Imagine the pressure and responsibility that comes with protecting sensitive government data from malicious cyber threats. For any chief information security officer (CISO) working for the federal government today, there is no need to imagine – it is the daily reality of the job.
From the Office of Personnel Management breach in 2015 to the large swaths of information exposed from the Democratic National Committee, the cyber threat isn’t hypothetical anymore and must be addressed. In this era of partisanship, the effort to improve cybersecurity has received bipartisan support — a clear message to agencies that this will be extremely important going forward, regardless of political climate.
The added emphasis on cybersecurity means that all high-ranking agency leaders, specifically CISOs, have to know definitively if they are compliant with constantly changing regulations. And the simple reality is many CISOs think they are up to date on the National Institute of Standards and Technology’s cybersecurity guidelines, when in fact, they may not be.
So how did this confusing situation occur? President Trump signed an executive order last year detailing new parameters for federal agencies regarding cybersecurity, designed to develop a more robust cyber posture. The order mandates that federal agencies follow NIST’s cybersecurity framework (CSF). What it doesn’t acknowledge is that prior to the CSF, NIST had another standing set of guidelines for agencies related to cybersecurity — the risk management framework (RMF).
For the layperson reading the cyber executive order, unaware of NIST and its past work, they may see this language and think, “Holy cow, federal agencies haven’t had any cybersecurity regulations until right now? No wonder there has been so many breaches!”
However, CISOs reading the executive order for the first time may have seen “NIST” and thought, “Oh, I started implementing those guidelines years ago.” While the first scenario is grossly wrong, the second is dangerously incomplete.
In reality, while the RMF was a starting point for cybersecurity standards, the follow-on CSF gives agencies increased agility to address the increasing reality that the federal government has a target on its back placed by nation-state hackers. Since the CSF builds on the RMF, agencies need to know how to blend the two — and keep up with CSF iterations — to remain in good standing. The importance should not be lost that the cyber executive order states agency heads will be “held accountable by the president” — a good indicator that jobs are on the line.
Filling the Gaps
Essentially, cyber has enabled a new era of perpetual war — going on constantly but invisible at the same time. In the past, cyber breaches looked familiar. Hackers stole money or information from individuals and used that data to exploit them. Now hacking is a widespread operation that can create political firestorms, enabling nation-states to manipulate records — and public opinion by spreading false information.
This landscape necessitates a transformation in our nation’s cyber defense, and embracing best practices starts with adherence to NIST guidelines and untangling the confusion between the RMF and CSF. When used in concert, they provide a powerful weapon for our nation to emerge victorious against today’s evolving cyber threats.
Where the CSF will play an integral role going forward is in communication. It’s not always easy for those versed in the high-tech details of cybersecurity to convey a good strategy up to the agency leader (or CEO in the business world) level, and vice versa. The NIST CSF details cybersecurity objectives and outcomes from the lowest levels of an organization to the highest by creating a unified framework for all functions that map back to cybersecurity.
This practical language approach can help agencies meet five functions that serve as the framework core: identify, protect, detect, respond and recover. Under these functions are 22 categories, and nearly 100 additional subcategories, that map back to those five functions, meaning there are very explicit details regarding how to uphold those five pillars. For instance, “protect” might also encompass how to protect data in transit or data at rest, which is then broken down into further subcategories and functions.
This construct gives everyone in an organization — from the server room to the boardroom — an understanding of the information at the level of detail meaningful for them. By being able to speak in one language, the CSF enables agencies to make smarter purchasing decisions and invest in technology they know they need.
While this sounds very explicit, the beauty of the NIST framework is the flexibility of the agency to continue to refine these requirements over time. This is backed by the cybersecurity executive order, which specifies agencies must align their policies to any successor documents such as NIST SP 800-53. In fact, NIST already has a version four of the document, with revision 5 due out within the next several months.
New technologies come out all the time and, to date, NIST has been adept in responding to new areas of concern, like the Internet of things (IoT), mobile, cloud and other new methods for hackers to exploit agencies.
At the same time, the CSF isn’t prescriptive. It’s still up to agency leadership to determine how to meet all of NIST’s requirements, leaving no bureau pigeonholed or hamstrung by a specific solution. Cybersecurity will always be a cat-and-mouse game, and NIST has given agencies the agility to stay ahead through this new framework. Going forward, it will be increasingly important for government agencies to vet their vendors, ensuring they are as up to date on the latest NIST standards as the agencies themselves.
Implementing Both Frameworks
While there are two clear and separate roadmaps for how agencies should manage their cyber risk and cybersecurity compliance, there isn’t a clear delineation of how to do both at once.
While RMF and CSF do have a lot in common, the RMF has certain parameters, like defining how controls are implemented and a risk-based decision of how to authorize a system for use, that isn’t in the CSF. However, there are also RMF concepts that are embedded within the CSF. An example of this is found in CSF’s step No. 4, which specifically calls out risk assessment. This overlap, though, is fueling the confusion between the two.
Originally, the CSF was created by NIST as a best practices set of standards related to cybersecurity. Now that the cyber executive order has mandated them as gospel, NIST has begun detailing how agencies might implement the CSF.
One day after the cyber executive order’s signing; NIST released a new implementation guide for agencies, to start the conversation on how to clear up any confusion. The agency will continue to update the document over the summer, as it gets feedback from other government agencies. NIST regularly solicits feedback from all parts of the cybersecurity landscape, but until recently had a bent toward industry.
Since its initial release in 2014, the CSF has been adopted by about 30 percent of U.S. companies — behemoths like Apple, Intel, Bank of America and Kaiser Permanente. Gartner projects that figure will reach 50 percent by 2020. Moving forward, NIST’s feedback process will include federal agency input as well.
Restoring Faith in Our Cyber Posture
Just like the state of cybersecurity itself, NIST’s guidelines will continue to evolve and change over time. It’s important for all cybersecurity professionals in the government to maintain their vigilance and stay up to date on all that NIST has to offer.
There’s no silver bullet solution that’s going to stop cyber breaches from occurring, but maintaining compliance and proactively managing cyber risk are critical details in that fight. And the burden falls to CISOs and agency leaders to ensure they are complying with the letter of the law, as detailed by NIST.
They must be prepared to develop an agile cybersecurity plan that guarantees the precious data within federal agencies remains protected against today’s evolving and advancing cyber threats. It won’t be easy, but it’ll be worth it.
About the Author:
Richard A. Tracy is the CSO of Telos Corporation. Tracy joined Telos in October 1986 and held a number of management positions within the Company’s New Jersey operation through 1995. In February 1996, he relocated to Telos Headquarters in Ashburn, Virginia to start an information security consulting business within Telos and was promoted to Vice President. Since that time the information security business unit has become quite successful and has served to help Telos grow in other areas.
Tracy co-invented Xacta IA Manager and is identified as the principal inventor on five issued patents in the areas of IT risk and compliance management and continuous monitoring. Tracy assumed the role of chief security officer for Telos in 2004, which is his current title. He was also the chief technology officer 2005 through 2014.