Previous chapters have mentioned the NIST Cybersecurity Framework as a solid resource upon which to base local government cybersecurity programs. The purpose of this chapter is to introduce readers to the 2018 version of the framework. First, the chapter presents a brief history of the framework’s development. Second, it describes overall structure and components of the framework and how local governments should use it as a continuous guide for cybersecurity improvement. The chapter concludes with an examination of each of the five functions of cybersecurity, which were previously introduced in Chapter 2, along with their categories and subcategories.
NIST’s original Cybersecurity Framework 1.0 (2014) was published in response to President Obama’s Executive Order (EO) 13636 for improving critical infrastructure cybersecurity (U. S. National Institute of Standards and Technology, 2019). The EO directed NIST to work with private industry to create a standard of best practices for all sectors of critical infrastructure. Academics and government stakeholders were also involved in the development process. The framework is intended to be a flexible, cost-effective set of guidelines applicable to every critical infrastructure sector (Table 9.1). NIST also offers resources specific to federal organizations, small- and medium-sized businesses, state, local, tribal, and territorial (SLTT) governments, academia, assessment and auditing, and for international organizations (NIST, 2020).
Local governments can, and often are, involved in many aspects of critical infrastructure. Therefore, the framework can be adopted by organizations of all types to help them practice cybersecurity more effectively and become more cyber resilient. The framework also proposes a set of questions that local governments should ask to help implement the best practices most appropriate for their size, location, budgets, and any unique cybersecurity issues they face.
Table 9.1 NIST Critical infrastructure sectors.
Chemical | Commercial Facilities | Communications | Critical Manufacturing |
---|---|---|---|
Dams | Defense industrial | Emergency services | Energy |
Financial services | Food and agriculture | Government facilities | Healthcare and public health |
Information technology | Nuclear reactors, materials and waste | Transportation systems | Water and wastewater systems |
Source: NIST (2021a).
The Cybersecurity Enhancement Act of 2014, which came into law almost a year after the release of version 1.0 of the framework, mandates that NIST take the lead in building consensus-based standards on an ongoing basis (NIST, 2021b). The framework was updated for the first time in 2018, and as of this writing, Version 1.1 of the framework is the most recent.
NIST provides specific resources for SLTT governments to improve their cybersecurity including many assessment tools from peer local governments and membership organizations like MS-ISAC (NIST, 2020). NIST. (2020, May 13). State, local, tribal and territorial resources. https://www.nist.gov/cyberframework/state-local-tribal-and-territorial-resources.
The NIST Cybersecurity Framework has three major components: the framework core, framework implementation tiers, and a framework profile. Adoption of the framework is a process by which local governments incorporate the standards set forth in the core into their cybersecurity risk management. Ultimately, the framework core, implementation tiers, and profiles provide local governments with a “common taxonomy and mechanism… to:
The framework core is made up of the five functions: Identify, Protect, Detect, Respond, and Recover. They are discussed individually in subsequent sections of this chapter.
The framework implementation tiers provide local governments with a simple methodology to assess how they view their overall cybersecurity risk and risk management in the context of their current practices, threat environment, mission objectives, legal requirements, and organizational constraints. The tiers are: 1) partial, 2) risk informed, 3) repeatable and 4) adaptive. The tiers assess three aspects of a local government’s cybersecurity posture: its risk management process, how integrated its risk management program is, and its level of external participation.
Partial means that the local government’s risk management process functions in an ad hoc or reactive fashion, with limited organizational awareness of cybersecurity risk and no external participation. Risk informed means that local government management approves of the risk management practices used, but that an organization-wide policy or approach is not in place, and that the local government engages in only limited information-sharing activities. Repeatable means the local government’s risk management practices are formalized as policy on an organization-wide level, with extensive information sharing and collaboration. Adaptive means the local government’s cybersecurity risk management is adapted regularly based on previous activity and lessons learned, by implementing risk-informed policies, practices, and procedures and by participating in and contributing to collaborative information-sharing activities. This assessment is not intended to be a maturity model, but rather a way for local governments to better organize and prioritize their thinking around risks and objectives specific to them.
The framework profile is a document created and used by local governments to help them visualize their overall cybersecurity posture (or policies, practices, and people). To start their cybersecurity planning process, local governments should generate two profiles: a current profile reflecting the then current cybersecurity posture and a target profile representing cybersecurity goals and objectives that the local government intends to prioritize and accomplish. These profiles consist of specific cybersecurity outcomes chosen by the local government from the categories and subcategories (or outcome categories) making up the five functions. Local governments should review the categories and subcategories of each function to determine which are the most important in terms of their missions and overall levels of risk. The current profile is used to help prioritize goals and objectives to meet in order to achieve the target profile. Whatever outcome categories the local government prioritizes can then be tracked as they are implemented, which is an assessment process similar to the “as-is”/“to-be” management process in the commercial world.
Organizations can apply the NIST cybersecurity framework in various ways. However, it is important to note that the framework does not replace cybersecurity policies and practices currently in place but rather helps local governments identify where and how to improve and implement best practices. For example, one local government might use the framework implementation tiers to express a desired level of, and approach to, risk management practices. Another local government might focus entirely on the framework core and profiles. A third could use the framework implementation tiers analysis to inform its profile assessment and its prioritization of next steps as identified in the categories and subcategories of the framework core. Ultimately, successful implementation of the NIST cybersecurity framework entails achieving the outcome categories chosen in the local government’s target profile. Therefore, in order to build the two profiles (current and target) and implement the framework, a local government must go through each function, category, and subcategory of the framework to identify its current cybersecurity posture and to highlight what must be prioritized in order to reach its desired level of cybersecurity.
Additionally, the framework also puts forth a list of seven recommended steps for establishing or improving a local government’s cybersecurity program (Table 9.2). These steps should be repeated as necessary to assess and improve the local government’s level of cybersecurity.
Table 9.2 NIST CSF steps to establish or improve a cybersecurity program.
Step | Description |
---|---|
1) Prioritize and scope | |
2) Orient | |
3) Create a current profile | |
4) Conduct a risk assessment | |
5) Create a target profile | |
6) Determine, analyze, and prioritize gaps | |
7) Implement action plan | |
Source: NIST (2018).
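The current-profile versus target-profile comparison described above, carried through steps 3 to 7 of Table 9.2, as an added Python illustration that is not part of this chapter or of NIST’s own materials. It assumes the subcategory identifiers of CSF 1.1 (e.g. ID.AM-1, which the chapter’s tables list by name only), and the tier, likelihood, impact and cost values are constructed sample data.

```python
"""Gap analysis between a current and a target NIST CSF profile.

Added illustration of steps 3 to 7 of the seven-step process; not NIST tooling.
Tiers are the four implementation tiers; risk is likelihood x impact from the
risk assessment; cost is a constructed effort estimate in arbitrary units.
"""
from dataclasses import dataclass

# Implementation tiers as named in the framework.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    """One subcategory outcome with its current and target tier."""
    sub_id: str        # NIST CSF 1.1 subcategory identifier (assumed, not on the page)
    function: str      # Identify / Protect / Detect / Respond / Recover
    description: str
    current: int       # tier 1-4 from the current profile (step 3)
    target: int        # tier 1-4 from the target profile (step 5)
    likelihood: int    # 1-5 from the risk assessment (step 4)
    impact: int        # 1-5 from the risk assessment (step 4)
    cost: int          # constructed effort estimate

    def risk(self) -> int:
        return self.likelihood * self.impact

    def gap(self) -> int:
        # an outcome already at or above target has no gap
        return max(self.target - self.current, 0)

    def priority(self) -> int:
        # a larger tier gap on a riskier outcome ranks first
        return self.gap() * self.risk()


def validate(o: Outcome) -> None:
    """Reject profile entries that use values outside the framework's scales."""
    if o.current not in TIERS or o.target not in TIERS:
        raise ValueError(f"{o.sub_id}: tiers must be 1-4")
    if not (1 <= o.likelihood <= 5 and 1 <= o.impact <= 5):
        raise ValueError(f"{o.sub_id}: likelihood and impact must be 1-5")


def prioritize_gaps(outcomes):
    """Step 6: keep only outcomes below target, highest priority first."""
    for o in outcomes:
        validate(o)
    gaps = [o for o in outcomes if o.gap() > 0]
    return sorted(gaps, key=lambda o: (-o.priority(), -o.risk(), o.sub_id))


def action_plan(outcomes, budget):
    """Step 7: fund gaps in priority order, skipping any that exceed the remaining budget."""
    plan, spent = [], 0
    for o in prioritize_gaps(outcomes):
        if spent + o.cost <= budget:
            plan.append(o.sub_id)
            spent += o.cost
    return plan, spent


# Constructed sample profile for one local government (values are illustrative).
SAMPLE = [
    Outcome("ID.AM-1", "Identify", "Physical devices and systems are inventoried", 2, 3, 3, 3, 2),
    Outcome("ID.AM-2", "Identify", "Software platforms and applications are inventoried", 1, 3, 4, 3, 3),
    Outcome("PR.AC-4", "Protect", "Access permissions use least privilege and separation of duties", 1, 3, 4, 5, 4),
    Outcome("PR.IP-4", "Protect", "Back-ups are conducted, maintained, and tested", 2, 4, 3, 5, 3),
    Outcome("DE.CM-8", "Detect", "Vulnerability scans are performed", 3, 3, 3, 4, 2),
    Outcome("RS.RP-1", "Respond", "Response plan is executed during or after an incident", 1, 2, 2, 5, 1),
    Outcome("RC.RP-1", "Recover", "Recovery plan is executed during or after an incident", 2, 2, 2, 4, 1),
]

if __name__ == "__main__":
    for o in prioritize_gaps(SAMPLE):
        print(f"{o.sub_id:8} {TIERS[o.current]:>13} -> {TIERS[o.target]:<10} "
              f"risk={o.risk():2} priority={o.priority()}")
    plan, spent = action_plan(SAMPLE, budget=8)
    print(f"funded this cycle: {plan} (cost {spent})")
```

Outcomes already at target (DE.CM-8, RC.RP-1) drop out of the gap list, and the remaining ones are re-scored on the next pass through the cycle once their current tier changes.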
The Multi-State Information Sharing & Analysis Center (MS-ISAC) provides a free tool that local governments can use annually (from October 1 to February 28) to understand and track their cybersecurity posture using NIST’s Cybersecurity Framework – the Nationwide Cybersecurity Review (Center for Internet Security, n.d.). Local governments can complete the self-assessment to manage cybersecurity risk through the framework and use it as a benchmark to track year-to-year comparisons and compare to peer governments. Center for Internet Security. (n.d.). Nationwide Cybersecurity Review (NCSR). https://www.cisecurity.org/ms-isac/services/ncsr.
NIST’s five functions of cybersecurity are: Identify, Protect, Detect, Respond, and Recover. As previously discussed, each of the five functions of the framework contains categories and subcategories detailing the steps and methods necessary to help ensure specific cybersecurity outcomes (see Figure 9.1). These outcome categories help make actionable the priorities set forth in each function.
Five functions, 23 categories, and 108 subcategories make up the framework. Each subcategory is further distilled into specific informative references, which link to standards like NIST’s Special Publications, the Center for Internet Security (CIS) Controls, ISACA’s COBIT 5, and those set forth by the International Society of Automation (ISA) and the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC). Although the framework can read as a nesting doll of checklists drilling down from function to category, subcategory, and informative references, many of the methods overlap to generate different desired outcomes. Table 9.2 of Version 1.1 of the cybersecurity framework provides a list of each of the functions and their related categories, subcategories, and informative references (NIST, 2018). This chapter utilizes a condensed version of the table for each function section below.
Identify means that local governments “develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities” (2018, p. 7). The six categories of identify are: asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management. What this means in practice is that, first, local governments must engage in asset management and identify aspects of their cybersecurity environment by inventorying physical hardware, software, data, and personnel. Second, local governments must assess their business environment and relate cybersecurity to organizational mission, objectives, and stakeholders. Third, local governments should establish robust cybersecurity governance by ensuring organization-wide cybersecurity policy is established and communicated to address risks and legal requirements. Fourth, instituting a risk assessment will help local governments address asset vulnerabilities and incorporate shared threat intelligence. Fifth, risk management strategies should be established and levels of organizational risk tolerance identified. Sixth, assessing the security measures used by third-party device manufacturers and application developers is an important aspect of supply chain risk management (Table 9.3).
The process of the identify function does not stop; like each of the five functions, it operates continuously. New devices, software, and applications must be included in inventories when incorporated into a local government’s information systems.
Local governments address the protect function by “develop[ing] and implement[ing] appropriate safeguards to ensure delivery of critical services” (2018, p. 7). The six categories of protect are: identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology. Identity management and access control involves authenticating user identities and credentials, permissions, and authorizations of which users are allowed to access the government’s information systems, protecting physical and remote access and more. Staff awareness and training for all end users regardless of title, pay grade, or status in the organization is needed so that they understand their roles and responsibilities in protecting local government information systems. Data security means that the confidentiality, integrity, and availability of the local government’s information, in its three states, are protected. Information protection processes and procedures involve implementing official security policies around back-ups, system configuration, physical security, and data destruction including human resources, response and recovery plans, and vulnerability management plans. System maintenance, such as replacing hardware or system updates or patches, should occur regularly and according to adopted policy. Protective technology means having technical solutions in place to help ensure system security and resilience, such as audit logs and the principle of least functionality in which non-essential system functions are prohibited (Table 9.4).
Table 9.3 Identify categories and subcategories.
Function | Category | Subcategory |
---|---|---|
Identify | Asset management: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | 1) Physical devices and systems within the organization are inventoried |
| | | 2) Software platforms and applications within the organization are inventoried |
| | | 3) Organizational communication and data flows are mapped |
| | | 4) External information systems are catalogued |
| | | 5) Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value |
| | | 6) Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established |
| | Business environment: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. | 1) The organization’s role in the supply chain is identified and communicated |
| | | 2) The organization’s place in critical infrastructure and its industry sector is identified and communicated |
| | | 3) Priorities for organizational mission, objectives, and activities are established and communicated |
| | | 4) Dependencies and critical functions for delivery of critical services are established |
| | | 5) Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations) |
| | Governance: The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | 1) Organizational cybersecurity policy is established and communicated |
| | | 2) Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners |
| | | 3) Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed |
| | | 4) Governance and risk management processes address cybersecurity risks |
| | Risk assessment: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. | 1) Asset vulnerabilities are identified and documented |
| | | 2) Cyber threat intelligence is received from information sharing forums and sources |
| | | 3) Threats, both internal and external, are identified and documented |
| | | 4) Potential business impacts and likelihoods are identified |
| | | 5) Threats, vulnerabilities, likelihoods, and impacts are used to determine risk |
| | | 6) Risk responses are identified and prioritized |
| | Risk management strategy: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | 1) Risk management processes are established, managed, and agreed to by organizational stakeholders |
| | | 2) Organizational risk tolerance is determined and clearly expressed |
| | | 3) The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis |
| | Supply chain risk management: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks. | 1) Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders |
| | | 2) Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process |
| | | 3) Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and cyber supply chain risk management plan |
| | | 4) Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations |
| | | 5) Response and recovery planning and testing are conducted with suppliers and third-party providers |
Source: NIST (2018).
Under the detect function local governments must “develop and implement appropriate activities to identify the occurrence of a cybersecurity event” (2018). The categories for detect are: anomalies and events, security continuous monitoring, and detection processes. Anomalies and events means that system activity deviating from what is normally expected is detected and analyzed to determine if it poses a danger to the local government’s information system. Security continuous monitoring means that the local government’s systems, networks, third-party service providers, and physical environment are constantly monitored to detect and identify potential security events that could cause damage. Detection processes include implementing roles and responsibilities accountable for detection, ensuring that detection processes are tested and continuously improved, and that detection information is communicated appropriately (Table 9.5).
With proper protection systems and policies in place, the occurrence and impact of adverse cybersecurity events can be mitigated. Since it is impossible or nearly so to prevent cyberattacks, it is essential to be able to detect attacks when they occur.
Table 9.4 Protect categories and subcategories.
Function | Category | Subcategory |
---|---|---|
Protect | Identity management and access control: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | 1) Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
| | | 2) Physical access to assets is managed and protected |
| | | 3) Remote access is managed |
| | | 4) Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties |
| | | 5) Network integrity is protected (e.g., network segregation, network segmentation) |
| | | 6) Identities are proofed and bound to credentials and asserted in interactions |
| | | 7) Users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
| | Awareness and training: The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity related duties and responsibilities consistent with related policies, procedures, and agreements. | 1) All users are informed and trained |
| | | 2) Privileged users understand their roles and responsibilities |
| | | 3) Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities |
| | | 4) Senior executives understand their roles and responsibilities |
| | | 5) Physical and cybersecurity personnel understand their roles and responsibilities |
| | Data security: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | 1) Data-at-rest is protected |
| | | 2) Data-in-transit is protected |
| | | 3) Assets are formally managed throughout removal, transfers, and disposition |
| | | 4) Adequate capacity to ensure availability is maintained |
| | | 5) Protections against data leaks are implemented |
| | | 6) Integrity checking mechanisms are used to verify software, firmware, and information integrity |
| | | 7) The development and testing environment(s) are separate from the production environment |
| | | 8) Integrity checking mechanisms are used to verify hardware integrity |
| | Information protection processes and procedures: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. | 1) A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality) |
| | | 2) A system development life cycle to manage systems is implemented |
| | | 3) Configuration change control processes are in place |
| | | 4) Back-ups of information are conducted, maintained, and tested |
| | | 5) Policy and regulations regarding the physical operating environment for organizational assets are met |
| | | 6) Data is destroyed according to policy |
| | | 7) Protection processes are improved |
| | | 8) Effectiveness of protection technologies is shared |
| | | 9) Response plans (incident response and business continuity) and recovery plans (incident recovery and disaster recovery) are in place and managed |
| | | 10) Response and recovery plans are tested |
| | | 11) Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) |
| | | 12) A vulnerability management plan is developed and implemented |
| | Maintenance: Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures. | 1) Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools |
| | | 2) Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access |
| | Protective technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. | 1) Audit/log records are determined, documented, implemented, and reviewed in accordance with policy |
| | | 2) Removable media is protected and its use restricted according to policy |
| | | 3) The principle of least functionality is incorporated by configuring systems to provide only essential capabilities |
| | | 4) Communications and control networks are protected |
| | | 5) Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations |
Source: NIST (2018).
Table 9.5 Detect categories and subcategories.
Function | Category | Subcategory |
---|---|---|
Detect | Anomalies and events: Anomalous activity is detected and the potential impact of events is understood. | 1) A baseline of network operations and expected data flows for users and systems is established and managed |
| | | 2) Detected events are analyzed to understand attack targets and methods |
| | | 3) Event data are collected and correlated from multiple sources and sensors |
| | | 4) Impact of events is determined |
| | | 5) Incident alert thresholds are established |
| | Security continuous monitoring: The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. | 1) The network is monitored to detect potential cybersecurity events |
| | | 2) The physical environment is monitored to detect potential cybersecurity events |
| | | 3) Personnel activity is monitored to detect potential cybersecurity events |
| | | 4) Malicious code is detected |
| | | 5) Unauthorized mobile code is detected |
| | | 6) External service provider activity is monitored to detect potential cybersecurity events |
| | | 7) Monitoring for unauthorized personnel, connections, devices, and software is performed |
| | | 8) Vulnerability scans are performed |
| | Detection processes: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events. | 1) Roles and responsibilities for detection are well defined to ensure accountability |
| | | 2) Detection activities comply with all applicable requirements |
| | | 3) Detection processes are tested |
| | | 4) Event detection information is communicated |
| | | 5) Detection processes are continuously improved |
Source: NIST (2018).
Adverse cybersecurity events need to be detected as soon as possible. The time it takes to discover a breach can exponentially increase the amount of damage inflicted. Detecting and analyzing adverse events helps local governments respond accordingly.
To effectively respond to adverse cybersecurity events once they are detected, local governments should “develop and implement appropriate activities to take action regarding a detected cybersecurity incident” (NIST, 2018, p. 7). The five categories for the respond function are: response planning, communications, analysis, mitigation, and improvements. Response planning means that processes and procedures established in a response plan are executed during or after an adverse cybersecurity event. Communications involves ensuring that personnel understand and act appropriately on their roles and responsibilities when responding to an adverse event. It also means that those events are reported internally and externally according to policy. Analysis in event response means that detection notifications are investigated to understand the impact of the event, that forensics are performed, and that processes are in place to respond to vulnerabilities identified by the local government. Mitigation means that events are contained, mitigated, and that newly identified vulnerabilities are either successfully mitigated or documented as accepted risks. Improvements means that response plans incorporate lessons learned into the local government’s cybersecurity posture, and that response strategies are updated (Table 9.6).
Table 9.6 Respond categories and subcategories.
Function | Category | Subcategory |
---|---|---|
Respond | Response planning: Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents. | 1) Response plan is executed during or after an incident |
| | Communications: Response activities are coordinated with internal and external stakeholders (e.g., external support from law enforcement agencies). | 1) Personnel know their roles and order of operations when a response is needed |
| | | 2) Incidents are reported consistent with established criteria |
| | | 3) Information is shared consistent with response plans |
| | | 4) Coordination with stakeholders occurs consistent with response plans |
| | | 5) Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness |
| | Analysis: Analysis is conducted to ensure effective response and support recovery activities. | 1) Notifications from detection systems are investigated |
| | | 2) The impact of the incident is understood |
| | | 3) Forensics are performed |
| | | 4) Incidents are categorized consistent with response plans |
| | | 5) Processes are established to receive, analyze, and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins, or security researchers) |
| | Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident. | 1) Incidents are contained |
| | | 2) Incidents are mitigated |
| | | 3) Newly identified vulnerabilities are mitigated or documented as accepted risks |
| | Improvements: Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. | 1) Response plans incorporate lessons learned |
| | | 2) Response strategies are updated |
Source: NIST (2018).
Finally, the recover function states that local governments should “develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident” (NIST, 2018, p. 8). Recover has three categories: recovery planning, improvements, and communications. Recovery planning means that recovery processes and procedures are executed during and/or after an adverse cybersecurity event to ensure restoration of the local government’s information systems. Improvements means that local governments incorporate lessons learned and update recovery plans. Communications for the recover function include public relations management, reputation repair, and communication of recovery activities to internal and external stakeholders, including the public (Table 9.7).
Recovery is an essential step toward ensuring local government resilience. Restoring systems and returning to normal operations in a timely manner is the ultimate goal.
The NIST cybersecurity framework emphasizes the organizational and managerial components that are important in implementing cybersecurity best practices, which can then be supported by appropriately configured and deployed technologies. It represents a matrix for achieving the highest level of cybersecurity attainable. Local governments can incorporate the framework into their cybersecurity planning and management in order to achieve and maintain high levels of cybersecurity.
The framework provides flexibility so that local governments can implement the best practices most appropriate for their particular risk environments. The important numbers to remember about the NIST cybersecurity framework are three and five: three major components involved in adopting the framework (framework core, framework implementation tiers, and framework profiles) and five cybersecurity functions that identify cybersecurity outcomes to be prioritized by local governments (identify, protect, detect, respond, recover). The framework presents a cyclical process through which organizations can continuously improve their cybersecurity outcomes. This cycle of continuous improvement can help local governments achieve high levels of cybersecurity by identifying current gaps and the steps to take to reach the state of best practice, and by ensuring the process is repeated continuously to identify new gaps. By going through each function, category, and subcategory of the framework, local governments can prioritize their most important areas for improvement based on the risks they face and their available resources.
Table 9.7 Recover categories and subcategories.
Function | Category | Subcategory |
---|---|---|
Recover | Recovery planning: Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents. | 1) Recovery plan is executed during or after a cybersecurity incident |
| | Improvements: Recovery planning and processes are improved by incorporating lessons learned into future activities. | 1) Recovery plans incorporate lessons learned |
| | | 2) Recovery strategies are updated |
| | Communications: Restoration activities are coordinated with internal and external parties (e.g., coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors). | 1) Public relations are managed |
| | | 2) Reputation is repaired after an incident |
| | | 3) Recovery activities are communicated to internal and external stakeholders as well as executive and management teams |
Source: NIST (2018).