[BreachExchange] How to Choose the Right Cybersecurity Framework

Destry Winant destry at riskbasedsecurity.com
Wed Mar 17 10:30:17 EDT 2021


https://www.darkreading.com/risk/how-to-choose-the-right-cybersecurity-framework/a/d-id/1340319?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cybersecurity frameworks can help reduce your risk of supply chain
attacks and increase your competitive advantage.

The dramatic rise in ransomware attacks and the SolarWinds Orion hack
have thrust cybersecurity back into the spotlight. With everyone a
target, it's time for organizations to implement cybersecurity
frameworks like those provided by the National Institute of Standards
and Technology (NIST), which can help you set a bar for measuring your
cybersecurity effectiveness.

Taking Your First Steps
Start by setting goals for your cybersecurity program that align with
the business's needs. Stakeholders from across the organization — from
the C-suite and upper management to support teams and IT — should be
involved in the initial risk-assessment process and setting a
risk-tolerance level.


While deciding where to start your implementation can feel like trying
to boil the ocean, one way to make it less intimidating is to run a
pilot program focused on a single department. This can help uncover
lessons about what does and doesn't work, what tools will help you
succeed, and best practices for a wider rollout.

From there, identify the type of data the organization processes and
map out its life cycle. A simple model will help lay a foundation for
understanding the organization's cybersecurity risk and identify the
points along the supply chain where more time and resources should be invested.
Business tools and software are often important sources and collectors
of data, so ask vendors about their data privacy policies to ensure
they reflect your goals.

With a basic understanding of the goals, project scope, and current
data privacy and life-cycle processes, it will be much easier to
select a cybersecurity framework.

Picking the Right Security Framework
A good cybersecurity framework will help you identify risks, protect
company assets (including customer data), and put steps in place to
detect, respond to, and recover from a cybersecurity event. There are
many frameworks, but the following three stand out as especially
relevant to the types of attacks, like ransomware and supply chain
attacks, that are accelerating in use.

NIST Cybersecurity Framework (CSF Rev 1.1)
The NIST Cybersecurity Framework (NIST CSF) was developed in 2014 for
private sector critical infrastructure like utilities, water supply,
telecommunications, financial services, and healthcare. As a voluntary
set of guidelines that outlines a series of policies and controls, the
framework guides cybersecurity activities through a lens of aligning
risk management with business needs.

The NIST CSF consists of three parts: the Core, the Implementation
Tiers, and the Framework Profiles, and it was designed so that any
organization can apply the principles and best practices. The
framework is widely recognized as a definitive set of security best
practices.

The NIST CSF is not one-size-fits-all, and it offers versatility by
dividing the Core into five functions: Identify, Protect, Detect,
Respond, and Recover. With the NIST 800-171 framework as part of its
structure, organizations can focus on implementing the NIST CSF
controls that are critical to service delivery now and make plans for
implementing other controls as requirements arise. Ultimately, even if
an organization deploys a partial set of the NIST CSF's controls, it
still reduces cybersecurity risk while increasing management efficacy.

NIST 800-53 (Rev. 5)
The NIST 800-53 framework originated in 2005 and applies to all
federal information systems per the Federal Information Processing
Standard 200 (FIPS 200) cybersecurity requirements. However, the
framework does not apply to National Security Systems (NSS), which
rely on an even higher standard for determining a high-water mark
(HWM) on the potential impact of security incidents. Now in its fifth
revision, the framework outlines a series of security and privacy
controls that cover aspects of policy, oversight, manual processes,
and automated mechanisms implemented by systems or individuals and
applicable to both the federal and private sector.

The controls are organized into 20 families, with each family relating
to a specific topic like awareness and training, identification and
authentication, or supply chain risk management. As it was originally
designed for federal information systems, NIST 800-53 offers an
incredibly robust set of standard controls for the collection,
processing, storage, transfer, and protection of sensitive
information. From providing step-by-step guidelines for developing
cybersecurity literacy and awareness training programs to combat
phishing, to securing servers and Web services to prevent external
hackers, NIST 800-53 offers many easy and effective ways to improve
cybersecurity.

Cybersecurity Maturity Model Certification & NIST 800-171 (Rev. 2)
In December 2020, the Department of Defense (DoD) officially
introduced a new cybersecurity certification requirement for its
contractors and subcontractors. The new Cybersecurity Maturity Model
Certification (CMMC) consists of five levels, with each providing
specific controls and policies for the secure handling of federal data
by private sector information systems. CMMC was purposefully designed
to protect the DoD against supply chain attacks that could disrupt
military and defense operations. By October 2025, all DoD contracts
will require some level of CMMC accreditation.

As a guideline for private sector organizations handling federal
information and data, the CMMC is a prescriptive cybersecurity
framework with step-by-step instructions for implementation with the
aim of increasing security, reducing risks, and furthering security
management. Using this framework can also be a competitive advantage
for businesses. Similar frameworks are likely to be implemented across
other federal departments and raise new requirements for contractors
and subcontractors. As enterprise customers increase their specific
data protection and privacy requirements, a CMMC certification can
open many new doors.

Cybersecurity Is a Business Decision
Whether a business is just starting on its security journey or looking
to improve the policies and procedures it has in place, investing in
security is a long-term business decision. With security becoming an
ever-growing focus for consumers and end users, cybersecurity
frameworks can help simplify the transformation and set the
organization up for success.
