NIST Offers 8 Ways Agencies Can Use Its Cybersecurity Framework

Federal officials in the market for new products and services might consider asking candidates to include a profile based on the National Institute of Standards and Technology Cybersecurity Framework during the acquisitions process, a new interagency report suggests.

“Respondents can be encouraged to include their Cybersecurity Framework Profile in the reply to a request for information or a sources sought notice,” reads NISTIR 8170, which NIST released Thursday.

“A reply describing cybersecurity capabilities of a product or service that includes Cybersecurity Framework terminology would help the agency to better compare and contrast the cybersecurity capabilities of organizations, products, and services of respondents,” NIST wrote. “It also provides agencies the means to consistently and objectively assess the cybersecurity posture of potential partners.”

NIST published the “Framework for Improving Critical Infrastructure Cybersecurity” or CSF, as it’s known, following Executive Order 13636. The Obama administration hoped private-sector owners of critical infrastructure would voluntarily use the tool to manage cybersecurity risks and prioritize mitigations based on their individual profiles.

In May 2017, President Trump issued Executive Order 13800, mandating federal agencies use the framework to, among other things, “document the risk mitigation and acceptance choices,” in reports to the Department of Homeland Security and the Office of Management and Budget.

But many organizations, public and private, still struggle to understand how to implement the framework and its relationship with other key documents, such as the “heavily used NIST Risk Management Framework.”

“Integrate Enterprise and Cybersecurity Risk Management” is the primary example among eight NIST provides in the new report for how agencies might implement the CSF throughout their processes, including procurement. 

Along with NISTIR 8170, the agency also released a draft document—Draft NISTIR 8286—focused entirely on this approach. It examines how to use a risk register to document cybersecurity risk as a consideration of broader enterprise risk management, and is available for comment through April.

The CSF is supposed to help chief information officers and technical personnel communicate their needs to executive-level officials by establishing a common, standardized lexicon.

But the regulatory landscape is complex. And even across the two NIST documents the definition of key terms varies. 

“NIST IR 8170 uses enterprise risk management and organization-wide risk management interchangeably,” reads draft NISTIR 8286. “The scope of IR 8170 includes smaller enterprises than this publication does, so an enterprise as defined in IR 8170 may be comprised of a single organization. The enterprises being discussed in this publication have more complex compositions.”

The CSF was also meant to avoid organizations falling into a false sense of security by relying on prescriptive checklists of security controls instead of undertaking a more analytical risk management approach that would direct them to security controls specific to their needs, including those for complying with regulatory requirements.

That mapping exercise can get complicated but, as NISTIR 8170 notes, there’s a checklist of checklists to help with that.