While the Federal Cyber Security Framework (CSF) drafting process has been one of the better collaboration exercises the government and private sector have engaged in for quite some time, it has also put the spotlight on the many challenges associated with critical infrastructure cyber security.
The CSF is the result of industry stakeholders and the National Institute of Standards and Technology (NIST) collaborating on the selection of key security controls from various existing frameworks like the Top 20 Critical Controls, ISO 27k, NERC CIP, COBIT and more, along with industry input.
The effort is aimed at consolidating these controls into one streamlined document to produce a security capability maturity model, driven by stakeholder incentives that encourage adherence to parameters which are, as yet, undefined.
The initiative was prompted by President Obama’s Executive Order issued in February of this year and is scheduled to be finalized by February, 2014. It is intended to be a broadly applicable “living document” that allows for flexibility to accommodate a range of industries already subject to numerous regulatory mandates.
When the final version of the CSF is eventually realized, the biggest obstacle for many organizations will be determining exactly where to begin implementation and how to do so within strict budget constraints.
To better understand the dynamics involved in adoption of the CSF, we caught up with Adam Meyer, currently the Chief Information Security Officer for one of the largest public transportation systems in the United States.
Additionally, Meyer provides specialized training and consulting services as the President of CyberWise Advantage Inc. in the areas of Business Resiliency, Data Governance, Risk Management and Systems Security Engineering.
In Meyer’s view, although the CSF has proven to be a valuable collaboration exercise in the spirit of expanding the public/private partnership, there are still glaring holes in the strategy when attempting to translate it to the operational world, where the risks are very real and security budgets are far from infinite.
“The framework has several deficiencies that many organizations will need to account for when building out or modifying their current cyber security practices,” Meyer said.
To help translate the CSF to an operational view, Meyer has created a “mind map” style document (a PDF file) that provides much-needed visibility when organizations begin the arduous task of translating the CSF to their operations.
“The theory was that if an organization was in the critical infrastructure sector and new to this game, they likely wouldn’t have the time or budget to navigate all of these compliance frameworks, and might just need an instructional guide on how to get these things done,” said Meyer.
“I started the mind map as a basis for outlining all of the products and services that would be required, and then tried to bucket them into people, processes and products,” he said.
Meyer has long said that “compliance does not result in good security, but good security does result in compliance,” and NIST even referenced Meyer’s quote during the CSF drafting process. To his dismay, in the end everyone is still worried about compliance issues rather than how to get the job of security done.
“I built this mind map as a starting point so that if I walked through the door of an organization who had nothing in place, we could just print it out, lay it on a table, and start pulling services together to do a gap assessment based on sound tactical practices, rather than having to research all of the confusing compliance frameworks out there,” Meyer said.
“Over time the mind map will become more interactive as each topic area will be linked to best practices, artifacts and tools to help them solve that particular area. I hope to post a web based interactive version in the future.”
Meyer notes that systems are inherently vulnerable simply because we continue to deploy vulnerable systems, a fact that points to the lack of systems security engineering best practices with a focus on resiliency and reliability.
“These are two areas that are regularly removed from most compliance frameworks, perpetuating the cycle of deploying vulnerable systems,” Meyer said. “So resiliency and reliability have been added to this mind map under Secure Architecture as well as the CERT-RMM model under Risk.”
The end goal, Meyer says, is to take the compliance-based CSF and translate it into defined products and services areas where people, process and products can be more easily identified.
A gap analysis can then be completed based on capability maturity, Meyer says, and the end result should translate into: knowing who is accountable for what; which data has what value; how resilient an organization is; and how much it could cost to maintain that level of resilience while being compliant with any applicable regulatory requirements.
Meyer provided the following summary to aid in understanding his mind map’s structure:
1. All of the Data Security areas should normally be handled over in the Data and Information Governance efforts where Privacy, HIPAA, Financial, Law Enforcement and other sensitive data requirements would be identified.
2. Instead of breaking up Detect/Respond and Protective Technology, which are things a NOC/SOC would be tasked with, bring them all together under Security Operations.
3. Availability/Recovery/Reliability should be a function of good engineering, so they have been moved to Secure Architecture.
4. Business Environment is going to be really tough for many organizations, especially on the private side, so the whole “Identify” category will be a challenge for many.
5. Also take note that almost the entire “Identify” area has nothing to do with IT services, and requires multiple stakeholders to “identify business value of workforce functions by role” and “identify third-party stakeholders (business partners, suppliers, customers) and interdependencies among those relationships” which will elicit negative feedback, so in order for this to really happen incentives will need to be pretty darn appealing.
While the decision to implement and adhere to the CSF is thus far completely discretionary, Meyer points out that the initiative has enough momentum and credibility that it will most certainly be a game changer, and have a deep impact for every organization.
“It is in every organization’s best interest to assume that the CSF will establish itself as the basis for assessing due diligence in any post-incident litigation, regardless of whether this Framework remains voluntary or not,” Meyer said.