It’s been a year since Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity,” was issued on Feb. 12, 2013, and I’m happy to say it has finally arrived. The National Institute of Standards and Technology (NIST) released the Cybersecurity Framework (CSF) 1.0 on February 12, 2014, along with the associated NIST Roadmap for Improving Critical Infrastructure Cybersecurity.
Whether you believe the NIST CSF will truly “enhance the security and resilience of the Nation’s critical infrastructure…” (EO 13636) or not, there is something to be said for the ongoing discussion and collaboration within the public and private sectors. This national conversation makes it a great time to be a part of a company that develops its technology from the ground up with continuous monitoring (CM) and a solid cybersecurity framework in mind. If you are an information security practitioner, I am sure you are also following the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) initiative, which is very similar in nature but rather more technical than the NIST CSF.
The NIST CSF 1.0 and DHS CDM efforts are great for instituting best practices and solving for the basic “low-hanging fruit” issues, but what about solving for the more advanced problems such as lack of visibility, collaboration, automation and control? Frameworks are helpful and best practices are a must, but there are plenty of studies and evidence that prove the bad guys are exploiting the security “gaps” and “dependencies” of our best practices and frameworks. The key to today’s layered security approach is instituting technologies designed to catch the outliers and close the gaps in a way that has minimal dependencies while fostering interoperability and information sharing.
The NIST Cybersecurity Framework focuses on aligning business drivers to common cybersecurity activities within the overall organizational risk management structure. The framework consists of the Framework Core, Framework Profile and Framework Implementation Tiers.
In my next blog, we’ll focus our attention on the first 4 of the 5 Framework Core elements: Identify, Protect, Detect, and Respond. I will draw a parallel between them and ForeScout CounterACT, which will help security practitioners understand how solving for the lack of visibility, collaboration, automation and control is paramount to any security program and/or framework.