1.1 of the Cybersecurity Framework (CSF).
According to the NIST website: “This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.”
I first wrote about this Cybersecurity Framework topic back in March 2013, when the initial Cybersecurity Framework came out for review from the Obama administration. We have come a long way since that announcement.
Recent NIST details include:
Industry Response to Cybersecurity Framework
Rather than just another business-as-usual update, this new version of the Cybersecurity Framework has received roaring approval around the nation and the world. Wherever I travel, I hear about more and more organizations that have imoplemented, or are or will be implementing this approach to protect their critical systems and networks and people.
Here are just a few of the helpful articles that highlight the growing influence of this plan:
Deeper Dive: An Interview with Ryan Tappis
But in order to take a deeper dive into this topic and get some front-line perspective on what’s in Washington, D.C., and elsewhere, I turned to a trusted colleague who is implementing the Cybersecurity Framework across multiple public- and private-sector organizations.
I met Ryan a few years back at a conference, and I was immediately impressed with his knowledge, experience and cybersecurity insights — especially with relation to government activities in and around D.C.
Ryan Tappis is a managing director and cybersecurity practice lead for Northramp LLC — a management consulting firm based in Reston, Va. In his 15+ year consulting career, Ryan has provided cybersecurity advisory services to clients across the federal government and commercial sector. He is widely recognized as a subject matter expert in all things federal cybersecurity — from Federal Information Security Management Act (FISMA) compliance, to the DHS CDM program, to TIC and the OMB cloud first initiative. With the advent and rapid adoption of the NIST CSF, Ryan has advised federal and commercial clients on how best to use the framework in their organizations.
Ryan holds a master’s degree in Computer Systems Management and is CISSP, CISM, and CRISC certified. He serves as one of 12 worldwide members on the Certified Information Security Manager (CISM) exam writing group — the group responsible for writing the CISM exam, and has been featured as a cybersecurity SME in a number of blogs and journals including the Washington Business Journal.
Here’s the interview:
Dan Lohrmann (DL): Is the new cybersecurity framework hot in the federal government?
Ryan Tappis (RT): Hot is a strong word. I would describe it as quickly gaining momentum in the federal market. There are a lot of competing priorities in the federal government cybersecurity space right now — the DHS CDM program rollout, OMB’s cloud first initiative, DCOI, the HVA program, etc. Couple those initiatives with budgets that have been flatlined, and federal CISOs have their hands full.
But I think that’s where the CSF can provide a ton of value. As federal CISOs are in the weeds trying to meet the initiatives I listed, the CSF can simplify the management of their cybersecurity programs, streamline reporting to management, and prioritize how they spend their time and money.
DL: Is this different that a few years ago? How so?
RT: From the customers and partners we work with, there is certainly an uptick in CSF based reporting and monitoring. As you know, the CSF was originally intended to support the 17 designated critical infrastructure sectors. However, in its adoption, the federal government realized the CSF provided some significant benefit in the way it simplifies cybersecurity. So with leading commercial and private-sector organizations adopting the framework and recognizing its value, the government followed suit. Now through its quarterly and annual FISMA reporting, DHS has aligned its reporting metrics to the CSF functions. I expect more alignment to come.
DL: What are some of the cybersecurity framework differences that your government clients are excited (or not excited) about?
RT: Federal CISOs seem to really gravitate to the CSF’s ease of use and simplicity. I’d say that’s the thing that excites them most about it. The CSF also touches quite a bit on supply chain cybersecurity — an area which has been very much overlooked in the federal world but needs to become more of a focus (SP 800-171 obviously helps here, but that’s a discussion for a different blog!). And most importantly, CISOs love that the CSF helps them better communicate cybersecurity to their CIOs and agency heads.
Not exactly a dislike per se, but I’m still seeing quite a bit of confusion around the difference between the NIST CSF and the NIST Risk Management Framework (RMF). My sense is that if you asked federal cybersecurity SMEs to clearly explain the difference between the two, you’d get a lot of blank stares. That’s not a knock on them; it just means we need to do a better job communicating and teaching. Until we get this confusion sorted out, I don’t think we’ll get the widespread level of CSF adoption that we need. When we’ve pitched the premise of using the CSF as the program security framework and the RMF as the system security framework — the picture suddenly becomes much clearer.
