This blog post is an excerpt from GovLoop's research brief, "Identifying Agency Risks With the NIST Cybersecurity Framework."
In light of the president’s executive order, agencies are expected to begin using the NIST Cybersecurity Framework (CSF) to identify, assess and manage cybersecurity risks. As the National Institute of Standards and Technology noted when the CSF was developed, it isn’t designed to replace existing processes.
“An organization can use its current process and overlay it onto the CSF to determine gaps in its current cybersecurity risk approach and develop a roadmap to improvement,” according to NIST. “Utilizing the CSF as a cybersecurity risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.”
The “Identify” function of the CSF can be especially helpful in communicating the importance of cybersecurity investments to leaders and ensuring those investments fit into an agency’s security strategy. The Identify function calls on organizations to look at every component of their cybersecurity enterprise, including the hard security assets, such as servers and networks, and soft assets, such as software, data and people. Agencies are also encouraged to address governance, risk management and how their tools will be used to support the mission.
“The ‘Identify’ function lays the groundwork for all cybersecurity actions,” said Ken Durbin, CISSP, Strategist for Symantec. “After all, it’s only possible to protect what you know exists.”
To successfully protect their assets, agencies must first identify every component in their enterprise. The objective is to ensure that each aspect — whether it be people, processes or technology — meets a certain standard and to fix the areas that are not up to par.
For agencies that have started implementing the CSF, the vast majority — 90 percent — have explored the “Identify” function of the NIST Framework, according to a recent survey of 116 federal employees. To better understand the extent to which agencies are adopting the CSF, GovLoop teamed up with cybersecurity firms Symantec and DLT to get feedback from the federal workforce.
Durbin was impressed to see so many agencies embracing the Identify function, but the numbers aren’t surprising. Consider that the ability to identify what hard and soft assets you have in place, including technology, people and governance, is the foundation for strong cybersecurity. You can’t create a strategy without first understanding the components that make up your enterprise, so the “Identify” function is the first step to better security. “There’s a reason why Identify is the first of the five functions,” he said. “Everything else flows from Identify.”
But one area where agencies are lacking is using the CSF to justify budget requests for cyber tools. Fifty-six percent of respondents said their agencies were not using the NIST Framework for that purpose, even though that is one of the framework’s intended benefits.
“The Framework provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization’s cybersecurity practices,” NIST said.
A successful implementation of the “Identify” function puts an agency on the path to:
• Define the current state of their enterprise, identify gaps and define a path forward to address them
• Establish mitigation priorities
• Develop processes that are reliable and reproducible
• Meet the needs of all stakeholders
• Manage complex systems with ease
• Create methods for communicating with all critical parties
When all stakeholders are involved in cybersecurity discussions and have a clear understanding of the problem and the solution for addressing gaps, only then can cybersecurity improve.