To learn more about the NIST CSF program and unlock guidance on the actionable projects needed to establish the NIST CSF, read the new eBook: Building a Comprehensive Cybersecurity Program with the NIST Cybersecurity Framework.
Control framework readiness assessments provide key strategic input to an organization’s cybersecurity program. Since it first came out in 2014, the NIST Cybersecurity Framework has steadily become the most popular framework, especially for midsized enterprises with less mature programs than large ones. But the 5 functions, 23 categories, and 108 subcategories do not all provide equal benefit to the organization – some are extremely important, some are bordering on insignificant, and some are just downright frustrating.
Here are my “top-5” nominations for the Good (most important), the Bad (least important), and the Ugly (most frustrating) subcategories of NIST CSF.
The Good: Five Most Important Subcategories
Choosing the Top 5 most important subcategories was the most challenging of the three labels – in reality, there are probably 20 or more that are truly necessary to develop and run a strong cybersecurity program. But I will take advantage of some of the idiosyncrasies of the framework like overly broad subcategories with implicit inclusions to save the day.
1. [PR.AC-7] Users, devices, and other assets are authenticated commensurate with the risk of the transaction
Authentication tops the list because it incorporates what most cyber pros believe is the most effective control in our stable – multifactor authentication. And combined with single sign-on as is typical these days, organizations can employ MFA easily for any necessary applications. At this point, “commensurate” becomes a secondary or conditional decision whether to re-authenticate or not.
2. [PR.IP-12] A vulnerability management plan is developed and implemented
Make no mistake, cybersecurity pros think vulnerability management is a key component of any program, and it is difficult to deny. While I believe patch independence is a laudable goal for any organization, it’s easy to see why vulnerability management has such prominence with the media and regulators.
3. [RS.MI-2] Incidents are mitigated
How could I not include this one? In fact, the fatalists in our field may want it to be number one, but I still hold out hope that this is not a particularly common exercise for most companies. Throw in the entire Analysis (RS.AN) and Mitigation (RS.MI) categories as inclusive and this one is a no-brainer.
4. [PR.DS-1] Data-at-rest is protected
Again, I will take advantage of breadth and ambiguity to claim a lot under this subcategory. Some cybersecurity pros might suggest that this is the entire reason our field exists. Organizations will chase this outcome with access rights, filters, logging, and so forth. And yes, we need more encryption!
5. [PR.IP-4] Backups of information are conducted, maintained, and tested
For this subcategory, I will depart from the comfortable world of ambiguity and get right to the point. In another year, there may be more important subcategories, but right here, right now, with ransomware such a prominent concern causing real losses, we need to go back to basics with backups.
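The point of PR.IP-4 is the word "tested": a backup that exists but cannot be restored intact is exactly what a ransomware recovery discovers too late. The following is an added example, not code from the original post, showing the minimum restore test a practitioner would automate: back up a directory tree with a SHA-256 manifest, restore it into a scratch location, and verify every file against the manifest. The directory names and file contents are constructed for illustration.

```python
"""Restore-test for a file backup: back up a tree with a SHA-256 manifest,
then prove the backup restores byte-for-byte.
Added example, not from the original post; paths and data are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def back_up(src: Path, dest: Path) -> dict:
    """Copy every regular file under src into dest and record its hash.
    The manifest written alongside the copies is what makes the backup testable."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(target)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_test(backup: Path) -> tuple[bool, list[str]]:
    """Restore into a throwaway directory and check every file against the manifest.
    Returns (passed, problems). Missing or altered files fail the test; an untested
    backup that 'exists' but does not restore cleanly is the failure mode this catches."""
    manifest = json.loads((backup / MANIFEST).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        for rel, expected in manifest.items():
            src = backup / rel
            if not src.is_file():
                problems.append(f"missing: {rel}")
                continue
            out = Path(scratch) / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, out)  # the actual restore step
            if sha256_file(out) != expected:
                problems.append(f"corrupt: {rel}")
    return (not problems, problems)


def demo() -> dict:
    """Constructed scenario: a fresh backup passes the restore test; then one backed-up
    file is overwritten in place (as ransomware or silent corruption would do) and
    the same test fails and names the damaged file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly notes\n")
        backup = Path(tmp) / "backup"
        back_up(src, backup)
        ok_before, _ = restore_test(backup)
        (backup / "finance" / "ledger.csv").write_bytes(b"ENCRYPTED")
        ok_after, problems = restore_test(backup)
        return {"ok_before": ok_before, "ok_after": ok_after, "problems": problems}


if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be signed or stored separately from the backup media, since an attacker who can overwrite the backup can also rewrite a manifest that sits next to it; the restore test above still demonstrates why "tested" belongs in the subcategory text.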
The Bad: Five Least Important Subcategories
More than 50 of the controls in the framework exist solely as words in documents describing the various needs of the program. To be fair, this is a “framework” but no piece of paper is going to stop the latest ransomware attack. In keeping with the effect on risk as a primary motivator, here are my top 5 least important subcategories.
1. [ID.BE-2] The organization’s place in critical infrastructure and its industry sector is identified and communicated
This just feels like the “It was a dark and stormy night” of NIST CSF. What drama! What moodiness! Thankfully, there’s no need to read this novel, especially since it is written in such horrible English (passive voice and past participles, ugh).
2. [PR.DS-4] Adequate capacity to ensure availability is maintained
I’m just going to claim out-of-scope here. It’s not that it is insignificant, I suppose, it’s just so obviously necessary that it doesn’t make sense for cybersecurity professionals to spend time on it. There is little implication of an intelligent adversary as threat here so it doesn’t fit and the potential for cognitive dissonance between this item and the need for data destruction (PR.IP-6) is simply too great.
3. [PR.DS-8] Integrity checking mechanisms are used to verify hardware integrity
If you aren’t involved in designing hardware, you can almost certainly ignore this one. In many ways, this is more important than many of the controls in this framework; it’s just that there isn’t much to do here beyond enabling what the platform already provides (signed firmware, Secure Boot, TPM-based measured boot), and, as with number 2 above, it only borders on the traditional responsibilities of cybersecurity professionals.
4. [DE.CM-5] Unauthorized mobile code is detected
Having been a part of a number of community-driven initiatives, I am picturing an obnoxious vendor who breaks all unwritten codes of decorum by insisting that “mobile code” (code transferred from a remote system and executed locally, such as scripts, applets, and browser plug-ins) be called out as separate from “malicious code” until the organizers give in. And there it is, memorialized. Check your box now and move on.
5. [RC.IM-1] or [RC.IM-2] Recovery plans incorporate lessons learned or Recovery strategies are updated
Take your pick. Having one isn’t the end of the world, but you don’t need both.
The Ugly: Five Most Frustrating Subcategories
1. [ID.BE-2] The organization’s place in critical infrastructure and its industry sector is identified and communicated
Nominated for a second time! I just couldn’t pass up how bizarre it would be for a cybersecurity professional to preach to the executive team and board about its place. Yes, it should come from them; yes, it already has, for those companies that matter.
2. [PR.IP-8] Effectiveness of protection technologies is shared
Nobody measures the effectiveness of protection technologies, so how could they share it?
3. [RS.CO-5] Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
“And now for a word from our sponsor.” Look, I consider myself someone who cares a lot about my community and I generally believe organizations should share important information that they know could affect others. But the idea that it should be incorporated into a control framework designed to protect an organization is ridiculous, not to mention self-serving. Companies keep secrets routinely, often for very good reasons. The relationship between regulators and constituents can be tenuous in many cases. And it has absolutely zero effect on an organization’s risk posture.
4. [RC.CO-2] Reputation is repaired after an incident
Reputation is fickle. Companies with good reputations often don’t have to do anything to “repair” their reputation after an incident – they already understand how to communicate with key constituents, address the problem, and continue to build the relationship. But the determination that reputation has been repaired is outside of the control of any organization; it is up to the other parties involved.
5. Every subcategory that includes the word “understand”
“Go back, it’s a trap!” At some point, if any of these subcategories are ever put to the test, the only thing they will do is demonstrate how human beings miscommunicate frequently. Whether used as an excuse by a victim or an indictment of a cybersecurity pro, determining “who understood what” can always be disputed in hindsight.
Make no mistake, NIST CSF is an important component of most organizations’ cybersecurity strategies. The best way to align with it is through a NIST CSF Readiness Assessment that identifies prioritized subcategories aggregated into actionable projects and benchmarks the program against other similar-sized companies in the same industry. For a more detailed analysis of developing and implementing a NIST CSF-based framework that best suits your organization’s security program, read the new eBook, Building a Comprehensive Cybersecurity Program with the NIST Cybersecurity Framework.