DL: What are the main drivers of the surge in adoption? Are organizations moving from some other security framework(s)?
RT: President Trump’s Cybersecurity Effective Order in 2017 obviously put some real weight behind the CSF and accelerated its adoption in the federal space. I also think mapping FISMA reporting to the CSF functions really forced the issue on its adoption in the federal sector. Federal CISOs take FISMA reporting very seriously — scores are publicly available and they’re evaluated against their peers. In general, anything that shows up as a reportable metric in a FISMA report receives a lot of focus.
On the private-sector side, the CSF crosswalks have proven to be really valuable. We’ve had several clients that have already invested in COBIT and ISO translate their frameworks to the simpler CSF very cheaply by taking advantage of the crosswalks. Of course, simpler isn’t always better. Having worked in the federal government space for so long and working through the C&A era, the cynic in me is scared that any surge in CSF adoption is because it’s just easier to say "I've checked all the CSF boxes, I'm secure.”
DL: Do you believe that this trend will continue? What do you see happening over the coming one to three years?
RT: I see additional adoption across the federal and commercial sectors. The Gartner projection of 50 percent of U.S. companies adopting the CSF by 2020 seems right to me. I could see the government adoption rate being significantly higher by 2020. I also see additional improvement and refinement beyond the recently published 1.1 version of the framework as there are still some holes. For example, I’d love to see some more formality and process around measuring effectiveness of the CSF functions. Last, I predict we’ll see a marketplace explode around the framework. Given its saturation in the private sector, companies will be eager to develop CSF-based tools and provide CSF-centered auditing services.
I also think (and hope!) there will be much better alignment and clarity around the CSF versus the RMF. In the government world, the IG offices drive a lot of the accountability and compliance measures. I’m still seeing the overwhelming majority of IG FISMA audits conducted against the RMF as opposed to the CSF. Do a quick Google search on “IG Audit and CSF.” Then compare the results to “IG Audit and RMF.” It’s night and day. Given that the audits are traditionally at the enterprise level, it would make a lot of sense for IGs to align their auditing approaches to the CSF. Hopefully that can evolve over in the near term.
DL: Is there anything else you’d like to tell us about the new cybersecurity framework?
RT: I am excited. Over the course of my career, one of the biggest challenges I’ve seen the cybersecurity field struggle with is communicating the very complex cyberspace to non-security-minded individuals. To me, the CSF is a big step in solving that challenge and simplifying the complexity of our trade. The CSF’s five functions are simple, brilliant and digestible by decision-makers all the way up the corporate ladder. For our private sector clients, that’s where they’re seeing the biggest value in the CSF. We have clients that leverage the CSF functions to report cybersecurity maturity to their corporate boards due to its simplicity. Taking it one step further, we’re helping organizations tie those five functions to business impact and ROI to find even greater value in the framework.
With all these positives, there is of course, more work to be done. We need improved awareness and outreach of the CSF, especially in the federal sector. We need better measurement mechanisms. We need more adoption. Like most things, the more users and the more feedback cycles, the better future iterations of the CSF will be.
DL: Thank you, Ryan, for providing this inside look into how the Cybersecurity Framework is playing-out with our security industry. I truly appreciate you taking the time to offer your expertise to my readers.
Once again, I urge readers to take a close look at the new Cybersecurity Framework, and how it can be adopted by your enterprise. The new CSF Version 1.1 has been several years in the making, and if you already use the CSF, you probably want to tweak your approach and/or policies and procedures using the updates.
In addition, I like the fact that the CSF covers people, process and technology — this is not just about technology and process. There are new sections on self-assessing cybersecurity risk.
This paragraph from page v of the executive summary sums the CSF up well:
“While this document was developed to improve cybersecurity risk management in critical infrastructure, the Framework can be used by organizations in any sector or community. The Framework enables organizations — regardless of size, degree of cybersecurity risk, or cybersecurity sophistication — to apply the principles and best practices of risk management to improving security and resilience.”