Identifying Agency Risks with the NIST Cybersecurity Framework Research Brief
Executive Summary
When the National Institute of Standards and Technology partnered with other federal agencies and the private sector to develop the first iteration of the NIST Cybersecurity Framework (CSF), the focus was on protecting our nation’s most critical assets. The primary audience was entities that own and operate critical infrastructure vital to our public safety and national security, such as utilities, telecommunications, transportation and healthcare. But since the 2014 release of the NIST CSF, all types of organizations, big and small, are using the CSF to shape their cyber operations. And under the current administration, the expectation is that federal agencies will also benefit from the standards, guidelines and practices developed collaboratively by industry and government.
In May, the administration released a cybersecurity executive order that requires agency leaders to adopt the NIST Cybersecurity Framework, which was initially developed as voluntary standards. The executive order states that agencies should use the CSF to manage their cybersecurity risk. “The Executive Order mandates the use of the CSF because there is a proven benefit to managing risk. The broad adoption of the CSF in the private sector points to its benefits,” said Ken Durbin, CISSP, Strategist for Symantec.
As security threats grow in frequency and intensity, agencies must bolster their cyber defenses to keep government data secure. They need a strategy that prioritizes top cybersecurity talent and automated tools that can help agencies continuously monitor their networks. One way that agencies can ensure the rigor of their strategy is by aligning it with the CSF.
To better understand the extent to which agencies are adopting the CSF, GovLoop teamed up with cybersecurity firms Symantec and DLT to survey 116 federal employees. The survey specifically focused on whether agencies are taking advantage of the “Identify” function in the CSF. “This function calls on organizations to look at every component of their cybersecurity enterprise,” Durbin said. That includes hard security assets, such as servers and networks, as well as soft assets, such as software, data and people. It also addresses concerns like governance, risk-management approach and business use.
In this research brief, we discuss common barriers to identifying what security tools your agency has in place, procuring new solutions that align to your cyber strategy and how the CSF’s “Identify” function can help you address those issues. To gain additional insights on how industry can help government with these challenges, we interviewed security experts Don Maclean, CISSP, Chief Cybersecurity Technologist at DLT, and Symantec’s Ken Durbin. Before we take a deep dive into those topics, let’s discuss where agencies stand in their efforts to adopt the NIST Cybersecurity Framework.
Government Adoption of the NIST Framework
The recent mandate for agencies to use the NIST Cybersecurity Framework by no means marked the start of governmentwide adoption. “In fact, prior to the executive order there were agencies that saw the benefit of using the Cybersecurity Framework, and started implementing it before they had to,” Durbin said. For example, the Office of Management and Budget and the Homeland Security Department had already worked with federal chief information officers and inspectors general across the executive branch to align Federal Information Security Modernization Act (FISMA) metrics to the CSF’s functional areas. In terms of federal adoption, 61 percent of respondents said they have started implementing the CSF, per the president’s cybersecurity executive order (Figure 1). To put that number into context, in 2016 some 30 percent of all U.S. organizations were using the CSF, according to IT research firm Gartner. That number is expected to reach 50 percent by 2020.
“To increase consistency regarding cybersecurity capabilities and budgeting activities, OMB also aligned the Information Technology (IT) Security portion of the [fiscal] 2018 IT Budget Capital Planning Guidance with the Framework,” OMB Director Mick Mulvaney said in a follow-up memo to the cybersecurity executive order. “This alignment has helped to standardize common vocabulary and the fundamental definitions used in security, mirroring the standardization that is increasingly necessary and useful with private sector suppliers, vendors, and industry partners.” The memo explains that the ultimate goal is to foster greater sharing of best practices across government and with industry, increase alignment of IT security requirements and capabilities and enhance efforts to improve the state of cybersecurity risk in the public and private sectors.
Figure 1 Per the recent Executive Order on Cybersecurity, have you started implementing the NIST Cybersecurity Framework? yes (61%) no (39%)
In terms of government adoption, Durbin said agencies are off to a strong start, considering the mandate was issued only a few months ago. He’s also hopeful that by implementing the CSF, agencies will view it as something they want to do because it is effective and not just something they have to do. The work under way by OMB and DHS aims to join federal requirements for safeguarding IT systems and data with the five key Functions of the CSF: Identify, Protect, Detect, Respond and Recover. According to NIST, these functions help organizations express how they manage cybersecurity risk by:
• Organizing information
• Enabling risk-management decisions
• Addressing threats
• Improving by learning from previous activities
[Figure: the five key functions of the CSF: Identify, Protect, Detect, Respond, Recover]
Cybersecurity Compliance vs. Risk Management
The fact that federal CIOs and IGs are coming together to embrace the CSF is a major step in government cybersecurity. One issue has been that the tech and auditor communities have not always interpreted and prioritized cybersecurity guidance the same way. On one hand, agencies have been encouraged to take a risk-based approach to security, which means prioritizing what security standards will be most effective in defending against threats. That approach can be in conflict with the old way of doing business, where agencies met a checklist of requirements to show auditors they were compliant. Balancing the two approaches is still a struggle for agencies today.
To better understand the focus of agencies’ cybersecurity efforts, we asked whether they are more focused on being compliant, improving security capabilities or both. Although 35 percent prioritize both cybersecurity and compliance, 32 percent are mainly focused on compliance (Figure 2). “Although things are improving, there’s still a heavy overemphasis on the compliance aspect of security in the federal government,” Maclean said. “That needs to change, at least from a budget perspective. The money needs to go where it’s really needed.” Compliance efforts are still too resource-intensive, but Maclean expects that will change as more agencies adopt the Cybersecurity Framework. CSF will push people to implement security measures that truly prevent attacks and mitigate risk, rather than simply complying with standards to check a box and appease auditors.
Figure 2 Are your agency’s cybersecurity efforts more focused on being compliant or improving its cybersecurity capabilities? equal (35%) improving cyber capabilities (33%) compliance (32%)
How Maturity Models Aid Framework Adoption
One approach that agencies are using to move in that direction is the adoption of a cybersecurity maturity model. An effective model provides a structure for organizations to document their current cybersecurity capabilities and establish a foundation for consistent evaluation. For example, the Energy Department developed a maturity model known as the Cybersecurity Capability Maturity Model (C2M2). It provides a methodology and toolkit for doing self-evaluations to measure and improve cybersecurity programs. The model enables Energy to evaluate cybersecurity capabilities consistently, communicate capability levels in meaningful terms and prioritize cybersecurity investments. One of the benefits of using a maturity model like C2M2 is that it can be easily scaled and adapted to implement the NIST Cybersecurity Framework. Nearly three-fourths of those surveyed said they are following a maturity model at their agency, which should help them meet and adhere to the executive order’s mandates (Figure 3).
Figure 3 Do you follow a cybersecurity maturity model at your agency? yes (72%) no (28%)
Agencies that have started implementing the Cybersecurity Framework are still working to take full advantage of all the CSF has to offer. Nearly 50 percent of respondents who said they are implementing the CSF also said they are not using it to decide what cybersecurity solutions to buy (Figure 4). And slightly more, 54 percent, said they are not using the CSF to develop a technology roadmap (Figure 5).
Figure 4 Are you using the CSF to decide what cybersecurity solutions you are buying? yes (52%) no (48%)
Figure 5 Are you using the CSF to develop a technology roadmap? no (54%) yes (46%)
The reasons agencies aren’t maximizing the CSF’s capabilities vary, but one simple explanation is that they have not yet tried using the CSF in these ways, Durbin said. They may not have heard the anecdotal evidence of the CSF helping other agencies with procurement and long-term technology strategies. Another reason is that some agencies assume if they are adhering to the Federal Information Security Management Act (FISMA), then they have identified all of their security gaps, Durbin said. Then the question becomes: Why do I need to use the Cybersecurity Framework? That’s a common question with a simple answer: The CSF provides agencies with a fresh look at their data. Consider that in response to FISMA, NIST published a catalogue of 256 security controls grouped across 18 categories or families that agencies must take into account when deploying IT systems.
The Cybersecurity Framework reorders those FISMA controls so they are grouped in a way that shows agencies how they are performing in a particular area of cybersecurity, such as asset management. “You’re using the same data that you’re using with FISMA, but it’s regrouped in order to show you gaps you may not have seen,” Durbin said. The hope is that over time, agencies will see the benefit of using the CSF to justify the investments they need to mitigate those gaps. They can also use the CSF to explain how those purchases fit in to their agencies’ technology roadmap for the future. For some agencies, keeping tabs on the tools they’ve already purchased can be a challenge. In the next section, we discuss some of the barriers that agencies face when procuring cybersecurity tools as well as the root causes of those challenges.
Common Barriers to Cybersecurity and Procurement
It’s often noted that basic cybersecurity hygiene practices could prevent about 80 percent of the attacks organizations face today. One of those basic practices for government agencies is to understand what security tools have already been purchased and how those investments can be used to mitigate risks. The good news is most agencies have a grasp on what they are buying, but there is still plenty of room for improvement. Forty-one percent said their agencies are fully aware of all cybersecurity tools at their disposal; however, an equal number of respondents said their agencies are aware of most of the tools they buy but likely not all of them (Figure 6). Seventeen percent acknowledged their agency does not have a handle on its inventory of cybersecurity tools. The size of an organization can be a determining factor in how well agencies track their tool inventory. “Small organizations are more likely to know what’s going on,” Maclean said. “In a large organization, it’s more likely that the left arm won’t know what the right arm is doing.”
Figure 6 Is your agency fully aware of all procured cybersecurity tools at its disposal? most tools, but likely not all of them (42%) yes (41%) no (17%)
Figure 7 If no, why not? lack of unified strategy and awareness about overall cybersecurity efforts (37%) lack of personnel (26%) siloed departments (16%) other - write in (13%) they were purchased without true understanding of what they did (8%)
Maclean thinks the cybersecurity executive order may help to change that. The order makes clear that the heads of government agencies will be held accountable for managing security risks across their organizations. This includes ensuring that federal IT systems and data are protected from unauthorized access and other cyber threats, and that the agency can detect suspicious activity on government networks, as well as respond to and recover from an attack. To comply with these requirements, agencies will need greater visibility of the tools they have and what they’re buying in the future. Another issue that contributes to an incomplete picture of what tools agencies have in place is the insufficient number of skilled cyber professionals, as well as an ill-equipped workforce in the cybersecurity arena, Maclean said. Those sentiments were also reflected in our survey, with 26 percent citing a lack of personnel as the reason for not fully understanding what tools they have in-house (Figure 7).
“We also see that there’s just a lack of the basics,” he said. “Neighboring entities don’t even know what applications, devices and data they have. They haven’t implemented patch configuration. They haven’t done the basic blocking and tackling, so I suspect security groups aren’t aware of the high-level, fancy new security system that their management bought because it sounded good in the sales presentation.”
For 8 percent of respondents, tools at their agencies were purchased without a true understanding of what they did. Sixteen percent said siloed departments were to blame for the lack of clarity around the cybersecurity tools at their disposal. But the top reason respondents cited was the lack of a unified strategy and awareness about overall cybersecurity efforts. “An effective cybersecurity strategy starts with buy-in from all key personnel and departments,” Durbin said. “If this [strategy] is just assigned to IT, chances are it is not going to be very effective.” The Cybersecurity Framework can help in this area, he explained. He highlighted the seven steps outlined in the CSF that are meant to help agencies create a new cybersecurity program or improve an existing program. For example, the first step is “prioritize and scope.” The focus there is for agencies to identify their mission priorities and the systems that support those functions. This exercise helps agencies make strategic decisions about how to allocate their resources. During this planning process, agencies should include everyone who will be impacted and ensure they are on the same page.
Before decisions are made to buy a new tool or service, agencies should ensure those investments align with their cybersecurity strategy, Durbin said. For most agencies that are fully aware of the tools they procure, that seems to be the case. Seventy-six percent said cybersecurity tool procurements are made based on an understanding of their business and mission value, as well as their role in their organization’s cybersecurity strategy (Figure 8). But it isn’t enough for individuals to have their own understanding of the mission value that technology purchases provide. There must be an open dialogue between agency leaders and business owners so agencies can make risk-based decisions about security and properly allocate funding. One function of the Cybersecurity Framework in particular that can provide agencies with end-to-end visibility across their enterprise is the “Identify” function. In the next section, we delve into the importance of this capability for communicating the benefits of security investments to agency leaders.
Figure 8 Are cybersecurity tool procurements made based on an understanding of their business/mission value and their role in your agency’s overall cybersecurity strategy? yes (76%) no (24%)
Figure 9 If yes, has your agency explored the “Identify” function of the NIST Framework? yes (91%) no (9%)
Using the CSF’s Identify Function to Improve Security
In light of the president’s executive order, agencies are expected to begin using the CSF to identify, assess and manage cybersecurity risks. As NIST noted when the CSF was developed, it isn’t designed to replace existing processes. “An organization can use its current process and overlay it onto the CSF to determine gaps in its current cybersecurity risk approach and develop a roadmap to improvement,” according to NIST. “Utilizing the CSF as a cybersecurity risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.”
The “Identify” function of the CSF can be especially helpful in communicating the importance of cybersecurity investments to leaders and ensuring those investments fit into an agency’s security strategy. The Identify function calls on organizations to look at every component of their cybersecurity enterprise, including the hard security assets, such as servers and networks, and soft assets, such as software, data and people. Agencies are also encouraged to address governance, risk management and how their tools will be used to support the mission. “The ‘Identify’ function lays the groundwork for all cybersecurity actions,” Durbin said. “After all, it’s only possible to protect what you know exists.” To successfully protect their assets, agencies must first identify every component in their enterprise. The objective is to ensure that each aspect, whether it be people, processes or technology, meets a certain standard and to fix the areas that are not up to par. For agencies that have started implementing the CSF, the vast majority, 90 percent, have explored the “Identify” function of the NIST Framework (Figure 9). Both Durbin and Maclean were impressed to see so many agencies embracing the Identify function, but the numbers aren’t surprising.
Consider that the ability to identify what hard and soft assets you have in place, including technology, people and governance, is the foundation for strong cybersecurity. You can’t create a strategy without first understanding the components that make up your enterprise, so the “Identify” function is the first step to better security. “There’s a reason why Identify is the first of the five functions,” Durbin said. “Everything else flows from Identify.”
But one area where agencies are lacking is using the CSF to justify budget requests for cyber tools. Fifty-six percent of respondents said their agencies were not using the NIST Framework for that purpose, despite that being one of the benefits (Figure 10). “The Framework provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization’s cybersecurity practices,” NIST said. A successful implementation of the “Identify” function puts an agency on the path to:
• Define the current state of their enterprise, identify gaps and define a path forward to address them
• Establish mitigation priorities
• Develop processes that are reliable and reproducible
• Meet the needs of all stakeholders
• Manage complex systems with ease
• Create methods for communicating with all critical parties
When all stakeholders are involved in cybersecurity discussions and have a clear understanding of the problem and solution for addressing gaps, only then can cybersecurity improve.
Figure 10 Are you using the CSF to justify budget requests for cyber tools? no (56%) yes (44%)
How Symantec and DLT Can Help
When it comes to helping agencies take full advantage of all the CSF has to offer, one of the key areas where Symantec is adding value is educating the government community. Symantec offers a wealth of resources that explain how the CSF applies to various organizations, including the government sector. “Because Symantec saw the value of CSF early on, we took the time to go through all 98 subcategories, and mapped our solutions to the appropriate subcategories,” Durbin said. The NIST Cybersecurity Framework is organized into five functions, 22 categories and 98 subcategories, all of which are matched to existing cybersecurity standards, guidelines and practices. For example, the “Identify” function touches on several categories that agencies should address, including asset management, governance and risk management.
Agencies can use the categories and subcategories to define their current profile, the cybersecurity outcomes that are currently being achieved, and determine how well they align with the CSF functions. A target profile shows agencies the outcomes needed to achieve their cybersecurity risk management goals. The gap between the current profile and the target profile should dictate agencies’ roadmaps for improving their cybersecurity capabilities, Durbin said. For agencies using Symantec solutions, the company’s cybersecurity experts can help them understand how their investments align with the NIST Cybersecurity Framework. “If they’re evaluating a purchase, we can show them where our solutions map [to the Framework] and show them the full benefit to their cybersecurity program,” he said. DLT is using a similar approach to educate agencies on the CSF. As a partner with Symantec, DLT maps its solutions to the five functions in the NIST Framework.
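The current-profile, target-profile and gap sequence described above, as an added worked example that is not from the brief and not code from Symantec, DLT or GovLoop: a small Python gap analysis over a handful of Identify-function subcategories. The 0-4 implementation score scale, the mission-priority weights (the kind of input the "prioritize and scope" step produces) and all sample scores are constructed assumptions for this example; the subcategory identifiers follow the CSF v1.x naming pattern (ID.AM-1 and so on) and their descriptions are paraphrased, not quoted from the Framework.

```python
"""Current-vs-target profile gap analysis for CSF subcategories.

Added illustration, not code from the brief or from Symantec, DLT or GovLoop.
Assumptions (constructed for this example): each subcategory outcome is
scored on a 0-4 implementation scale (0 = not performed, 4 = fully
implemented), and each carries a mission-priority weight set during the
CSF "prioritize and scope" step. Identifiers follow the CSF v1.x pattern
(Function.Category-n); the descriptions are paraphrased.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_SCORE = 4

# A subset of Identify-function subcategories (paraphrased descriptions).
IDENTIFY_SUBCATEGORIES = {
    "ID.AM-1": ("Asset Management", "Physical devices and systems are inventoried"),
    "ID.AM-2": ("Asset Management", "Software platforms and applications are inventoried"),
    "ID.GV-1": ("Governance", "Organizational cybersecurity policy is established"),
    "ID.RA-1": ("Risk Assessment", "Asset vulnerabilities are identified and documented"),
    "ID.RA-5": ("Risk Assessment", "Threats, vulnerabilities, likelihoods and impacts determine risk"),
}

# Constructed sample profiles: where the agency is today vs. where it wants to be.
SAMPLE_CURRENT = {"ID.AM-1": 3, "ID.AM-2": 1, "ID.GV-1": 2, "ID.RA-1": 1, "ID.RA-5": 0}
SAMPLE_TARGET = {"ID.AM-1": 4, "ID.AM-2": 4, "ID.GV-1": 3, "ID.RA-1": 3, "ID.RA-5": 3}
# Constructed mission-priority weights (higher = supports a more critical mission function).
SAMPLE_WEIGHTS = {"ID.AM-1": 3, "ID.AM-2": 3, "ID.GV-1": 2, "ID.RA-1": 2, "ID.RA-5": 1}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    category: str
    current: int
    target: int
    weight: int

    @property
    def distance(self) -> int:
        """How many score levels separate the current and target profiles."""
        return self.target - self.current

    @property
    def priority_score(self) -> int:
        """Gap size scaled by mission priority; drives roadmap ordering."""
        return self.distance * self.weight


def _score(profile, sub_id):
    """Read a profile score, defaulting to 0 (not performed) and validating the range."""
    value = profile.get(sub_id, 0)
    if not 0 <= value <= MAX_SCORE:
        raise ValueError(f"{sub_id}: score {value} outside 0..{MAX_SCORE}")
    return value


def gap_analysis(current, target, weights, catalog=IDENTIFY_SUBCATEGORIES):
    """Return only the subcategories where target exceeds current, highest priority first."""
    gaps = []
    for sub_id, (category, _description) in catalog.items():
        cur, tgt = _score(current, sub_id), _score(target, sub_id)
        if tgt > cur:
            gaps.append(Gap(sub_id, category, cur, tgt, weights.get(sub_id, 1)))
    # Ties on priority fall back to the identifier so the ordering is deterministic.
    return sorted(gaps, key=lambda g: (-g.priority_score, g.subcategory))


def category_coverage(current, target, catalog=IDENTIFY_SUBCATEGORIES):
    """Fraction of each category's target score already achieved (over-achievement capped)."""
    achieved, wanted = defaultdict(int), defaultdict(int)
    for sub_id, (category, _description) in catalog.items():
        cur, tgt = _score(current, sub_id), _score(target, sub_id)
        achieved[category] += min(cur, tgt)
        wanted[category] += tgt
    return {cat: (achieved[cat] / wanted[cat] if wanted[cat] else 1.0) for cat in wanted}


def roadmap_lines(gaps):
    """Render gaps as the one-line roadmap entries a budget justification might cite."""
    return [f"{g.subcategory} ({g.category}): {g.current} -> {g.target}, priority {g.priority_score}"
            for g in gaps]


if __name__ == "__main__":
    for line in roadmap_lines(gap_analysis(SAMPLE_CURRENT, SAMPLE_TARGET, SAMPLE_WEIGHTS)):
        print(line)
    for cat, frac in category_coverage(SAMPLE_CURRENT, SAMPLE_TARGET).items():
        print(f"{cat}: {frac:.0%} of target achieved")
```

On the constructed sample the top roadmap entry is the software inventory subcategory (a three-level gap on a high-priority item), not the larger but low-priority threat-modelling gap, which is the point of weighting gaps by mission priority rather than ranking them by distance alone. The category coverage figures are the kind of summary that lets leaders and finance staff see, in the Framework's own vocabulary, where a budget request would move the needle.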
Conclusion
As agencies make strides to adopt the NIST Cybersecurity Framework, communication and education across all levels of the organization must be a priority. There will likely be changes in processes and even technology as they work to mitigate risks and strengthen security strategies. And during those times of change, it’s important that senior leaders and the employees they serve understand the current state of cyber operations, how the CSF can help and what it will take to reach their desired end state. What makes the CSF such a valuable resource is there are measurable benefits. For example, using the “Identify” function of the Cybersecurity Framework can help agencies understand what security tools they have and whether they align with their mission and business values. Communicating the benefits of any investment in these terms provides clarity for leadership and other agency stakeholders. But agencies can’t stop there. Once cybersecurity investments are designated a priority, the appropriate budget must be in place to fund those initiatives. That’s a key area where the CSF can help, by enabling agency leaders, finance and cybersecurity professionals to speak the same language when talking about security and to properly fund those efforts. “The Cybersecurity Framework provides a very solid way of looking at security that’s simple but effective,” Maclean said.
About Symantec
Symantec helps federal agencies develop and implement comprehensive and resilient security strategies to reduce risk and meet Cross-Agency Priority Goals, the NIST Cybersecurity Framework, the Joint Information Environment and other federal mandates. To learn more, visit: www.symantec.com/solutions/federal-gov
About DLT
For 25 years, DLT Solutions has been dedicated to solving public sector IT challenges. Guided by our relentless focus, we have grown to be one of the nation’s top providers of world-class IT solutions. Leveraging our strategic partnerships with top IT companies, we develop best-fit solutions for our customers. Our sales, integration, and support experts have the certifications and experience in helping customers at any level of any agency. We have both deep subject matter expertise and in-depth knowledge of government-mandated requirements and initiatives in areas such as cloud computing, cybersecurity, and consolidation. To learn more, visit: www.dlt.com/government-products/symantec
About GovLoop
GovLoop’s mission is to inspire public sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to the public sector. For more information about this report, please reach out to info@govloop.com. govloop.com | @govloop
1152 15th St. NW Suite 800 Washington, DC 20005 P: (202) 407-7421 | F: (202) 407-7501 www.govloop.com @GovLoop