Navigating the NIST Cybersecurity Framework

Transcription

1 Navigating the NIST Cybersecurity Framework Explore the NIST Cybersecurity Framework and tools and processes needed for successful implementation. Abstract For federal agencies, addressing cybersecurity threats while maintaining mission-critical operations is a challenge. The NIST Cybersecurity Framework promises to help agencies meet these dual needs. But in these early days of the Framework rollout, agencies may find implementation comes with its own set of challenges. How can agencies navigate the Framework to most effectively implement the guidelines? Introduction Since 2009, the reported number of cyber intrusions at federal agencies has increased 144% 1, keeping cybersecurity a top priority for the federal government. With thousands of employees, often siloed departments, and tight budgets, increasing agency cybersecurity while still maintaining missioncritical operations presents critical challenges. To address these challenges, Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directed the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The resulting NIST Cybersecurity Framework includes leading practices that a variety of standards bodies have deemed successful. Like the Federal Identity Credential and Access Management (FICAM) framework, this framework is a collection of best practices practices that improve efficiency and protect constituents. Many of the best cybersecurity measures are purely organizational going above and beyond technology to look at what the agency as a whole is doing for response and recovery. However, Dell has helped many federal agencies develop cybersecurity plans, and believes the Framework 1 Government Accountability Office, Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent.

2 Core Implementation tier Profile Partial Repeatable Risk informed Adaptive Set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors How an organization views cybersecurity risk and the processes in place to manage that risk Alignment of the mission requirements, risk tolerance, and resources of the organization The NIST Framework at a glance Top Challenges in Addressing Cyber Threats 1. Budget constraints 2. Slow technology acquisition process 3. Bureaucratic inertia 4. Need to comply with three or more federal mandates 5. Inability to provide managers and auditors evidence of appropriate IT controls offers a solid platform for developing a cybersecurity strategy that will protect them from current known, and future unknown, threats. Yet, the Framework is intentionally broad no agency can implement every guideline and no single technology vendor can address every aspect of it. To use this framework to its fullest effect, you need to understand what is important to your agency and the cybersecurity and IT challenges you face. Challenges Facing Federal Agencies Based on our experience in the federal agency cybersecurity arena, Dell has identified key challenges federal agencies face in adopting the Framework and issues to consider in implementing the Framework. The first challenge agencies face is the sheer number of cyber threats they must deal with: 52% of federal executives say their agency is the target of cyber intrusions multiple times each month or more and 30% say they are a target multiple times each day, according to Dell-sponsored research by the Government Business Council (GBC). Creating thoughtful, proactive policies when operating in a crisesmanagement mode is nearly impossible for any organization. The GBC research also found 86% of respondents face obstacles to a more holistic federal cybersecurity posture. Not surprisingly, the top obstacle is budget constraints (61%). Other common challenges include a slow technology acquisition process (46%) and bureaucratic inertia (44%). Federal executives report that each of their information system layers (i.e., network, host, application, and data levels) are secure, but say there is room for improvement. In particular, respondents single out workforce education (52%) and risk management (51%) as cyber defense elements needing the most improvement. In Dell-sponsored research conducted by government market research firm Market Connections, Inc., 72% of agencies said they must comply with three or more federal mandates. Half (51%) describe their organization s ability to provide managers and auditors evidence of appropriate IT controls as fair (they have the tools in place to respond to issues, but are reactive rather than proactive). Another challenge is the silos in which many agencies are divided. Security measures for this siloed approach were developed long before cloud, BYOD, and other innovations became mainstream. They work best for locking down only parts of the enterprise the network or the endpoint, the user or the 2

