Leveraging NIST for Your Cybersecurity Risk Assessment

NIST’s cybersecurity and risk material is awesome but its size and detail can be overwhelming.

You make your way through one of their long, in-depth publications. You feel that satisfaction of having taken the time to really sit down and understand a topic from one of the leading authorities, and you figure you are just about ready to get started on your assessment. Then you come to a reference to another (similarly named) publication, then another, then another… then you realize you are into a 10-volume series on this one specific topic. And you might be one week into your assessment project – shouldn’t you be halfway finished this assessment by now?

This is the kind of experience I had going through the NIST risk management and cyber security material. In this post I’ll talk through an overview of the publications and how I see them fitting together, taking the perspective of someone who is looking to conduct cybersecurity risk assessments using NIST as a guide.

Overview

We’ll cover the following publications:

  1. Cybersecurity Framework (CSF) (version 1.1)
  2. Minimum Security Requirements for Federal Information and Information Systems (800-200)
  3. Recommended Security Controls for Federal Information Systems and Organizations (800-53r4)
  4. Guide for Assessing the Security Controls in Federal Information Systems and Organizations (800-53Ar4)
  5. Guide for Conducting Risk Assessments (800-30)

NIST Publications and length (pages)

This gives you a sense of the girth of each of these publications.

The overall cybersecurity assessment process envisioned here is guided by the CSF with support from other publications as shown below:

Cybersecurity Framework (CSF)

Like all these publications, they were created in the U.S. environment but are generally applicable to any organization. The CSF can help organizations of any size to analyze and improve their cybersecurity posture.

The CSF is a different type of beast compared to the more formal 800-* publications. Whereas 800-53 is a regulatory document meant to help US government departments comply with FIPS 200 (a set of minimum security standards), the CSF is voluntary, higher-level, and was designed for both public and private sector organizations. It brings together and references several more detailed standards/methodologies, including CIS CSC (Centre for Internet Security Critical Security controls), COBIT, ISA, ISO/IEC, and NIST 800-30.

In its Framework Core it lays out five core functions of any cybersecurity program: identify, protect, detect, respond, and recover. These are decomposed further into categories and subcategories.

It goes on to define a set of tiers that describe an organization’s overall view on cybersecurity risk and the processes that are in place to support it. Values can be partial, risk-informed, repeatable, and adaptive. They explicitly make the point that this is not meant as a maturity scale, but it is hard not to think of it in that way.

Lastly, it describes the concept of a profile, which is essentially a scorecard across of the controls you’ve identified as in-place and/or required for your organization. You would have your current state profile and the future state profile you want to reach, and from that you can identify the gaps and then work on how to close those gaps.

FIPS 200 – NIST Minimum Security Requirements for Federal Information and Information Systems

This document is only 11 pages excluding appendices making it quite digestible and a good introduction to the complete 800-53 documentation. If nothing else, it is simply a good checklist for an organization to go through to check that they’ve given attention to the fundamentals.

It uses the same terminology as 800-53 and goes through each “family” and gives a few key “must” statements. For example:

  • Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
  • Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

800-53 Security and Privacy Controls for Federal Information Systems and Organizations

Provides “guidelines for selecting and specifying security controls for organizations and information systems”. It was created to support US government organizations in meeting the security requirements in Federal Information Processing Standard (FIPS) 200.

Similar to ISO 27002, it provides a large catalog of security and privacy controls covering all aspects of an organization. It presents the universe of controls you could implement, and the bulk of the document is taken up by the detailed list of controls (Appendix F). These controls are organized by the families mentioned in the earlier section on the FIPS 200 publication..

These controls fit into NIST’s three-tiered risk management approach (organization, mission/business processes, and information systems). They are vendor-neutral and designed to be flexible and adaptable for various organizations.

As you analyze each area of the CSF you can follow it’s references to the 800-53 document to provide detailed controls that can be candidates for the organization.

800-53A Assessing Security and Privacy Controls in Federal Information Systems and Organizations

Whereas 800-53 takes you through what you might implement for security and privacy controls,  the 800-53A publication takes you through how to analyze the presence and effectiveness of your controls.

It defines three broad methods for assessments:

  • Examine – reviewing documentation and observing system operation
  • Interview – talking to a range of people including executives and system administrators
  • Test – for example, testing access control or conducting penetration tests

It goes on to define two dimensions by which to describe an assessment method: depth and coverage. Both dimensions can have values of: basic, focused, or comprehensive.

So for example, a basic examination would be a high-level desktop review of documentation such as design specifications and process maps. The focused form would be a more detailed review covering additional documentation that would include any referenced documents. The comprehensive level adds more detail, and more importantly introduces the requirement that any controls are operating correctly and are continuously improved.

The terminology can be ambiguous and open to interpretation. For example, in describing depth they talk about “limited”, “substantial”, and “extensive” bodies of evidence at the different levels. In such cases it may be helpful to focus on its usefulness as a relative scale, rather than anything close to an absolute scale. But note that there are aspects that are more concrete, such as point-in-time vs. continuous assessment, or the use of a questionnaire vs. in-person interview, that  provide better distinction between the different methods and their depth.

Guide for Conducting Risk Assessments (800-30)

This publication provides guidance on how to perform a risk assessment and specifically how to:

  • Prepare for risk assessments
  • Conduct them
  • Communicate results
  • Maintain over time

Another purpose this document can serve is to provide some standard fundamental terminology. While people generally have a decent grasp of concepts such as threat, vulnerability, and impact, there are some important nuances that can lead to trouble later on if there isn’t a set of commonly-understood and agreed-upon definitions.

The 800-30 publication defines a risk calculation methodology that is similar to most approaches: essentially risk = impact * likelihood.

I think of the linkage between the CSF and the risk assessment step as follows:

The “Create a Current Profile” step will identify a set of missing or partial controls that will drive the risk assessment. The risk assessment will take these missing or partial controls and will derive a set of vulnerabilities that may allow certain threat events to occur. Asset values and threat sources are of course part of this process, but overall it is guided by the set of controls in each section of the CSF core.

Summary

What I’ve covered here provides an overview of the essential documents for an organization looking to start leveraging NIST best-practices for their cyber security assessments. In short:

  • use the CSF as the overall guide
  • leverage the 800-53 publication for detailed controls, following the references provides in the CSF Core (i.e., identity, protect, etc.), to analyze the current security posture
  • conduct the risk assessment following the guidance in NIST’s 800-30 publication, taking missing or partial controls as a primary input to uncovering risks
  • frame the recommendations from the risk assessment in terms of a future-state set of controls, again following the CSF Core