When I look at all of these frameworks, whether it's NIST, ISO or X organization – I can't help but wonder how it all comes together: Who is the audience? Does it actively portray risk? Does it actually help with threat reduction?
And the biggest question of all – is it usable?
While the Department of Defense's Cyber Maturity Model (CMMP) is now onto its 0.4 release, when I look at it, I see something that looks very similar to the NIST CSF. It has tables that outline:
- Target level of maturity
Figure 1: DoD CMMP table
And it's certainly easy: anyone with a simple spreadsheet or Excel could merely transfer the CMMP framework over to a simple file-based questionnaire. Great news for NIST CSF aware organisations and resources.
The challenge, though, is obvious once a few questions are asked:
- Do individuals following these vague details actually know what is required for cybersecurity? Or do they pick and choose which parts of the standard apply based on their own interpretation? Customers looking at NIST often see a whole bunch of information, and their interpretation of it could lead to some perilous decisions and assumptions.
- Is the coverage in this document sufficient for enhanced controls? The model is highly generic, which isn't necessarily a bad thing; however, it could be insufficient where stronger security level targets are not being addressed.
The latter point speaks more to the reason for this article: if NIST CSF and DoD CMMP do not have adequate language or clarity on defining scenarios or organization/target security levels, where do I find that answer?
Well, the answer (today at least) is currently in DRAFT form: NIST SP 800-171B, along with the concept of overlays used in SP 800-82 to enhance NIST CSF controls for use with critical infrastructure. The first document sticks to the same terminology used to cluster capabilities and domains; however, for each item (where applicable) it has several sections that discuss the challenges and the logic and solutions behind them. Additionally, there is usually a hyperlink cross-referencing related NIST special publications, so readers can find and be aware of additional reference documentation.
Figure 2: Example discussion for enhancement
In particular, some of the most noticeable areas to explore are related to:
- Reducing the extent of malicious code propagation
- Disrupting attack surfaces
- Isolation techniques (physical included)
- System integrity including PKI
- Ongoing monitoring for specific conditions
- Convergent and future technologies (e.g., IoT/IIoT)
Regardless of whether other documents existed previously, or that contractors might be looking for a one-stop shop for DoD CMMP, the answer is that it will take a series of several documents to be able to answer these assessments even on the surface. And as for asset owners or product vendors, some of these targets sit lower and carry less importance when compared to many of the SP 800-171 requirements, because high-level requirements leave room for interpretation and implementation errors.
In fact, the higher-level frameworks do not tell a product owner how to actually engineer for security and actually reduce risks related to cyber-enabled threats. However, I'm not saying any of these frameworks or guidelines are wrong. On the contrary, I believe NIST CSF, 800-82 & 800-171 could easily be mapped TOGETHER to provide a more comprehensive level of definition & description than that contained in the CMMP today. Oh, and by the way – this is easily implemented in the Verve Security Platform through our extensible approach to reporting.
If you have any questions – feel free to reach out to firstname.lastname@example.org or comment.