3 data. Because they were developed to operate in siloed environments, these approaches create gaps, forcing IT to manage each silo separately. And this increases costs and risk while challenging everybody especially users. Most of these challenges have more to do with organizational policies rather than technology. However, all of these challenges can be, at least in part, addressed by having the right processes in place and the right technology can help streamline processes. Addressing these key challenges as you begin developing a NIST framework strategy is critical to developing an effective plan. Developing a NIST Cybersecurity Framework Strategy There is good news for agencies that may be feeling overwhelmed after an initial reading of the Framework: There is no requirement that agencies address all 102 subcategories. The Framework isn t about doing everything now it s about thinking through the issues and challenges and developing processes that evolve over time. The reality is, there may be 7, 10, or even 20 things your agency can do now that will accomplish 80% of your implementation plan a solid foundation from which to advance over the course of the next months or years. When reconfiguring any IT processes, it s important to take a look at what you have and how it fits within the Framework changing course on a technology investment you ve already committed to may be costly and unnecessary. There are often multiple ways to address any requirement. Assess how your agency is already meeting or exceeding cybersecurity requirements. You may be focusing your efforts on the categories that comprise the Framework, or you may be doing it some other way that is still valid, even if it doesn t follow the Framework. Operationally, this is your challenge and one that a systems integrator can help you navigate. To effectively understand where you need to go, you need to stop and assess where you are. This seven-step process will get you going in the right direction: 1. Prioritize and scope mission objectives and priorities. 2. Match critical systems with threats. 3. Create a current cybersecurity technology profile based on Framework categories. 4. Conduct a risk assessment. 5. Create a target profile (an organization s desired state). 6. Determine, analyze, and prioritize gaps between mission priorities, critical systems, current technology profile, desired state, and risks. 7. Develop a strategy to address the items uncovered in step 6. When you look at what is important to your organization in terms of cybersecurity and mission-critical operations, what rises to the top? Those are the areas to focus your efforts when it comes to aligning processes and technology with the Framework. You can use that knowledge as the foundation for a plan to implement key cybersecurity priorities that follow the NIST guidelines. While no one integrator has tools to address every aspect of the Framework, one with deep federal knowledge can help you develop the strategy and identify the processes. The Framework places a strong emphasis on collaboration with an intention that agencies learn from each other. Integrators can easily facilitate that knowledge sharing. Dell and the NIST Framework With over a hundred distinct subcategories, completely satisfying all Framework requirements is a challenge to even the most adept organization. While some compliant infrastructure and processes may be in place, it s most likely that you ll need to take additional steps to meet the Framework. Dell offers a number of hardware, software, and services solutions to help you take those steps. At end of day, complying with the Framework is not about trying to complete a checklist. It s about figuring out your agency s real world priorities and what will move you toward achieving them as quickly as possible. Paul Christman,Vice President, Dell Software Public Sector 3

4 NIST Framework Function (and Identifier) Category Dell Solutions Identify (ID) Asset Management Business Environment Governance Risk Assessment Risk Management Strategy Supply Chain Assurance Dell One Identity (Identity & Access Management IAM) Dell One Identity KACE Systems Management Dell Data Protection Encryption (DDP E) Cloud Client Computing 93% of the federal executives surveyed in the GBC study said at least one element of their agency s cyber defense needs significant improvement. Implementing the Framework can address that security gap. Protect (PR) Detect (DE) Respond (RS) Recover (RC) Access Control Awareness and Training Data Security Information Protection Processes and Procedures Maintenance Protective Technology Anomalies and Events Security Continuous Monitoring Detection Processes Response Planning Communications Analysis Mitigation Improvements Recovery Planning Improvements Communications Archive Solutions Information Assurance (IA) Cybersecurity Lab Supply Chain Assurance SecureView Workstations SonicWALL Network Security & Secure Mobile Access Monitoring Appassure Backup and Recovery NetVault Backup and Recovery Backup Hardware Dell One Identity SonicWALL Network Security & Secure Mobile Access Cloud Client Computing KACE System Management Other Security Services (including SecureWorks) AppAssure Backup and Recovery NetVault Backup and Recovery Backup Hardware Dell offers many other solutions which give your agency the solid foundation a Framework-compliant organization needs to have; servers, storage, desktops, laptops, mobile devices, services and software to help you optimize, migrate, and manage your IT infrastructure. Conclusion Should your agency adopt the NIST Cybersecurity Framework? Based on Dell s work helping federal agencies implement cybersecurity plans and solutions, there is much to recommend the Framework as the core guideline for an agency s cybersecurity strategy. Adopting the Framework will help improve risk-based security, and it can assist with regulatory compliance a challenge in and of itself for the majority of federal agency IT managers. Solid processes and good technology tools can also reduce costs and workforce pressure over time. The key to moving from a strategy to successful implementation comes down to the tools. The Framework holds great promise, but at the end of the day, the tools and processes agencies implement will determine cybersecurity readiness and mission success. 4

5 For More Information 2014 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. ( Dell ). Dell, Dell Software, the Dell Software logo and products as identified in this document are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document. About Dell Software Dell Software helps customers unlock greater potential through the power of technology delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. If you have any questions regarding your potential use of this material, contact: Dell Software 5 Polaris Way Aliso Viejo, CA Refer to our Web site for regional and international office information. 5 Whitepaper-NIST-CyberSecurity-US-KS-25392