How the Cybersecurity Framework and Risk Management Framework Inform a Risk Assessment

by Marty Aquino
How the Cybersecurity Framework and Risk Management Framework Inform a Risk Assessment

The need for cybersecurity predates the internet itself. When Bob Thomas coded the computer program “Creeper” in the 1970s to leave breadcrumbs wherever it moved across a digital network, Ray Tomlinson countered those actions with his “Reaper” deletion program — and cybersecurity was born. Older still is the origin of NIST. The National Institute of Standards and Technology was founded in 1901 to significantly upgrade America’s measurement standards in comparison to the world economic leaders at that time: the U.K., Germany and others. NIST exists to help proliferate U.S. technologies regardless of size or complexity, which more recently includes cybersecurity.

On February 12, 2013, Executive Order 13636 was initiated with the intent to improve critical infrastructure cybersecurity: “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy and, civil liberties.” Ultimately, NIST, whether via its Risk Management Framework or its Cybersecurity Framework, has had and continues to have a massive effect and influence on the cybersecurity industry — especially best practices.

The NIST Risk Management Framework

The purpose of the Cybersecurity Risk Management Framework (RMF) is to create a risk-based approach to manage information security and privacy risk, taking into consideration effectiveness, efficiency and constraints against regulations, standards, executive orders and laws. The baseline concept is that risk management is critical to successful information security and privacy programs. A second important concept is that the RMF approach is adaptive to systems regardless of whether it is new, legacy, small or massive. The RMF Framework has seven primary steps:

1. Prepare

Like any good scout, the first step is to be prepared. The core goals here are to achieve more effective, efficient and cost-effective security and privacy risk management processes. Key NIST Prepare outcomes include:

  • Identify key risk management roles
  • Establish your risk management strategy based on your risk tolerance
  • Assess your entire organization
  • Develop and implement strategy to monitor systems
  • Identify common controls

2. Categorize

In the second step, NIST outlines how to develop a structured way to determine the “criticality of the information being processed,” stored and distributed by your system. It weighs potential worst-case scenarios to your system and its effect on your business, data, legal responsibilities and day-to-day business functions. Key NIST Categorize outcomes include:

  • Document system characteristics
  • Categorize the security of your system
  • Gain appropriate approval from key official(s)

3. Select

Choosing and implementing the appropriate controls for your system is critical because they can have outsized impacts on your operations and assets. The key purpose here is to select the controls that are necessary and customize them to your organizational needs. Key NIST Select outcomes include:

  • Select and customize control baselines
  • Designate controls as system-specific, hybrid or common
  • Allocate controls to specific system components
  • Continuously monitor your strategy systemwide
  • Gain necessary approvals and reviews from authorized officers

4. Implement

This is the action step portion of the RMF Select step. This underscores the importance of executing the controls correctly so they perform as expected as per your organization’s expectations. Key NIST Implement outcomes include:

  • Implement previously identified controls in RMF Select step
  • Update plans to document implemented security and privacy plan controls

5. Assess

This step attempts to confirm that your custom controls are implemented correctly, operate as expected, generate the expected results, and that it is compliant with any applicable organizational security and/or privacy requirements. Key NIST Assess outcomes include:

  • Select assessment team
  • Develop security and privacy assessment plans
  • Review and approve assessment plans
  • Implement control assessments in accordance with plans
  • Address any deficiencies in controls
  • Update security and privacy plans with any changes
  • Develop a plan of action and milestones

6. Authorize

The purpose of the Authorize step is to establish a system of accountability throughout your organization. It requires a senior official to greenlight the use of controls or operation of the proposed systems. In turn, they will determine whether the risk is acceptable. Key NIST Authorize outcomes include:

  • Complete authorization package, including: executive summary, security and privacy plan, assessment report(s), plan of action and milestones
  • Render risk determination
  • Provide risk responses
  • Approve or deny authorization for the system or common controls

7. Monitor

A good plan is only good if you stick to it. The purpose of continuous monitoring is to maintain or improve your system’s efficacy over time — with the understanding that changes due to external or internal forces are inevitable. This situational awareness helps future risk management decisions. Key NIST Monitor outcomes include:

  • Continuously monitor your system and environment of operation
  • Assess the effectiveness of your controls in accordance with your monitoring strategy
  • Analyze and respond to your continuous monitoring activities
  • Establish a process to report security and privacy posture to management
  • Gain ongoing authorizations resulting from continuous monitoring activities

The NIST Cybersecurity Framework

Executive Order 13636 established key requirements for NIST to use as design criteria. Key NIST Cybersecurity Framework criteria included:

  • Establish guidelines for security standards that would work across varying sectors of critical infrastructure
  • Create a stack-ranked, performance-based, adaptable and affordable approach
  • Allow owners and operators to self-assess, if appropriate
  • Empower technological innovations
  • Provide guidance that is technology neutral and allows sectors to benefit from a competitive marketplace
  • Suggest methods for analyzing and measuring performance post-implementation of the Cybersecurity Framework
  • Identify areas for improvement

The Cybersecurity Framework is divided into five core functions:

1. Identify

Do you know your business? The Identify step is a deeper dive into really understanding the business, its critical functions and related cybersecurity risks then developing an organizational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities.

2. Protect

It’s all about defense. The Protect step is about implementing appropriate safeguards to limit or contain the impact of a potential cybersecurity event.

3. Detect

Do you sense trouble? The Detect step develops processes that discover and seek out cybersecurity events like anomalies and breaches in a timely manner to allow for greater options to remedy the situation.

4. Respond

Something happened … Time to take action. The Respond step is all about taking action, often preplanned, in response to a detected cybersecurity event. Actions include: response planning, communications, analysis, mitigation and improvements.

5. Recover

I think we’re getting better. The Recover step is focused on getting back to business. If any capabilities or services were taken offline due to a cybersecurity event, then implementing appropriate activities to restore full functionality would be initiated. Actions include: recovery planning, improvement and communications.

The Power of a Solid Risk Assessment System

The influence of the NIST Risk Management Framework and Cybersecurity Framework is immense, starting with the highest office in the land extending to nearly every digitally connected business. According to NIST:

  • 16 critical infrastructure sectors use the NIST Framework
  • More than 20 U.S. states use the Cybersecurity Framework
  • More than 1.7 million downloads of the NIST Cybersecurity Framework have been made (as of March 2022)

Although the RMF is voluntary, any size organization can use the RMF and the best practices therein to improve its cybersecurity and build a more resilient business. The NIST RMF is incredibly scalable — however, it is not one-size-fits-all. Your organization will benefit greatly from a customized solution set, especially when administered by a trusted partner. Contact The Migus Group and get your assessment today.

Marty Aquino has been a passionate writer on venture capital, technology, forecasting, risk mitigation, wealth and entrepreneurial topics since 2009. He is the founder of Carbonwolf Energy, a venture capital firm specializing in world-changing and status-quo-defying technologies and people.