Honing NIST Cybersecurity Framework with Occam’s Razor

You are anxious to put the NIST Cybersecurity Framework into action. You have your core ducks lined up: identify, protect, detect, respond, and recover. You have an idea of your framework tier (risk maturity level), and you have a sketch of a current and future state profile. What next?

You are not alone in adopting a security framework: 80% of respondents in a 2016 Tenable study are using some form of framework. Moreover, this finding is across the board from SMB (100 – 1000 employees) to the enterprise (5000+ employees).

Adopting a framework is relatively straightforward; implementing one is hard: 95% of the survey respondents report significant implementation challenges.

Overview of NCSF Controls Factory Model (CFM)

As I wrote in my last post, we need help operationalizing these frameworks, and it starts with the right training. To this end, I have just finished reviewing the first few modules of the upcoming itSM/UMass NIST Cybersecurity Framework Controls Factory Model™ (CFM) Practitioners course. It is phenomenal!

The power of the NCSF CFM is its flow, flexibility, and extensibility. It succinctly addresses the critical challenges referenced in the above report: organizational, operational, and technological. The essence of the model is reducing the organization’s risk by converting unmanaged (high risk) assets into managed (low risk) assets by running them through the factory.

The CFM’s simplicity is striking, especially when I compare it to other security operations methodologies that can be overly complicated. For operationalizing the NIST CSF, I am following Occam and focusing on the simplest solution to get the job done.

The factory has three main tracks:

  1. Engineering Center – The engineering center is the factory hub, addressing vulnerabilities, the controls framework, assets, and identities for the organization. This function develops the set of differentiated technical and business controls that link directly to the NIST CSF, and it maintains a detailed understanding and mapping of all risk components.
  2. Technology Center – The technology center covers the design, build (technology), managed services, testing, and assurance of all technical controls. This function determines and implements the optimal technology solutions to automate the controls and operates the Security Operations Center (SOC).
  3. Business Center – The business center covers the control design related to critical business processes and staff. This function establishes an industry-standard cyber risk management program and manages control implementation (via policy), workforce development, executive communications, testing, and the assurance of overall security operations.

As Larry Wilson, UMass CISO (training program author), explains during the training, “The Controls Factory produces managed assets that are implemented into an enterprise network and support essential business functions. The goal of our controls factory is to ensure these assets include security controls that safeguard the critical assets against the latest cyber-threats.”

The CFM is the heart of an itSM/UMass NCSF workforce development program that teaches individuals and organizations “how to” Engineer, Operate and Manage the Business Governance of a NIST Cybersecurity Framework (NCSF) Program. Each learning track also aligns with the workforce categories outlined in the NICE Cybersecurity Workforce Framework.

If I have piqued your interest, please contact me, and I am happy to discuss the curriculum and provide training samples.

Coming Next

In my next post, I get into some of the core aspects of each CFM function. In particular, I highlight the extensibility of the model as it pulls from a range of standards and frameworks, including NIST, ISO, CIS, and PCI.