Experts are hopeful that a new framework released by the National Institute of Standards and Technology will give agencies a method to evaluate the security of their computing environments against their peers.
As hacking attempts become more complex, governments continue to improve their cybersecurity presence through sophisticated firewalls and expanded procedures. But while high-profile data breaches have focused more state and municipal attention on cyberintrusions, a decidedly old-school problem continues to plague efforts to beef up security — communication.
With a variety of security options available, public-sector agencies often are deploying tools and using strategies that utilize different terminology and principles. These differences can lead to frustration when trying to compare cybersecurity programs and address the latest digital threats across agencies or jurisdictions. Without a standardized language, it’s difficult to gauge how strong another organization’s cybersecurity is.
To illustrate the concept, consider an advertisement for a new hotel. The hotel boasts that it has superior service, amenities and security. The only way to know that for sure, however, is for those claims to be verified. In the lodging industry, organizations like AAA visit hotels and rate them — five-star, four-star, etc. Customers then read those ratings and make a decision on where to stay based on the commonly understood vernacular.
A similar universal baseline evaluation for cybersecurity environments didn’t exist in years past. But experts are hopeful that a new framework released by the National Institute of Standards and Technology (NIST) will give agencies a method to evaluate the security of their computing environments against their peers.
State chief information security officers (CISOs) say the effort to integrate the 41-page federal initiative — officially called the Framework for Improving Critical Infrastructure Cybersecurity — will deliver significant benefits for government agencies in the years ahead. If the majority of organizations adopt the framework’s principles, they’ll be speaking the same language and have an easier time contracting with one another and protecting against cyberthreats.
Instead of a linear plan, the framework uses common fundamentals and a cyclical approach designed to help governments and businesses establish a cybersecurity baseline, find their most glaring vulnerabilities and tackle them at the outset using whatever method works for them. Then further steps can be taken as priorities are outlined and financial resources are available.
“It’s about not reinventing the wheel; there are plenty of good strategies out there — pick one,” Pelgrin said. “Figure out what works best for your organization and move forward.”
The framework is a living document of best practices that users can reference to establish a risk-based approach to improve cybersecurity. It provides a series of actions to anticipate and respond to attacks on systems. Five basic core functions are the foundation of the framework — Identify, Protect, Detect, Respond and Recover.
The functions are meant to be worked on concurrently and continuously. Within them are “implementation tiers” designed to show how mature an organization is in each of the five areas. The tiers range from Partial, the lowest level, through Risk Informed and Repeatable to Adaptive. Each tier describes the level of sophistication an organization has in performing each particular cybersecurity practice.
The next level of the framework is “profiles,” which align all the core functions with an agency’s business requirements, resources and risk tolerance. Profiles give organizations a way to describe their current cybersecurity condition and set a goal for where they want to be in the future. That shows where gaps exist, enabling users to address shortcomings and make improvements.
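As an added illustration of the structure described in the preceding paragraphs, and not code from the article or from NIST: a small Python routine that orders the four implementation tiers, compares a current profile against a target profile for each of the five core functions (it follows the article's per-function description of tiers, which is a simplification), and ranks the shortfalls largest first. The sample profiles are constructed for a hypothetical agency.

```python
"""Profile gap analysis modelled on the article's description of the NIST
Framework: five core functions, four ordered implementation tiers, and a
current versus a target profile whose differences are the gaps to close."""
from typing import Dict, List, Tuple

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
TIERS = ("Partial", "Risk Informed", "Repeatable", "Adaptive")  # lowest to highest

Profile = Dict[str, str]  # core function -> tier name


def tier_rank(tier: str) -> int:
    """Position of a tier on the maturity scale (Partial = 0, Adaptive = 3)."""
    if tier not in TIERS:
        raise ValueError(f"unknown tier {tier!r}; expected one of {TIERS}")
    return TIERS.index(tier)


def validate_profile(profile: Profile) -> None:
    """Reject profiles that skip a core function or use an unknown tier."""
    missing = [f for f in FUNCTIONS if f not in profile]
    extra = [f for f in profile if f not in FUNCTIONS]
    if missing or extra:
        raise ValueError(f"missing functions {missing}, unknown functions {extra}")
    for tier in profile.values():
        tier_rank(tier)


def gap_analysis(current: Profile, target: Profile) -> List[Tuple[str, str, str, int]]:
    """Compare a current profile to a target profile.

    Returns (function, current tier, target tier, tiers to climb) for every
    function that falls short of its target, largest gap first so the most
    glaring shortfall is tackled at the outset; ties keep core-function order.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for f in FUNCTIONS:
        delta = tier_rank(target[f]) - tier_rank(current[f])
        if delta > 0:
            gaps.append((f, current[f], target[f], delta))
    return sorted(gaps, key=lambda g: -g[3])  # sorted() is stable, so ties keep order


# Constructed sample profiles for a hypothetical agency (not from the article).
CURRENT = {"Identify": "Risk Informed", "Protect": "Repeatable", "Detect": "Partial",
           "Respond": "Partial", "Recover": "Risk Informed"}
TARGET = {"Identify": "Repeatable", "Protect": "Repeatable", "Detect": "Repeatable",
          "Respond": "Adaptive", "Recover": "Repeatable"}

if __name__ == "__main__":
    for f, cur, tgt, steps in gap_analysis(CURRENT, TARGET):
        print(f"{f:9} {cur:14} -> {tgt:14} ({steps} tier(s) to climb)")
```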
For a state or local government already running a cybersecurity program, adopting the framework may require aligning individual terminology and processes to match what’s in the core functions. But nothing has to be adopted all at once. Agencies can take parts of it and apply them as appropriate.
Work on the framework kicked off with President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity on Feb. 12, 2013. Section 7 of the order charged NIST with incorporating industry best practices and standards “to the fullest extent possible.”
To that end, NIST conducted five workshops throughout the U.S. to gather information and ultimately create the current framework. It took a full year to develop, according to Adam Sedgewick, senior information technology policy adviser for NIST.
Sedgewick explained that the goal was to develop a common cybersecurity language for public- and private-sector organizations to communicate and pull people together to provide analysis and reach agreement on best practices.
“There has been a degree of fracturing where different sectors and organizations rely on different standards, regulations and requirements,” he said. “So what the framework does … is allow people to communicate what their cybersecurity programs look like, and that makes it easier for those organizations to manage risk.”
Virginia’s cybersecurity program has been in place for a while, but the state was one of the initial framework adopters. Mike Watson, the state’s CISO, said integrating the NIST Framework was a smooth process for the state, primarily because it had already implemented NIST Special Publication 800-53 a few years earlier, which contains similar principles. The 800-53 document outlines recommended security and privacy controls for federal agencies.
Watson explained that the state chose to use the federal standards because a number of vendors in the area had begun marketing themselves as compliant with 800-53. As a result, Virginia took steps to map and align its existing standards back to those recommended in 800-53, so that communication was clear between the parties.
Virginia took the same approach with the NIST Framework. Watson said the strength of the framework is that it gives decision-makers a clear understanding of where their cybersecurity program is in comparison to other agencies or entities.
“I want to make sure to use this as a way to see how secure our environment is with all the different pieces and parts,” Watson said. “Adopting a standard language is really the first step in being able to do that.”
Pennsylvania is in a similar position to Virginia, as it had already been complying with 800-53 as well. But when adopting the NIST Framework, Pennsylvania CISO Erik Avakian also made it a priority to take note of the cybersecurity call for action the National Governors Association (NGA) announced last year.
The NGA debuted a five-point plan to help states better protect themselves from cyberattacks, which includes states establishing an authority structure to handle cybersecurity issues; conducting risk assessments; implementing vulnerability assessments and threat mitigation practices; complying with current security methodologies; and creating a culture of risk-awareness.
Avakian threw everything into a blender and developed a cybersecurity road map for Pennsylvania that aligns with both the NIST Framework and the NGA’s principles. He agreed with Watson that the biggest benefit of the NIST Framework is that it supplies a standard language for all parties across multiple industries to use. But he’s also enamored with the flexibility the framework provides.
“The NIST Framework is not trying to change what you’re doing from a cybersecurity perspective — it augments it,” Avakian said.
Watson said the first step for Virginia was just refining its process for gathering information and identifying the major metric points and risk indicators to support both what the state had in place previously and the NIST Framework.
The path for Pennsylvania was similar. Avakian and his team took everything in the framework, mapped it and then implemented it in the state’s enterprise governance, risk and compliance solution. Avakian said the move has been successful and sees a similar approach working well for other public-sector organizations.
The Pennsylvania CISO noted that because the framework shows on a granular level where an agency is, and where it needs to get to, it helps everyone stay ahead of cyberthreats. The key, he added, was a two-pronged communication approach.
“You need something for both the technical and the business sides of the organization,” Avakian said, regarding what cyber-risks exist and how to mitigate them. “If you only do one or the other, you’re not going to be able to clearly communicate to either of those groups.”
Sedgewick admitted that the framework’s overall complexity was one of the major developmental challenges early on. Because the goal was to create a framework that can be adopted by companies and organizations of all different sizes and preparedness levels, providing the appropriate level of detail was critical.
If the framework was too detailed, then it would run counter to the basic tenets of Obama’s executive order, as not all organizations have an advanced cybersecurity plan in place. But the framework still needed to have enough guidance to also help agencies and companies that were already at a high level.
But Sedgewick said NIST and its stakeholders struck the right balance that considers small local government operations and other potential adopters that may not have the funds to invest in cybersecurity efforts.
“One thing that we want to be clear about is that we don’t necessarily think this is just about finding the resources — it’s about general practices that people can do with the resources they already have,” Sedgewick said. “And so if you look at the framework itself, part of the structure that stakeholders came up with, was an effort to help simplify and better articulate what the essential elements of a good cybersecurity program are.”
While there are plenty of benefits in adopting the NIST Framework, it still presents a number of challenges for organizations. The most obvious is financial investment to establish a baseline and have a minimum level of threat monitoring, particularly for agencies that don’t have an active cybersecurity program.
For Pennsylvania and Virginia, there wasn’t a significant cost outlay, as both states already had security measures and response systems in place. But Watson said agencies should expect to spend some dollars to get up to speed.
Avakian agreed that doing things like risk assessments — which the framework relies on — takes resources. But he noted that unlike years past, there now are a number of free services available for public-sector agencies to be proactive regarding cybersecurity.
For example, the Multi-State Information Sharing and Analysis Center (MS-ISAC) offers free managed security and advanced monitoring services, while the U.S. Department of Homeland Security provides cyber-resiliency assessments at no cost, according to Avakian. Those opportunities didn’t exist years ago, and Avakian thinks agencies should take advantage of them as they consider adopting the NIST Framework.
Watson is concerned about just how much the federal government is going to push the private sector to adopt the framework. It could be an important factor in the long run, since working from a common language is one of the framework’s largest benefits. Watson added that he also thinks NIST should give agencies more guidance on how to measure compliance within each of the framework’s categories.
Sedgewick was aware of the concerns, but noted that the framework is not a checklist, but rather a living document intended to be built upon by users. He said the idea is for people to look across the entirety of the framework and think about advanced capabilities that can support the outcomes that make organizations more secure.
In addition, Sedgewick explained that people shouldn’t go through the framework and think they have to “implement every single word.” Instead, they should use it as a tool to improve the cybersecurity position of their organizations.
Avakian called the NIST Framework a great start that encompasses most cybersecurity needs. He said that time will tell whether additional components are needed, but so far, there are no glaring omissions.
Pelgrin agreed, adding that there’s something in the framework for everyone regardless of where an organization is on the cybersecurity maturity spectrum.
“It’s really an opportunity to raise the bar across all sectors,” he said. “The breadth and depth of sectors using it is impressive. It’s not about the technology; it’s about the behavior of implementing an effective process.”