Why Your State Should Join the 21 That Use the NIST Cybersecurity Framework
Twenty-one states and the Multi-State Information Sharing and Analysis Center are currently using the “Framework for Improving Critical Infrastructure Cybersecurity,” also known as the Cybersecurity Framework. States that have not yet implemented it should do so promptly.
Convened by the National Institute of Standards and Technology and developed by a diverse group of stakeholders, the Cybersecurity Framework gives states a standardized cybersecurity vocabulary while leaving room for customization by individual organizations. States can measure their cybersecurity progress against standard outcomes, revealing where and how to improve their security posture.
For instance, the Florida Agency for State Technology has developed a tool to manage cybersecurity risk. The Florida Cybersecurity Standards Risk Assessment Tool helps state organizations to determine threats, likelihood and consequences across the framework’s entire catalog of outcomes.
The California Department of Technology’s Office of Information Security has established the California Cybersecurity Maturity Metrics to assess program maturity and effectiveness across state organizations. CCMM displays weighting and maturity scores for each agency using the structure of the Cybersecurity Framework.
States Can Use the Framework to Assess Cybersecurity Outcomes
Much of the value of the Cybersecurity Framework is derived from five concepts — identify, protect, detect, respond and recover — referred to as “functions.” The functions represent various states of operation that could be summarized as understanding cybersecurity risks, proactively safeguarding against those risks, determining if any risks have manifested, neutralizing active risks and resuming normal operation. The five functions represent the complete breadth of cybersecurity considerations.
The descriptions of the five functions, and a vocabulary of related terms, are presented as cybersecurity outcomes. Each outcome is assessed by answering “yes” or “no” for specific operations. Use the Cybersecurity Framework to determine the cybersecurity outcomes that are most meaningful for an operation, weighing its objectives, requirements and technical environment.
Since the outcomes are designed to be technology-neutral, they apply across many different technical environments. The Cybersecurity Framework is also designed to be agnostic to the phase of the system lifecycle, which makes its outcomes meaningful waypoints for designing, developing, deploying, operating and decommissioning systems.
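To make the yes/no outcome assessment and per-function scoring described above concrete, here is a small added example in Python. It is illustrative code written for this page, not the Florida Risk Assessment Tool or the California CCMM: the subcategory IDs are real CSF 1.1 identifiers (their descriptions are paraphrased), while the sample agency answers and the per-function weights are constructed for the example. Unanswered outcomes are deliberately counted as “no”, so an incomplete assessment cannot inflate a score.

```python
"""Outcome-coverage scoring against the five Cybersecurity Framework functions.

Added example for this article; not the Florida or California state tooling.
Subcategory IDs are real CSF 1.1 identifiers; descriptions are paraphrased.
Sample answers and weights are constructed for illustration.
"""

# Framework functions, keyed by the two-letter prefix used in CSF 1.1 subcategory IDs.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# A small slice of the CSF 1.1 outcome catalog (IDs real, descriptions paraphrased).
OUTCOMES = {
    "ID.AM-1": "Physical devices and systems are inventoried",
    "ID.AM-2": "Software platforms and applications are inventoried",
    "PR.AC-1": "Identities and credentials are managed for authorized users, processes and devices",
    "PR.DS-1": "Data-at-rest is protected",
    "DE.CM-1": "The network is monitored to detect potential cybersecurity events",
    "DE.AE-1": "A baseline of network operations and expected data flows is established",
    "RS.RP-1": "Response plan is executed during or after an incident",
    "RC.RP-1": "Recovery plan is executed during or after a cybersecurity incident",
}

# Constructed example: one agency's yes/no answers. RC.RP-1 is left unanswered.
SAMPLE_ASSESSMENT = {
    "ID.AM-1": True, "ID.AM-2": False,
    "PR.AC-1": True, "PR.DS-1": True,
    "DE.CM-1": True, "DE.AE-1": False,
    "RS.RP-1": True,
}

# Constructed example weights: equal emphasis on each function (must sum to 1.0).
SAMPLE_WEIGHTS = {name: 0.2 for name in FUNCTIONS.values()}


def function_of(outcome_id: str) -> str:
    """Map a subcategory ID such as 'PR.AC-1' to its function name ('Protect')."""
    prefix = outcome_id.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown function prefix in outcome id: {outcome_id}")
    return FUNCTIONS[prefix]


def score_assessment(answers: dict) -> dict:
    """Return per-function coverage in [0, 1]: achieved outcomes / catalogued outcomes.

    Unknown outcome IDs are rejected; catalogued outcomes missing from `answers`
    are treated as 'no' (not achieved) so partial assessments cannot inflate scores.
    """
    unknown = set(answers) - set(OUTCOMES)
    if unknown:
        raise ValueError(f"answers reference outcomes not in the catalog: {sorted(unknown)}")

    achieved = {name: 0 for name in FUNCTIONS.values()}
    total = {name: 0 for name in FUNCTIONS.values()}
    for outcome_id in OUTCOMES:
        fn = function_of(outcome_id)
        total[fn] += 1
        if answers.get(outcome_id, False) is True:
            achieved[fn] += 1
    # A function with no catalogued outcomes would divide by zero; report 0.0 coverage.
    return {fn: (achieved[fn] / total[fn] if total[fn] else 0.0) for fn in FUNCTIONS.values()}


def weighted_maturity(coverage: dict, weights: dict) -> float:
    """Collapse per-function coverage into one weighted score in [0, 1]."""
    if set(weights) != set(FUNCTIONS.values()):
        raise ValueError("weights must name exactly the five functions")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    return sum(weights[fn] * coverage[fn] for fn in weights)


def gaps(answers: dict) -> list:
    """List catalogued outcomes that are not achieved (answered 'no' or unanswered)."""
    return sorted(oid for oid in OUTCOMES if answers.get(oid, False) is not True)


if __name__ == "__main__":
    cov = score_assessment(SAMPLE_ASSESSMENT)
    for fn, value in cov.items():
        print(f"{fn:<9} {value:.0%}")
    print(f"weighted maturity: {weighted_maturity(cov, SAMPLE_WEIGHTS):.2f}")
    print("gaps:", ", ".join(f"{oid} ({OUTCOMES[oid]})" for oid in gaps(SAMPLE_ASSESSMENT)))
```

The gap list is the actionable part: it is the “revealing how to improve their security posture” step, expressed as the specific outcomes an agency has not yet achieved, grouped by the framework’s own identifiers so that two agencies with different technology stacks can still be compared on the same vocabulary.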
NIST to Highlight Best Practices for States
With a Version 1.1 update to the Cybersecurity Framework published in April, NIST now turns its attention to highlighting best practices, such as those of the states. NIST will showcase and discuss best practices at its annual gathering of Cybersecurity Framework stakeholders, the NIST Cybersecurity Risk Management Conference, in Baltimore Nov. 7-9. While many approaches to cybersecurity risk management will be discussed, the Cybersecurity Framework remains a focus of the conference.
State governments and supporting organizations are invited to learn more about using the Cybersecurity Framework. In the interim, the Cybersecurity Framework website provides an extensive catalog of quotes, resources and online learning modules for further reading. Visit it at nist.gov/cyberframework.