Difference between revisions of "User:Shawndouglas/sandbox/sublevel27"

From LIMSWiki
m (Grammar tweaks)

Revision as of 17:37, 28 May 2020

4. NIST Special Publication 800-53, Revision 4 and the NIST Cybersecurity Framework

[Image: National Cybersecurity Center of Excellence MOU Signing]

Originally released in 2005, NIST's Special Publication 800-53 has since gone through four revisions, the current one being Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations, with a fifth delayed[1] but in the works.[2] The SP 800-53 cybersecurity standards framework is largely a control framework that "provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations ... from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional)."[3]

The security controls—which act as recommended safeguards or countermeasures for protecting the integrity and availability of the information system, as well as the privacy and retention of the system's information—are classified by the complexity of, and the risks associated with, the information system, using the classifications "low," "moderate," and "high." Though controls can be applied from just one classification, organizations and agencies are free to select additional controls from the other categories and tailor them to their needs and goals.

The controls are organized into 17 families, and each family can have both baseline controls and control enhancements. The baseline controls are what they sound like: the core controls to be implemented in service of the family's goal. For example, the first family, Access control, has a baseline control "AC-2 Account management," which recommends that the organization develop a series of account management steps for its information systems. "AC-2 Account management" also has control enhancements, which can be selectively chosen to bolt additional requirements onto the base control. "AC-2 (3) Account management: Disable inactive accounts" is one such enhancement; it further stipulates that the system be able to automatically disable an inactive account after a designated period of time.
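As an added illustration (not code from the original page or from NIST), the following Python models the structure just described: a catalog fragment of controls with baseline allocations and enhancements, a baseline selection that allows tailoring from other classifications, and an implementation of the AC-2 (3) check run over constructed account records. The catalog contents, and which baselines include AC-2 (3), are assumptions made for illustration, not quotations from the publication.

```python
"""Constructed example: SP 800-53 baseline selection plus an AC-2 (3) check.
Not NIST's catalog or code. CATALOG is a hand-written fragment in the shape the
text describes; which baselines include AC-2 (3) is an assumption made for
illustration (the publication's tables are authoritative). Accounts are sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Iterable, List, Optional

IMPACT_LEVELS = ("low", "moderate", "high")

@dataclass(frozen=True)
class Control:
    ident: str                    # "AC-2" for a base control, "AC-2(3)" for an enhancement
    family: str                   # family code, e.g. "AC" for Access control
    title: str
    baselines: FrozenSet[str]     # impact levels whose baseline includes this control
    parent: Optional[str] = None  # base control identifier, set only on enhancements

CATALOG = [
    Control("AC-2", "AC", "Account management", frozenset(IMPACT_LEVELS)),
    Control("AC-2(3)", "AC", "Account management: Disable inactive accounts",
            frozenset({"moderate", "high"}), parent="AC-2"),  # allocation assumed
    Control("AC-3", "AC", "Access enforcement", frozenset(IMPACT_LEVELS)),
]

def select_controls(impact: str, extra: Iterable[str] = ()) -> List[str]:
    """Controls in one baseline, tailored with identifiers from other baselines.
    An enhancement cannot stand without its base control, so "AC-2(3)" pulls in
    "AC-2"; unknown identifiers raise so a typo cannot silently drop a control.
    """
    if impact not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level: {impact!r}")
    by_id = {c.ident: c for c in CATALOG}
    chosen = {c.ident for c in CATALOG if impact in c.baselines}
    for ident in extra:
        if ident not in by_id:
            raise KeyError(f"not in catalog: {ident!r}")
        chosen.add(ident)
        if by_id[ident].parent:
            chosen.add(by_id[ident].parent)
    return sorted(chosen)

@dataclass
class Account:
    name: str
    created: datetime
    last_login: Optional[datetime]  # None: never used since it was provisioned
    enabled: bool = True

def inactive_accounts(accounts: Iterable[Account], max_inactive: timedelta,
                      now: datetime) -> List[str]:
    """AC-2 (3): names of enabled accounts unused for longer than the period.
    A never-used account is measured from its creation date, so a provisioned
    but abandoned account is caught too; already-disabled accounts are skipped.
    """
    flagged = []
    for acct in accounts:
        if not acct.enabled:
            continue
        last_activity = acct.last_login if acct.last_login else acct.created
        if now - last_activity > max_inactive:
            flagged.append(acct.name)
    return sorted(flagged)

# Constructed sample data: a 90-day designated period evaluated on a fixed date.
NOW = datetime(2020, 5, 28, tzinfo=timezone.utc)
INACTIVITY_PERIOD = timedelta(days=90)
SAMPLE_ACCOUNTS = [
    Account("alice", NOW - timedelta(days=400), NOW - timedelta(days=3)),
    Account("bob", NOW - timedelta(days=400), NOW - timedelta(days=120)),
    Account("svc-backup", NOW - timedelta(days=200), None),  # provisioned, never used
    Account("carol", NOW - timedelta(days=400), NOW - timedelta(days=200), enabled=False),
    Account("dave", NOW - timedelta(days=10), None),  # new, still within the period
]

def demo_inactive() -> List[str]:
    """Run the AC-2 (3) check over the sample data; returns ['bob', 'svc-backup']."""
    return inactive_accounts(SAMPLE_ACCOUNTS, INACTIVITY_PERIOD, NOW)
```

Calling `select_controls("low", extra=["AC-2(3)"])` shows the tailoring described in the text: the "low" baseline plus an enhancement borrowed from a higher one, with its base control pulled in automatically.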

You'll notice that SP 800-53 is designed with federal information systems in mind. However, the framework still applies, with some modification, to organizations that aren't affiliated with a federal agency. With that in mind, NIST also developed NIST Special Publication 800-171, Revision 1: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, a somewhat simplified version of SP 800-53 with mappings to both NIST SP 800-53 controls and ISO/IEC 27001:2013 controls.

This guide leans heavily on SP 800-53, despite its mild complexity, because of its thoroughness, while keeping in mind ways to present cybersecurity planning from a more neutral, non-governmental organization's perspective. In fact, at the end of this guide, in Appendix 1, you'll find a somewhat simplified version of mostly "low" baseline controls and control enhancements, with a few select "moderate" and "high" ones mixed in. However, despite best efforts, the wording of some of those controls—particularly those that directly address networking issues—couldn't be simplified, and the overall collection of controls may still prove daunting to individuals not well versed in the technical language of cybersecurity. In that case, the NIST Cybersecurity Framework may prove a more comfortable framework to work with.

4.1 NIST Cybersecurity Framework

The NIST Cybersecurity Framework is the cybersecurity guidance that resulted from the 2013 U.S. Executive Order 13636: Improving Critical Infrastructure Cybersecurity.[4] Building on NIST Special Publication 800-53 (Revision 4), COBIT 5, and the ISO 27000 series of standards, the NIST Cybersecurity Framework attempts to be a higher-level, more concise, and voluntary framework that lets those without a rich technical background better implement cybersecurity measures within their organization.[5][6]

Version 1.0 of the framework was introduced in 2014, and by 2016[7]:

  • Seventy percent of organizations viewed the framework as "a security best practice," though fifty percent noted its required high level of investment as problematic to adoption.
  • Sixty-four percent of organizations chose to use only part of the framework "due to cost and lack of regulatory pressures."
  • Eighty-three percent of organizations that said they would be adopting the framework in 2017 also indicated they would only use part of the framework.

However, organizations are slowly shifting from moment-in-time approaches to cybersecurity toward long-term, continual conformance and improvement.[7][8][9] Version 1.1 of the NIST Cybersecurity Framework was introduced in April 2018, updating guidance on authentication and identity procedures, self-assessment of cybersecurity risk, and vulnerability disclosure.[10] Since the framework is already based upon NIST SP 800-53 and other solid frameworks, and it was developed "to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders,"[11] it is likely to be further embraced in some form worldwide.

It should be noted, however, that the framework isn't strictly intended to stand alone; rather, it's meant to be customized and used in conjunction with the control, program, and risk frameworks it's based upon.[6] At its core, the NIST Cybersecurity Framework promotes the functions of identification, protection, detection, response, and recovery. Aligned with those functions are nearly 300 controls pulled from the referenced frameworks, reinforcing that the related concepts of security control development, project management, and risk management are rooted in the framework.[6]

References

  1. Miller, J. (3 September 2019). "OMB's regulatory review is creating a backlog of cyber standards". Federal News Network - Reporter's Notebook. Hubbard Radio Washington DC, LLC. https://federalnewsnetwork.com/reporters-notebook-jason-miller/2019/09/ombs-regulatory-review-is-creating-a-backlog-of-cyber-standards/. Retrieved 19 December 2019.
  2. National Institute of Standards and Technology (28 April 2020). "Security and Privacy Controls for Information Systems and Organizations (Final Public Draft)". Computer Security Resource Center. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft. Retrieved 28 May 2020.
  3. "NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations". Computer Security Resource Center. National Institute of Standards and Technology. 22 January 2015. https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final. Retrieved 19 December 2019.
  4. "Fact Sheet: Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21 Critical Infrastructure Security and Resilience". U.S. Department of Homeland Security. March 2013. https://www.dhs.gov/publication/eo-13636-ppd-21-fact-sheet. Retrieved 19 December 2019.
  5. Chang-Gu, A. (2 March 2015). "NIST Cybersecurity Framework vs. NIST Special Publication 800-53". Praetorian Security Blog. Praetorian Security, Inc. https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53. Retrieved 19 December 2019.
  6. Morgan, J. (4 April 2018). "How to Use the NIST Cybersecurity Framework: A Conversation with NIST's Matthew Barrett". Security. BNP Media. https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework. Retrieved 19 December 2019.
  7. Dark Reading Staff (30 March 2016). "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". Dark Reading - Attacks/Breaches. Informa PLC Informa UK Limited. https://www.darkreading.com/attacks-breaches/nist-cybersecurity-framework-adoption-hampered-by-costs-survey-finds/d/d-id/1324901. Retrieved 19 December 2019.
  8. BizTech Staff (20 December 2017). "Why a Risk-Based Approach Leads to Effective Cybersecurity". BizTech. CDW LLC. https://biztechmagazine.com/article/2017/12/why-risk-based-approach-leads-effective-cybersecurity. Retrieved 19 December 2019.
  9. Daniel, M. (25 January 2018). "Smarter Cybersecurity Thinking: Change Your Mindset to Even the Odds". Cyber Threat Alliance Blog. https://www.cyberthreatalliance.org/smarter-way-think-cybersecurity-change-mindset-even-odds/. Retrieved 19 December 2019.
  10. "NIST Releases Version 1.1 of its Popular Cybersecurity Framework". National Institute of Standards and Technology. 16 April 2018. https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework. Retrieved 19 December 2019.
  11. "New to Framework". Cybersecurity Framework. National Institute of Standards and Technology. 18 November 2019. https://www.nist.gov/cyberframework/new-framework. Retrieved 19 December 2019.