Wednesday, March 5, 2014

Why I like the new NIST Framework. It is simple and doesn't cover anything.



Ever since the new NIST Cybersecurity Framework (officially named 'Framework for Improving Critical Infrastructure Cybersecurity', released in February 2014) came out, it has caused a lot of discussion in cybersecurity and IT risk management circles.

Some people opined that this is a step in the right direction and thanked NIST, DHS and the C³ (Critical Infrastructure Cyber Community) for all of their volunteer work.

Others claimed it didn't go far enough, and compared it unfavourably to an ISO/IEC 27001 Information Security Management System (ISMS).

My opinion is that the NIST framework is a step in the right direction. The ISO 27000 series, NIST SP 800-53 and COBIT are large and comprehensive, and are designed to be that way. I believe the NIST framework can be used to complement the larger systems of controls as well as present a more understandable snapshot to upper management.

Let's look at the word 'Framework'. A framework is not a bridge. It is not a building; it is not even a platform. The NIST framework isn't a bridge to compliance, we are not building cybersecurity controls with it, and it isn't even a platform to hold up or support an existing or proposed solution.

It is a framework: small, light, and designed to eventually support the bridge, building, platform and controls that you layer on top of it. Its Core is five Functions (Identify, Protect, Detect, Respond, Recover), broken down into Categories and Subcategories, each of which points at informative references in the larger control catalogues (ISO/IEC 27001, NIST SP 800-53, COBIT 5 and others) rather than restating them. Smaller companies may only have the time and resources to bolt a couple of controls on to it.

The NIST framework will allow the IT risk/cybersecurity group to provide concise periodic feedback to upper management, for example as a Current Profile set against a Target Profile. Sending a COBIT gap analysis document or an ISO 27001 report to the CEO or CFO might look impressive: 750 pages of your finest work, months of collecting statistics and documents and measuring controls and their effectiveness. But this collection of three-ring binders will do nothing but collect dust. You already know that. They won't read it and you will be frustrated.

I am not saying you should not do this work. If you have selected COBIT/Risk IT, ISO 27001 or NIST SP 800-53, it is my opinion that the NIST framework can also be used to distill your findings, gaps, risks, vulnerabilities, exposures and controls into a smaller, easier-to-grasp concept. "And it is government approved."

Lastly, my only worry is that this framework will be used INSTEAD of a more comprehensive system: that it will be used as an excuse, or as the only basis for measuring the effectiveness of your cybersecurity controls.

Below are reference links:
[Update, March 23: DoD abandons DIACAP in favor of the NIST Risk Management Framework. Note that the RMF (NIST SP 800-37) is a separate document from the Cybersecurity Framework discussed above; the DoD move is to the RMF, not to the CSF.]
http://www.fiercegovernmentit.com/story/dod-abandons-diacap-favor-nist-risk-management-framework/2014-03-18