As nefarious actors gain capabilities, the threat of a massive cyberattack becomes more and more real for governments. In order to better protect themselves, the National Institute of Standards and Technology (NIST) created a Cybersecurity Framework to help agencies implement standard cybersecurity best practices.
The Framework is a set of standards, guidelines and best practices to promote the protection of critical infrastructure and improve cybersecurity across government. But if you are a federal employee you are probably wondering what the Framework means for you.
In order to better understand how different roles fit into the NSIT Framework, GovLoop and Symantec brought together experts from across the cyber realm to discuss next steps in implementing the Framework during the, Understanding Your Role in the NIST Cyber Framework Roundtable. Matthew Barrett, Program Manager, NIST Cyber Framework; Alen Kirkorian, Division Chief, Solutions Architecture and Security, office of the Chief Architect, Department of State; and Kevin McPeak, CISSP, ITILv3, Principal Cyber Architect, U.S. Federal Public Sector led a discussion where three trends became clear:
The Framework is designed to work for you. The main feature of the Framework is that it offers the ability to translate and simplify cyber best practices from a complex language that only cybersecurity professionals understand to something that everyone can understand. Promoting a unified understanding of cybersecurity throughout government is key to improving cyber posture but, it is also clear that cybersecurity solutions are not one size fit all. Barrett explained that the framework accounts for this and offers a standardized set of cybersecurity outcomes with the mechanism for customization across agencies and the private sector.
Implementing the Framework starts out with an initial analysis that establishes an agency’s cyber profile. “The analysis establishes what key stakeholders are involved, business objectives of the agency, and the current cyber defense posture,” McPeak explained. From there, agencies can work on implementing the five elements of the Framework Core: identify, protect, detect respond, and recover. McPeak emphasized, “the NIST Framework gives agencies a different perspective and allows you to identify your initial framework profile and evolve it to reach your target profile.”
At the State Department, Kirkorian uses the Framework as a guide towards an improved cybersecurity posture. However, he has faced challenges in promoting cybersecurity efforts to agency leadership. “CIOs are under pressure to meet the business mission,” he explained. “Often times they are going to choose business over security so it is important to make sure that agency leadership really understands the cyber risks we face.” The Framework allows cyber professionals to customize their cybersecurity plan and explain it in simple terms, making it easier to promote buy-in from up and down the agency leadership.
The Framework is scalable. Barrett explained that the Framework was initially chartered to protect critical infrastructure but has become something that is being appropriately applied much more broadly. “The framework is customizable so that means it is scalable across business sizes and missions,” he said. This means that the Framework can be easily adopted across all state, local, tribal, and federal levels of government as well as in the private sector. Barrett also emphasized that NIST is supportive of how agencies choose to use the Framework and want to work with organizations to maximize its value. Essentially, the Framework can and should be used as a starting point for agencies who can then go and add their own requirements on top of it.
The Framework can help solve the big and little problems. In cybersecurity, some of the biggest problems require the smallest actions. For example, setting your password as Password01 or clicking on a bad link in an email are easily fixable and avoidable. Barrett emphasized that in order to solve smaller issues, “we need to make doing the right things easy and doing the wrong things hard.” He continued that the Framework helps agencies balance all cyber, physical, and personnel priorities against each other to provide the entire breadth of consideration.
However, the other experts explained that you need to be able to accurately identify when to go after low hanging fruit and when to go after bigger problems. “You have to hit the right balance of automation in processes that still promotes mission success,” McPeak explained. Kirkorian added, “sometimes business needs are paramount to fixing legacy systems that make it difficult to implement the Framework.” As a result, agencies have to work to adopt the Framework in a way that works for them and allow it to facilitate problem solving where the agency is at in their cybersecurity profile.
Looking forward, agencies should look to embrace the Framework in a way that works for them. Kirkorian concluded, “we need to be planning and using the resources that are out there to embrace technology and leverage the Framework to drive the business model of our agencies.”
For more information on how government is using the Framework check out this infographic.