Implementation Steps

STEP 1: PRIORITIZE AND SCOPE

Identify overall mission objectives and high-level organizational priorities. With this information, make strategic decisions regarding cybersecurity implementations and determine the scope of systems and assets that support the selected business line or process.

PURPOSE

The purpose of this instruction is to facilitate the implementation of a security program for a business, municipality, or organization, henceforth referred to as the “agency.” The program is based on the NIST Cybersecurity Framework and draws on many different NIST publications.

SCOPE

  • Executive Order 13636 identifies critical sectors that need to be secured and protected. Each sector likely has its own business/mission objectives, and these need to be identified to ensure they are properly addressed.
  • This instruction covers the first step identified by the NIST Cybersecurity Framework, specifically Prioritize and Scope.
  • This instruction looks at the agency’s most important assets and systems. These need to be identified so that the agency not only knows what it is protecting but also starts with the most important assets first. The process should then continue to lower-priority missions/assets as the higher-priority ones are completed, until all missions/assets are covered under the security program.
INSTRUCTIONS

DETERMINING PRIORITIES

IMPORTANT: These determinations for critical missions and systems are to be considered for the AGENCY, not individual departments.

Determining the priorities can be as simple as knowing which systems and assets are required to accomplish the mission, or as complicated as first deciding which functions are critical to the mission, identifying the non-essential systems, and treating the remainder as the agency’s critical systems. If this has already been identified, move on to Defining Scope. Oftentimes the agency’s mission assets and systems connect to or depend on each other, just as their missions likely interconnect. In fact, most of the agency’s systems will likely interconnect through its primary network.

After determining what critical areas are required to complete the mission, the agency also has to determine what assets and systems support that critical mission. For example, in an IT sector, the mission might be to provide a secure connection from a financial or payroll database to the financial department. In this case, all hardware, infrastructure, and services that support that database and its functioning for those individuals would be considered critical to the mission. A user’s email or access to an unrelated file server would not be considered critical and thus falls lower in the priorities. Note: most IT sectors support more than one system and/or user.

Now that the agency has identified its critical missions and critical systems, the priorities should be fairly clear: the systems that are most critical are prioritized highest. The priorities identified at this step go hand-in-hand with the NIST framework, specifically most of the Business Environment category in the Identify function. The priorities will be used in areas such as restoration plans and contingency plans.

DEFINING SCOPE

Now that the agency knows its priorities, it needs to determine the scope of the assets and systems that support those priorities. This was touched on briefly earlier; now, though, everything needs to be taken into account: keyboard to database, server to server, from the power to the network cables. NOTE: The intent here is NOT to take an exact inventory of those assets. The purpose is to identify the assets and individuals. The complete list of items comes later (Step 2: Orient).

EXAMPLE: If the agency needs a back-end server running financial information, then those systems, servers, and even the line routes between the two need to be identified. This scope will be used in the same places as the priorities to help build the different plans.

MULTIPLE PRIORITIES AND LARGER SCOPE

Priorities and scope are defined for all critical assets and systems required to complete all of the agency’s missions. This means the agency may have to repeat this process several times to identify every system and asset critical to its missions.

REFERENCES

The steps in this document fall within several of the core functions of the NIST Cybersecurity Framework. This means that if the agency has already completed steps of the framework, that work may alleviate some of the tasks throughout this process. See the chart below for the steps and the correlating documentation to refer to.

Identify: Business Environment (ID.BE):

Category | Category Subject | Reference | Documentation
-------- | ---------------- | --------- | -------------
ID.BE-2 | Critical Infrastructure | NIST SP 800-53 Rev. 4 (Pg. 395); HSPD 7; National Infrastructure Protection Plan | Critical Infrastructure Plan
ID.BE-3 | Priorities (Mission, etc.) | NIST SP 800-53 Rev. 4 (Pg. 396); FIPS Pub 199; NIST SP 800-60 | Mission/Business Process Definition
ID.BE-4 | Dependencies and Critical Functions | NIST SP 800-53 Rev. 4 (Pg. 241, 289, 290, 395, 330); NIST SP 800-34; National Communications Systems Directive 3-10; HSPD 7; National Infrastructure Protection Plan | Telecommunication Services, Power Cabling & Equipment, Emergency Power, Critical Analysis
ID.BE-5 | Resilience Requirements | NIST SP 800-53 Rev. 4 (Pg. 234, 244, 330); Federal Continuity Directive 1; NIST SP 800-34 | Contingency Plan, Alternate Communications Protocols

STEP 2: ORIENT

Once the scope of the cybersecurity program has been determined, the agency identifies the related systems and assets, regulatory requirements, and overall risk approach. The organization then identifies threats to, and vulnerabilities of, those systems and assets.

PURPOSE

The purpose of this instruction is to continue facilitating the implementation of a security program. This specifically identifies steps to take to complete Step 2: Orient for establishing or improving a Cybersecurity Program as identified in the NIST Cybersecurity Framework.

SCOPE

  • This instruction applies to the specific set of assets/systems that were identified in Step 1: Prioritize and Scope.
  • This instruction will also help identify the regulatory requirements, risk approach, and threats to and vulnerabilities of those systems.

IDENTIFY OVERALL SECURITY CATEGORIZATION

To identify the overall security categorization of your previously identified information systems, use both the specific information residing on them and the systems themselves.

To establish the security category for the previously identified information and information systems, analyze the potential impact should events occur that jeopardize the information and information systems needed to accomplish the identified mission, protect its assets, fulfill its legal responsibilities, maintain day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information when assessing the risk to an agency. Impacts are based on confidentiality, integrity, and availability, and each of the three is rated individually.

COMMON CONTROLS:

  • These are security controls put in place throughout the agency.
  • This is typically accomplished prior to implementing security controls for the individual systems.
  • These controls can be inherited by individual systems, thus streamlining their process.

Potential Impact: HIGH (severe or catastrophic impact)

  • This is likely the first impact level you will address, since you need to secure the high-impact areas first; you likely identified them in Step 1 of this process as critical to the success of the agency.
  • These are identified as a loss of confidentiality, integrity, or availability that might cause an inability to complete the mission, major damage to assets, major financial loss, or severe harm to individuals involving loss of life or serious life-threatening injuries.

Potential Impact: MODERATE (serious impact)

  • After you address all of the identified high-impact areas, you will need to address the moderate impacts.
  • These are identified as a loss of confidentiality, integrity, or availability that might cause a significant degradation in the effectiveness of the ability to perform the mission, significant damage to assets, significant financial loss, or significant harm to individuals that does not involve loss of life or life-threatening injuries.

Potential Impact: LOW (limited impact)

  • After you address all of the higher-impact areas, you will finally begin to address the low impacts.
  • These are identified as a loss of confidentiality, integrity, or availability that might cause a noticeable degradation in the effectiveness of the ability to perform the mission, though the mission is still accomplished, minor damage to assets, minor financial loss, or minor harm to individuals.

INFORMATION, SYSTEM, AND COMMON SECURITY CATEGORIZATION



INFORMATION CATEGORIZATION

Information categorization is handled separately from the categorization of the information system, which must also be categorized. The information to be categorized can be user information or system information, and either electronic or non-electronic. This information categorization also feeds into the information system security category. The categories are based on the security objectives associated with the particular information type.

EXAMPLES:

  • A law enforcement organization managing investigative information that is extremely sensitive might determine that impact from loss of confidentiality is high, loss of integrity is moderate, and loss of availability is moderate.
  • A website with public information on a web server might have no loss of confidentiality impact (meaning it is not applicable), moderate loss of integrity impact, and moderate loss of availability impact.
  • A financial organization managing routine administrative information (non-privacy) determines the potential impact from a loss of confidentiality is low, impact from integrity loss is low and impact from the loss of availability is low.

TOOL: We have developed the System/Application Impact Determination Tool to help with this process.

SYSTEM CATEGORIZATION

The information system categorization is a more in-depth process and must consider the security categories of all information types resident on the information system. For each objective, the system’s impact is the highest value among the security categories determined for the information types residing on it. NOTE: An information system security categorization can never be “not applicable” for any objective; by its very nature a system always has some impact value.

EXAMPLE: If two types of information reside on a system with the following categorizations:

  • Information Type 1: (Confidentiality: MODERATE), (Integrity: LOW), (Availability: HIGH)
  • Information Type 2: (Confidentiality: MODERATE), (Integrity: HIGH), (Availability: LOW)

The system itself would have a security categorization of at least:

  • (Confidentiality: MODERATE), (Integrity: HIGH), (Availability: HIGH)


COMMON CONTROL CATEGORIZATION

  • In most cases the primary network will house or transport information for most of the agency’s systems. The primary network needs its own determination, and the agency must decide whether applying this process to the network will be more beneficial than applying it to each individual system.
  • If most of the information and systems reside on or traverse the agency’s primary network, hardening the network becomes a top priority. The highest system impact level among all of the systems on the network should be used to determine the criticality of this resource. It is common for the network to house most applications, including several critical ones. Some agencies, however, may have their most critical assets communicating over different media or even processing information offline.
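
As an added worked example (not part of this instruction or its System/Application Impact Determination Tool), the high-water mark rule from the system categorization and common control passages above, in Python: a system takes the highest impact per objective across its information types, a common resource such as the primary network takes the highest across the systems it carries, and an information type rated “not applicable” for confidentiality is raised to LOW at the system level, since a system categorization cannot be not applicable. The function names, the `overall_impact` helper (the single highest of the three objectives, which is what a control baseline is selected against), and the sample inputs beyond the instruction’s own two information types are assumptions made for this example.

```python
from typing import Dict, Iterable

# Impact levels in ascending order. "NA" (not applicable) is only a legal
# value for the confidentiality of an information type, never for a system.
LEVEL_RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
RANK_LEVEL = {rank: level for level, rank in LEVEL_RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

Categorization = Dict[str, str]  # objective -> impact level


def _normalize(level: str) -> str:
    """Accept the spellings people type into spreadsheets; reject anything else."""
    level = level.strip().upper()
    if level in ("N/A", "NOT APPLICABLE"):
        level = "NA"
    if level not in LEVEL_RANK:
        raise ValueError(f"unknown impact level: {level!r}")
    return level


def categorize_system(info_types: Dict[str, Categorization]) -> Categorization:
    """High-water mark over all information types hosted on one system.

    For each objective the system takes the highest impact found among its
    information types. Because a system categorization may not be NA, an
    objective whose inputs are all NA comes out LOW.
    """
    if not info_types:
        raise ValueError("a system must host at least one information type")
    result: Categorization = {}
    for objective in OBJECTIVES:
        highest = 0
        for name, cat in info_types.items():
            level = _normalize(cat[objective])
            if level == "NA" and objective != "confidentiality":
                raise ValueError(f"{name}: NA is only allowed for confidentiality")
            highest = max(highest, LEVEL_RANK[level])
        result[objective] = RANK_LEVEL[max(highest, LEVEL_RANK["LOW"])]
    return result


def categorize_common_resource(systems: Iterable[Categorization]) -> Categorization:
    """Same rule applied to system categorizations, e.g. for the primary
    network that carries several systems' traffic (a common control)."""
    result: Categorization = {obj: "LOW" for obj in OBJECTIVES}
    for cat in systems:
        for objective in OBJECTIVES:
            level = _normalize(cat[objective])
            if level == "NA":
                raise ValueError("a system categorization cannot contain NA")
            if LEVEL_RANK[level] > LEVEL_RANK[result[objective]]:
                result[objective] = level
    return result


def overall_impact(cat: Categorization) -> str:
    """Single impact level for a system: the highest of its three objectives."""
    return RANK_LEVEL[max(LEVEL_RANK[_normalize(cat[o])] for o in OBJECTIVES)]


if __name__ == "__main__":
    # The two information types from the instruction's own example.
    payroll_system = categorize_system({
        "Information Type 1": {"confidentiality": "MODERATE", "integrity": "LOW", "availability": "HIGH"},
        "Information Type 2": {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "LOW"},
    })
    print("payroll system:", payroll_system, "overall:", overall_impact(payroll_system))
    # Constructed public web server: the information is NA for confidentiality,
    # but the system itself cannot be NA, so it is raised to LOW.
    web_system = categorize_system({
        "public web content": {"confidentiality": "NA", "integrity": "MODERATE", "availability": "MODERATE"},
    })
    print("web system:", web_system)
    print("primary network:", categorize_common_resource([payroll_system, web_system]))
```

Run as a script it prints the categorization for the instruction’s example (MODERATE, HIGH, HIGH), the web server with confidentiality raised to LOW, and the network that carries both. Rejecting NA for integrity or availability at the information-type level is deliberate: FIPS 199 permits that value only for confidentiality, and catching it here keeps spreadsheet errors from silently lowering a system’s category.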
IDENTIFY SPECIFIC SYSTEMS AND ASSETS

HARDWARE INVENTORY

The systems and resources need to be identified down to the physical machine and virtual resources. This level of detail is required in order to identify the exact resources that need protection.

  • If you have the asset management physical and software inventories (ID.AM-1), this process is very simple: gather the data based on the locations identified in the inventories themselves. It is important to verify this information to ensure it is accurate.
  • If you do not have those inventories on hand, you can either go through the process of completing them (NIST SP 800-128), as they will be needed later, or visit each location. It is important that you identify all hardware, including the manufacturer, device type, model, serial number, physical location (e.g. building number, room number, cubicle number), system owner, MAC address, machine name, and network address. This level of granularity is required to identify all of the “moving parts” needed to properly identify the system(s) from the different aspects of the security documentation. For example, you need to know the network address in case the machine cannot be reached by name, for instance if DNS is down. Additionally, different interfaces utilize different identifiers.

*NOTE: It is recommended that critical systems NOT utilize DHCP and instead be assigned a static network address. This helps ensure that you know exactly what the system’s address is at all times. Having this information may help you find the system or even determine whether or not it is connected to the network.
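An added example, not from this instruction: a small Python validator for a hardware inventory exported as CSV. It checks that the identifiers listed above are present on every record, that MAC and network addresses are well formed, that serial numbers and MAC addresses are not recorded twice, and, following the note, that anything marked critical is on a static address. The column names, the sample rows (constructed, with two deliberately defective records), and the extra `addressing` and `critical` columns are assumptions made for this example.

```python
import csv
import io
import ipaddress
import re
from typing import Dict, List

# Identifiers the instruction asks for on every hardware record. Cubicle is
# left optional because racked servers have none. "addressing" and "critical"
# are assumed extra columns so the DHCP note can be checked mechanically.
REQUIRED_FIELDS = ("manufacturer", "device_type", "model", "serial", "building",
                   "room", "owner", "mac", "hostname", "ip", "addressing", "critical")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

# Constructed sample inventory (not real devices). Row 3 is a critical system on
# DHCP; row 5 repeats a serial, has a bad MAC and an impossible IP address.
SAMPLE_INVENTORY = """\
manufacturer,device_type,model,serial,building,room,cubicle,owner,mac,hostname,ip,addressing,critical
Dell,server,R740,SN-0001,B1,101,,finance-it,00:1A:2B:3C:4D:5E,fin-db-01,10.10.1.20,static,yes
Dell,server,R740,SN-0002,B1,101,,finance-it,00:1A:2B:3C:4D:5F,fin-app-01,10.10.1.21,dhcp,yes
HP,workstation,Z2,SN-0003,B2,210,C12,jdoe,AA-BB-CC-DD-EE-01,ws-jdoe,10.10.5.77,dhcp,no
HP,workstation,Z2,SN-0003,B2,210,C13,asmith,ZZ:BB:CC:DD:EE:02,ws-asmith,10.10.5.999,dhcp,no
"""


def validate_inventory(csv_text: str) -> List[str]:
    """Return one human-readable finding per problem in the inventory."""
    findings: List[str] = []
    seen_serial: Dict[str, str] = {}
    seen_mac: Dict[str, str] = {}
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        label = (row.get("hostname") or "").strip() or f"line {line_no}"
        # 1. Every required identifier is present.
        for field in REQUIRED_FIELDS:
            if not (row.get(field) or "").strip():
                findings.append(f"{label}: missing required field '{field}'")
        # 2. MAC address is well formed and not already recorded (a duplicate
        #    usually means a copy-paste error or a cloned virtual machine).
        mac = (row.get("mac") or "").strip()
        if not MAC_RE.match(mac):
            findings.append(f"{label}: malformed MAC address {mac!r}")
        else:
            key = mac.lower().replace("-", ":")
            if key in seen_mac:
                findings.append(f"{label}: MAC {mac} already recorded for {seen_mac[key]}")
            seen_mac.setdefault(key, label)
        # 3. Network address parses as an IPv4 or IPv6 address.
        ip = (row.get("ip") or "").strip()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"{label}: invalid network address {ip!r}")
        # 4. Serial numbers are unique per physical device.
        serial = (row.get("serial") or "").strip()
        if serial:
            if serial in seen_serial:
                findings.append(f"{label}: serial {serial} already recorded for {seen_serial[serial]}")
            seen_serial.setdefault(serial, label)
        # 5. Critical systems should have a static address (the note above).
        critical = (row.get("critical") or "").strip().lower() == "yes"
        if critical and (row.get("addressing") or "").strip().lower() != "static":
            findings.append(f"{label}: critical system is not on a static address")
    return findings


if __name__ == "__main__":
    for finding in validate_inventory(SAMPLE_INVENTORY):
        print(finding)
```

Against the sample data this reports four findings: the critical application server on DHCP, and the malformed MAC, invalid address and duplicated serial on the second workstation. Running the same check over an export from the ID.AM-1 inventory is a cheap way to do the verification the first bullet asks for before the records are relied on in later steps.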

SOFTWARE INVENTORY

  • Do not forget to include your software inventories with this information. If you have completed the asset management software inventories (ID.AM-2), you can use that information as well. If not, it is recommended that you gather software license information and software version numbers in addition to the information mentioned above.
  • If the systems have any required dedicated connections with other internal or external information systems, these will need to be documented, including the interface characteristics, security requirements, and the nature of the information communicated. These are covered under System Interconnections and Internal System Connections (ID.AM-3).

*NOTE: Careful consideration must be given when information systems are connected to other systems with different security requirements and security controls, both internally and externally. This is important because two fully interconnected systems share the weaknesses and vulnerabilities of the weakest system connected. Think of it as a chain’s weakest link: once one system is compromised, it can compromise all connected systems.

REGULATORY REQUIREMENTS

Identifying regulatory requirements is not always easy: some are always applicable at a federal or state level, like Executive Order 13636, while others are specific to an industry sector or to a certain level of government.

NOTE: This is not an exhaustive list; these are a sample of regulatory requirements. Other regulatory requirements exist and should be identified in the security program, from leadership, letters of agreement, etc.

Federal Government Regulatory Requirements:

  • Executive Order 13636
  • Homeland Security Act of 2002
  • Federal Information Security Management Act (FISMA) of 2002

State and Local Government Regulatory Requirements:

  • Local/municipal/county Executive Orders
  • Texas Senate Bill 1134
  • Texas Senate Bill 1597
  • Texas Administrative Code 202

Industry Specific Regulatory Requirements:

  • Health Insurance Portability and Accountability Act (HIPAA) of 1996 – Healthcare Industry
  • New Basel Capital Accord (Basel II) Quantitative Standards, Section 606 – Banking (International)
  • Gramm-Leach-Bliley Act (GLBA) Title V – Section 501 Interagency Guidelines Establishing Standards for Safeguarding Customer Information – Financial Services
  • Federal Energy Regulatory Commission (FERC) Cyber Security Standard CIP-003-1 Security Management Controls – Energy/Infrastructure Industry
  • Chemical Information Technology Council (ChemITC) Guidance for Addressing Cyber Security in the Chemical Sector – Chemical Industry
  • USA PATRIOT Act – Financial Anti-Terrorism Act – Financial Services
REFERENCES

The steps in this document fall within several of the core functions of the NIST Cybersecurity Framework. This means that if you have already completed steps of the framework, that work may alleviate some of the tasks throughout this process. It also means you may want to consider taking those steps first, especially in the case of the Risk Management functions, including Threats and Vulnerabilities. See the chart below for the steps and the correlating documentation to refer to.

Identify: Asset Management (ID.AM):

Category | Category Subject | Reference | Documentation
-------- | ---------------- | --------- | -------------
ID.AM-1, 2 | Physical devices/systems, Software platforms/apps | NIST SP 800-53 Rev. 4 (Pg. 229); NIST SP 800-128 | Information System Component Inventory
ID.AM-3 | Information & Data Flows and Connections | NIST SP 800-53 Rev. 4 (Pg. 170, 213, 219, 298); FIPS Pub 199 | Information Flow Enforcement, System Interconnections, Internal System Connections, Information Security Architecture
ID.AM-4 | External Information Systems | NIST SP 800-53 Rev. 4 (Pg. 188, 318); NIST SP 800-35; FIPS Pub 199 | Use of External Information Systems, External Information System Services
ID.AM-5 | Prioritization of Resources (by classification, criticality, and business value) | NIST SP 800-53 Rev. 4 (Pg. 234, 307, 330); Federal Continuity Directive 1; NIST SP 800-34, 800-12, 800-30, 800-100 | Contingency Plan, Alternate Communications Protocols

Identify: Governance (ID.GV):

Category | Category Subject | Reference | Documentation
-------- | ---------------- | --------- | -------------
ID.GV-1 | Information Security Policy/Strategy | NIST SP 800-53 Rev. 4 (all families) | Information Security Strategy
ID.GV-3 | Legal and Regulatory Requirements | NIST SP 800-53 Rev. 4 (all families, except Information Security Program Plan); all applicable laws and statutes | *
ID.GV-4 | Governance and Risk Management | NIST SP 800-53 Rev. 4 (Pg. 395, 396); NIST SP 800-35; FIPS Pub 199 | Risk Management Strategy, Mission/Business Process Definition

STEP 3: CREATE A CURRENT PROFILE

The organization develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved.

PURPOSE

The purpose of this instruction is to continue facilitating the implementation of a security program. This specifically identifies steps to take to complete Step 3: Create a Current Profile for establishing or improving a Cybersecurity Program as identified in the NIST Cybersecurity Framework.

SCOPE

  • This instruction is somewhat independent of the previous two steps and touches on every control in the NIST Cybersecurity Framework in order to determine whether the control outcomes are being achieved.
  • This instruction uses the tier system identified in the Framework Core to help determine at what level the control outcomes are achieved. This is a slight modification of the way NIST uses the tier system, but it conforms to the feedback from the NIST Cybersecurity Workshop that occurred in April 2016.
THE CURRENT PROFILE: HOW WELL ARE OUTCOMES ACHIEVED?

TOOL: We have developed a comprehensive questionnaire to assist with this effort. It breaks the controls down into simplified questions and asks follow-up questions based on your answers.

Now that the impact determinations have been made, the next step is to compare the outcomes the agency actually accomplishes against the NIST Cybersecurity Framework recommendations. This should begin with the list of NIST recommended controls. Consider adding any controls from NIST SP 800-53 that apply to the system based on the system impact determination.

*NOTE: If you are just starting out and many of your highest-impact applications/systems run across your primary network, you should start with the network as your first system (using a common controls approach). This will allow you to build out from the network and adapt policy and procedures that will eventually encompass your entire agency.

HOW TO DETERMINE THE CURRENT PROFILE

The best way to compare control outcomes is to go through each control and determine whether the agency accomplishes it the way the control intends. A tool has been developed that breaks down each of the NIST security controls into a series of questions. Instructions for using it:

  • Pick a download location that will be used throughout this process and put the Current Profile Questionnaire in that location. The Current and Target Profile tools directly reference each other.
  • Upon opening the Current Profile Questionnaire, ensure it is opened for editing and that content is enabled.
  • The code within the spreadsheet is only used for hiding and expanding the questionnaire based on your answers.
  • The initial tab, “Intro”, displays a non-interactive comprehensive score of the data currently entered. This updates as changes are made.
  • The tab labelled “Program Management” is based on your overall cybersecurity program; if the common controls have already been defined and implemented, these should all be inherited.
  • Each of the remaining tabs correlates directly to a NIST Control Family as defined in NIST SP 800-53.
  • It is critical that this assessment be completed as accurately as possible. The questions are based on the individual controls, and the answers are designed to best determine the level of conformance with the NIST Cybersecurity Controls identified previously.
  • The next step is about selecting the controls that are to be targeted for implementation, and this will further affect your score.
REFERENCES

Due to the nature of this step, it does not directly correlate to any of the functions or categories of the NIST Cybersecurity framework. Since the assessment is the current state of your cybersecurity program all controls are affected.

STEP 4: CONDUCT A RISK ASSESSMENT

The purpose of this step is to assess the level of risk to the IT system. The risk for a particular threat/vulnerability pair can be expressed as a function of the likelihood of a given threat source attempting to exercise a given vulnerability, the magnitude of the impact should the threat source successfully exercise the vulnerability, and the adequacy of planned or existing security controls for reducing or eliminating risk.

PURPOSE

The purpose of this instruction is to continue facilitating the implementation or improvement of a security program. This instruction specifically identifies the action steps needed to complete Step 4: Conduct a Risk Assessment, which is designed to establish or improve a Cybersecurity Program as identified in the NIST Cybersecurity Framework.

SCOPE

  • This instruction will use similar segments from Step 3: Create a Current Profile to assist in identifying and evaluating certain events that could possibly affect the IT environment in a negative manner.
RISK MANAGEMENT APPROACH

The agency’s overall risk management approach needs to be defined prior to proceeding with the cybersecurity implementation. The agency’s risk management program and its cybersecurity program work together to ensure protection from external threats while keeping the risk level of those threats minimal and acceptable to the agency.

The risk approach should be defined in the risk management strategy, and it needs to specifically address cybersecurity risks.

If the risk management approach is not defined properly or if there is not a risk management strategy in place, it is recommended that risk management is addressed immediately. Risk management is a complex, multifaceted activity that requires the involvement of the entire agency; senior leaders provide the strategic vision and objectives, while mid-level leaders plan, execute and manage projects, and individuals on the front lines operate the information systems that support the mission/business functions. Risk management strategy is based on NIST SP 800-30, 800-37, and 800-39.

The main components of risk management are:

  • Risk Management Strategy
  • Risk Assessment
  • Risk Response
  • Risk Monitoring
RISK MANAGEMENT APPROACH 

Without a proper risk management approach the agency will not be able to accurately identify the possible threats to, and vulnerabilities of, the systems, information, and assets it is working to protect. Using the risk assessment approach is the best way to identify threats, vulnerabilities, and risks.  

NOTE: If the agency does not have a risk management program, it may be in its best interest to begin that process now.

Once the agency has identified the potential threats, risks, and vulnerabilities, it needs to evaluate its findings to determine the likelihood of occurrence for each. Each event should be categorized with one of the following threat level ratings, Critical, Major, Important, or Minor, in order to prioritize the order in which each issue should be resolved. Issues identified as Critical should be resolved first, and those identified as Minor can be addressed at a later time because of the lower level of risk they present to the agency. Examples of a threat, its related vulnerabilities, the risk generated by the two, and the probability of each occurring are shown in the table below:

 

Threat | Vulnerability | Risk of Compromise | Probability
------ | ------------- | ------------------ | -----------
Unauthorized use of a wireless connection for malicious use. | An open, unsecured router with a broadcast SSID | The exploitation of flaws could cause the loss of the confidentiality, integrity, or availability of an agency and/or catastrophic effects on the agency’s data, assets, or operations. | Almost Certain
(same threat) | A WEP encrypted router with a broadcast SSID | (same risk) | Likely
(same threat) | A WPA2 encrypted router with a hidden SSID, but no additional authentication required | (same risk) | Possible
(same threat) | A WPA2 encrypted router with a hidden SSID and additional user name and password authentication with password requirements, but no MAC filtering | (same risk) | Unlikely

POTENTIAL THREAT LEVELS

  • Critical: A critical threat, risk, or vulnerability is any weakness or combination of weaknesses that, if exploited, could result in the loss of the confidentiality, integrity, or availability of an agency’s assets or data. Occurrences marked “Critical” should be expected to have severe or catastrophic effects on the agency’s assets or operations. It is likely that an exploit of this level will prevent the delivery of critical IT services.
  • Major: A major threat, risk, or vulnerability is any weakness or combination of weaknesses that, if exploited, could result in a compromise of the confidentiality, integrity, and/or availability of user data, or could result in a compromise of the integrity or availability of processing resources. It is likely that an exploit of this level will prevent the delivery of IT services within expected timeframes.
  • Important: An important threat, risk, or vulnerability is a weakness whose exploitation is not as substantial as a major weakness, but may have a negative impact on operations or may allow access to limited resources. It is likely that an exploit of this level may impact the ability to satisfactorily deliver IT services.
  • Minor: A minor threat, risk, or vulnerability is a weakness whose exploitation has a minimal impact on the system, its users, and its information. An exploit of this level would have insignificant or no impact on delivering IT services as expected.
DEGREES OF LIKELIHOOD:

The degrees of likelihood are categories that help the agency determine the probability of each event/issue occurring (each of the risks found in the assessment will fall into both a threat level and a likelihood category).

  • Almost Certain: Events that fall into the “almost certain” category are expected to occur in most circumstances, as there is a history of regular occurrence at other agencies or similar institutions. Not only does this event have the highest probability of being exploited, but it also provides a gateway for other exploitations to occur. It is imperative that the events that fall under this category be handled immediately.
  • Likely: Events that fall into the “likely” category have a higher probability of occurring than others and should be resolved in a timely manner to avoid further exploitations. There is a strong possibility the event will occur, as there is a history of frequent occurrence at other agencies or similar institutions.
  • Possible: Events that fall into the “possible” category are not expected to occur, but there is a slight possibility that they may occur at some point in time. Events with a “possible” likelihood will not be among the more common risks, but should be addressed to prevent threat and exploit escalation due to the initial risk being overlooked. Based on occurrences at other agencies or similar institutions, the occurrence of these events is doubtful.
  • Unlikely: Highly unlikely, but it may occur in exceptional circumstances. Any event in the “unlikely” category would require a multitude of factors and variables to be in place before it becomes an immediate risk. The event could happen, but probably never will, based on occurrences at other agencies or similar institutions.
THREATS AND RISKS

Threats and risks will fall under one or more of the category types listed below. Identifying the type of risk/threat will help an agency separate and prioritize events. It will also help the agency develop the necessary resolutions to solve or prevent those events.

  • Adversarial: An adversarial threat arises when individuals, groups, or organizations look to manipulate, abuse, or exploit an agency’s dependence on cyber resources.
  • Accidental: An accidental threat arises when individuals, in the process of performing their everyday responsibilities, take unintentional actions.
  • Structural: A structural threat arises when an agency’s equipment, controls, and/or software necessary to perform daily operations fail.
  • Natural or Environmental: A natural or environmental threat arises when natural disasters and failures of critical elements outside of the agency’s control negatively affect the cybersecurity environment that the agency depends on.
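An added example, not from this instruction, that ties together the threat levels, degrees of likelihood and threat types defined above: a small Python risk register that scores each entry and orders it for resolution, starting with the most critical, and marks the lowest-scoring entries as retained with consequence planning, as the Risk Determination section describes. The instruction prescribes the categories but no formula for combining them, so the numeric weights, the product used as a score and the acceptance threshold are assumptions made here; the first four sample entries are the wireless example from the table above with threat levels assigned for illustration, and the last two are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# The four threat levels and four degrees of likelihood from this step, most
# severe first. The weights are an assumption for this example.
THREAT_LEVELS = {"Critical": 4, "Major": 3, "Important": 2, "Minor": 1}
LIKELIHOODS = {"Almost Certain": 4, "Likely": 3, "Possible": 2, "Unlikely": 1}
THREAT_TYPES = ("Adversarial", "Accidental", "Structural", "Natural or Environmental")
# Assumption: a score at or below this is retained, with plans for its consequences.
ACCEPTABLE_SCORE = 2


@dataclass(frozen=True)
class RiskEntry:
    threat: str
    vulnerability: str
    threat_type: str
    level: str        # one of THREAT_LEVELS
    likelihood: str   # one of LIKELIHOODS

    def __post_init__(self) -> None:
        # Reject values outside the defined vocabularies so a register cannot
        # silently carry an unrated entry.
        if self.threat_type not in THREAT_TYPES:
            raise ValueError(f"unknown threat type: {self.threat_type!r}")
        if self.level not in THREAT_LEVELS:
            raise ValueError(f"unknown threat level: {self.level!r}")
        if self.likelihood not in LIKELIHOODS:
            raise ValueError(f"unknown likelihood: {self.likelihood!r}")

    @property
    def score(self) -> int:
        """Assumed scoring: threat-level weight times likelihood weight (1..16)."""
        return THREAT_LEVELS[self.level] * LIKELIHOODS[self.likelihood]


def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """Descending order of resolution: highest score first; ties are broken by
    threat level, then likelihood, so a Critical/Unlikely item outranks a
    Minor/Almost Certain one with the same score."""
    return sorted(
        register,
        key=lambda r: (r.score, THREAT_LEVELS[r.level], LIKELIHOODS[r.likelihood]),
        reverse=True,
    )


def disposition(entry: RiskEntry) -> str:
    """Resolve the entry, or retain it while planning for its consequences."""
    return "retain and plan for consequences" if entry.score <= ACCEPTABLE_SCORE else "resolve"


def by_threat_type(register: List[RiskEntry]) -> Dict[str, List[RiskEntry]]:
    """Group entries by threat type, which the instruction says helps separate
    events and decide on the kind of resolution each needs."""
    groups: Dict[str, List[RiskEntry]] = {t: [] for t in THREAT_TYPES}
    for entry in register:
        groups[entry.threat_type].append(entry)
    return groups


# Constructed register. Rows 1-4 are the wireless example from the table above;
# their threat levels are assigned here for illustration only.
WIRELESS = "Unauthorized use of a wireless connection for malicious use"
SAMPLE_REGISTER = [
    RiskEntry(WIRELESS, "Open, unsecured router with a broadcast SSID", "Adversarial", "Critical", "Almost Certain"),
    RiskEntry(WIRELESS, "WEP encrypted router with a broadcast SSID", "Adversarial", "Critical", "Likely"),
    RiskEntry(WIRELESS, "WPA2 router, hidden SSID, no additional authentication", "Adversarial", "Major", "Possible"),
    RiskEntry(WIRELESS, "WPA2 router, hidden SSID, user authentication, no MAC filtering", "Adversarial", "Important", "Unlikely"),
    RiskEntry("Loss of the server room to flooding", "Server room below grade with no water sensors", "Natural or Environmental", "Critical", "Unlikely"),
    RiskEntry("Operator deletes production data", "No confirmation step on bulk delete in the finance application", "Accidental", "Major", "Possible"),
]


if __name__ == "__main__":
    for entry in prioritize(SAMPLE_REGISTER):
        print(f"{entry.score:>2}  {entry.level:<9} {entry.likelihood:<15} {disposition(entry):<34} {entry.vulnerability}")
```

Run as a script it lists the register from the open router (score 16, resolve) down to the WPA2 router with user authentication (score 2, retained with consequence planning). Keeping the weights in one place means the agency can swap in its own matrix from its risk management strategy without touching the ordering or grouping logic.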
RISK DETERMINATION

After the risks are analyzed and regulations are put in place, the agency can begin to prioritize the issues needing to be addressed in descending order, starting with the events flagged as “most critical.” Those events determined to be acceptable to the agency can be retained, but plans should be put in place to manage the possible consequences should the risk take place. Even if the risk may be considered minor, it is important for the agency to review and apply any vendor-provided patches and upgrades in a timely manner.

CONTROL RECOMMENDATIONS

  • The best practices the agency can implement to reduce the likelihood of the risk occurring include preventive maintenance, audit and compliance programs, policies and procedures, testing, and training staff to abide by certain practices to assist with the securing process.
  • Additionally, an agency can reduce the results of the risk occurring through contingency planning, disaster recovery, and off-site back-ups. With these processes in place, the consequences of the risk, should they occur, will be minimized.
  • There are also options to outsource and transfer some of the responsibilities to joint vendors or partnerships. This can give the agency a hand in properly securing their data and assets, while also leaving certain areas of inexperience to parties who specialize in those particular fields.
  • The final option is to avoid the event entirely by deciding not to proceed with the activity that would produce the risk, threat, or vulnerability.
RISK EVALUATION

  • In most agencies, the network itself will continually be expanded and updated, its components changed, and its software applications replaced or updated with newer versions. In addition, personnel changes will occur and security policies are likely to change over time. These changes mean that new potential risks will surface and risks previously mitigated may again become a concern. Because of this, the risk management process is ongoing and evolving.
  • The risk assessment process is typically repeated every few years; however, a risk management approach should be conducted and integrated in order for IT systems to effectively support the agency’s business objectives/mission. There should be a specific schedule for assessing and mitigating risks, but the process should also be flexible enough to allow changes where warranted (specifically major changes to the IT system and processing environment resulting from policy changes and new technology).
  • A successful cybersecurity risk management program will rely on several key factors including, but not limited to: commitment from senior management, support and participation from the IT team, and the IT team’s expertise in applying the risk assessment methodology to a specific site and system. These same factors are what allow the agency to identify mission risks and provide cost-effective safeguards that meet its needs. There will also need to be user training covering procedures and compliance with the implemented controls in order to safeguard the mission of the agency. As previously stated, this is an ongoing process and there will always be a need to reevaluate and assess the IT-related mission risks.
REFERENCES 

Due to the nature of this step, it does not directly correlate to any of the functions or categories of the NIST Cybersecurity Framework. Since the agency is assessing its current cybersecurity program, though, all of the controls of a system are being assessed in much the same way they would be in the Security Assessment control family.

The agency creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the agency's desired cybersecurity outcomes. Agencies also may develop their own additional Categories and Subcategories to account for unique agency risks. The agency may also consider influences and requirements of external stakeholders such as sector entities, customers, and business partners when creating a Target Profile.

PURPOSE

The purpose of this instruction is to continue facilitating the implementation or enhancement of a security program. This specifically addresses steps to take to complete Step 5: Create a Target Profile for establishing or improving a Cybersecurity Program as identified in the NIST Cybersecurity Framework. 

SCOPE 

  • This instruction depends on the outcomes of the Current Profile developed in Step 3. It will similarly touch upon every control family in the NIST Framework in order to determine what control outcomes are desired.
  • This instruction will use the tier system identified in the Framework Core to help determine at what level the control outcomes are achieved.
TARGET PROFILE

Tool: We have developed a comprehensive questionnaire to assist with this effort. It breaks the controls down into simplified questions and asks questions based on the given answers.

Note: This tool uses macros that will need to be enabled in order to function properly.

For the target profile, the agency should go back through the recommended controls for a cybersecurity program identified in Step 3: Create a Current Profile to determine what outcomes the agency desires.

Now that the agency knows what is recommended, and what is currently accomplished, the agency needs to determine what outcomes it desires. This will eventually allow it to create a plan for implementing those outcomes through the NIST Security Controls. We recommend downloading the tool in the sidebar and following these instructions:

  • Download this tool into the same folder the current profile tool was downloaded to. This will enable the scoring to adapt based on the target controls.
  • Upon opening the Target Profile Questionnaire, ensure it is “opened for editing” and that the content is enabled (this allows the macros to function).
  • The target profile tool is laid out very similarly to the Current Profile Tool. This is intentional and allows the two to be cross-referenced more easily.
  • The first tab is the “Intro” tab and it displays a non-interactive comprehensive score of the current program compared to the target controls that have been selected.
  • The Program Management tab is again based on the overall cybersecurity program regardless of what type of system, application, or information the rest of the assessment is for or where it resides. The rest of the tabs are specific to the individual system (or common controls, if that is the goal), application, or information that is currently being analyzed.
  • The questions here will adapt to the answers in order to simplify the process. If “Yes” is selected for an overarching control question, all sub-questions will shift to match the selection (this also works with “No” selections). This does not lock in the control answers; simply select a different answer for any sub-question whenever desired, thus overwriting the formula. NOTE: changing a sub-question’s response overwrites the code, and the questionnaire will need to be re-downloaded in order to reset it.

Back on the scoring sheet the complete score will be updated. This only scores the current profile items of selected controls in the target profile questionnaire, ignoring any “no” selections.

REFERENCES

Due to the nature of this step, it does not directly correlate to any function or category of the NIST Cybersecurity Framework. In fact, since the agency is selecting where it wants to go with its program, it does not map to anything in any of the NIST Security Control Families from NIST Special Publication 800-53.

The agency determines, analyzes and prioritizes gaps based on the results of the Current and Target Profiles.

PURPOSE

The purpose of this instruction is to continue determining the actions and prioritization of actions needed to implement or enhance the security program. This specifically addresses the requirements in order to complete Step 6: Determine, Analyze, and Prioritize Gaps for establishing or improving a Cybersecurity Program as identified in the NIST Cybersecurity Framework.

SCOPE

  • This instruction depends on the outcomes of the Current Profile developed in Step 3, as well as the results specified in the Target Profile in Step 5. A priority scale has been provided to sort each control and control family in the NIST Cybersecurity Framework in order to determine which control outcomes need to be addressed first.
GAP ANALYSIS

Conducting a Gap Analysis is an integral part of implementing or enhancing a cybersecurity program. The gap analysis will help determine the best course of action to effectively accomplish the cybersecurity outcomes the agency seeks to pursue. By comparing the answers gathered in the Current and Target profiles, a gap analysis can most efficiently be generated.

In accordance with the NIST Cybersecurity Framework, priority codes are to be used to determine the order in which to implement controls. Based upon the priority score given to each control in the Target Profile, the agency can begin to prioritize which controls need to be addressed first. The first table below indicates that each control graded “Priority Code 1 (P1)” should be implemented first, followed by controls with a “Priority Code 2 (P2)” grade, and so on. Individual controls or control families graded “Priority Code 0 (P0)” should be the very last items to be implemented. These items, while still important, are minor in comparison to the other items, which require immediate attention if they are not currently in place.
TABLES

Priority Code                       Sequencing   Action
Priority Code 1 (P1)                FIRST        Implement P1 security controls first.
Priority Code 2 (P2)                NEXT         Implement P2 security controls after implementation of P1 controls.
Priority Code 3 (P3)                LAST         Implement P3 security controls after implementation of P1 and P2 controls.
Unspecified Priority Code 0 (P0)    NONE         Security control not selected by any baseline.

Considering that more than half of the controls listed in NIST Special Publication 800-53 are P1s, a method to prioritize implementation of these controls was needed. Each cybersecurity environment will differ; therefore, the prioritization of the controls and control families will vary from agency to agency. There may be multiple controls marked Priority Code 1 that have yet to be implemented within the agency. Depending on the current state of the environment, certain controls will come before others (an example demonstrating the prioritization of multiple P1 controls can be found in the next table).

                      Analysis
Current Environment   An electronics manufacturing agency in South Florida with an implementation percentage of 85%
Controls              The agency allowing the system to be accessed from external information systems
                      The agency is providing a short-term uninterruptible power supply
Suggestions           According to the current environment, the short-term uninterruptible power supply should be the first to be implemented due to the location of the agency and the likelihood of power outages due to weather.
IMPACT, DIFFICULTY, COST, & TIME

There are many ways to further refine the order in which the agency should address its weaknesses and implement new security controls. It is recommended that each factor be given a number scale; it can be 1-4 or 1-10, whichever distinction the agency prefers to use. Below are a few examples using a scale of 1-4.

Impact: This is a measurement of the effect the security control would have on the agency’s cybersecurity program. Something like implementing new Security User Training, which may not be very difficult, would likely have a great impact (4) on an agency that never had it before.

Difficulty: This is a measurement of how difficult a control is to implement. It considers difficulty from a technical perspective only. For instance, if a control calls for a new building to secure the data center, that would be very difficult, as it would require experts in multiple fields to implement; this would get the highest rating, say a 4. Whereas implementing a new Group Policy on an existing Microsoft network would take significantly less effort, which may earn it a 1 rating in this category.

Cost: This is a measurement of the resource cost of implementing a security control. The resources this accounts for could be only monetary, but it could also include other things, for instance space, equipment, or any manner of resource important to the agency. Looking again at the example for Difficulty, new building versus the GPO, the cost would get similar ratings. However, something like scrubbing Active Directory to remove extraneous accounts could be a tedious task while costing little outside of time.

Time: This is concerned with how long it takes to implement a security control. A good example is again the scrubbing of accounts in Active Directory, which is not too difficult but, depending on how many accounts exist, may take a long time.
PRIORITIZATION

Scoring can be handled in many different ways. The examples below use a 1-4 scale, with 1 being the least and 4 being the greatest. It is recommended that the following method be used to assist with prioritization: Time, Difficulty, and Cost are added together, and the Impact is subtracted.

T + D + C - I = Prioritization level

A: 3 + 2 + 2 - 3 = 4

B: 3 + 3 + 3 - 2 = 7

C: 2 + 3 + 4 - 1 = 8

D: 2 + 2 + 1 - 4 = 1

E: 4 + 4 + 4 - 4 = 8

F: 4 + 4 + 4 - 1 = 11

  • It is recommended that the security controls be prioritized by lowest score first. On a 1-4 scale this results in a possible score range of -1 through 11. The order of the above would come out to D, A, B, C, E, F.
  • If the agency would rather the impact rating (or any other rating) have a larger effect on the score, it could use a higher range for that rating (for example: 1-6, or 1-10).
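The following is an added example, not part of this instruction or of any tool it references, that carries the gap-analysis ordering through in code: controls are sequenced by NIST priority code first (P1, then P2, P3, with P0 last) and, within a code, by the T + D + C - I prioritization level described above, lowest first. The control names A-F and their ratings are the sample values from the worked example; the `priority_code` field and the validation against the chosen scale are assumptions added here.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Implementation sequence of the NIST priority codes from the table above:
# P1 first, then P2, then P3; P0 (not selected by any baseline) last.
PRIORITY_ORDER = {1: 0, 2: 1, 3: 2, 0: 3}


@dataclass(frozen=True)
class ControlRating:
    name: str
    priority_code: int   # NIST priority code 0-3 (assumed field, not from the tool)
    time: int            # T: how long implementation takes
    difficulty: int      # D: technical difficulty of implementation
    cost: int            # C: resource cost (money, space, equipment, ...)
    impact: int          # I: benefit to the cybersecurity program


def validate_rating(rating: ControlRating, scale_max: int = 4) -> None:
    """Reject ratings outside 1..scale_max or an unknown priority code."""
    if rating.priority_code not in PRIORITY_ORDER:
        raise ValueError(f"{rating.name}: priority code must be 0-3, got {rating.priority_code}")
    for label, value in (("T", rating.time), ("D", rating.difficulty),
                         ("C", rating.cost), ("I", rating.impact)):
        if not 1 <= value <= scale_max:
            raise ValueError(f"{rating.name}: {label} rating {value} is outside 1-{scale_max}")


def prioritization_level(rating: ControlRating) -> int:
    """T + D + C - I, exactly as the instruction defines it; lower means implement sooner."""
    return rating.time + rating.difficulty + rating.cost - rating.impact


def score_range(scale_max: int = 4) -> Tuple[int, int]:
    """Smallest and largest possible levels for a 1..scale_max scale (-1 and 11 for 1-4)."""
    return (3 * 1 - scale_max, 3 * scale_max - 1)


def order_controls(ratings: List[ControlRating], scale_max: int = 4) -> List[str]:
    """Return control names in implementation order.

    The priority code governs first (P1 before P2 ...); the TDC-I level breaks
    ties within a code. sorted() is stable, so controls that tie on both keys
    keep the order in which they were listed (C before E in the sample).
    """
    for rating in ratings:
        validate_rating(rating, scale_max)
    ranked = sorted(
        ratings,
        key=lambda r: (PRIORITY_ORDER[r.priority_code], prioritization_level(r)),
    )
    return [r.name for r in ranked]


# Constructed sample: the six ratings from the worked example above, all treated as P1
# so that the TDC-I level alone decides the order (T, D, C, I in that sequence).
EXAMPLE_RATINGS = [
    ControlRating("A", 1, 3, 2, 2, 3),
    ControlRating("B", 1, 3, 3, 3, 2),
    ControlRating("C", 1, 2, 3, 4, 1),
    ControlRating("D", 1, 2, 2, 1, 4),
    ControlRating("E", 1, 4, 4, 4, 4),
    ControlRating("F", 1, 4, 4, 4, 1),
]

if __name__ == "__main__":
    for rating in EXAMPLE_RATINGS:
        print(f"{rating.name}: {prioritization_level(rating)}")
    print("Implementation order:", order_controls(EXAMPLE_RATINGS))
```

Changing `scale_max` (and the ratings with it) is how an agency would give one factor more weight, as the second bullet above suggests; `score_range` reports the resulting minimum and maximum so the scoring sheet can be labelled accordingly.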

The implementation action plan prioritizes the implementation actions and projects the start and target completion dates. This plan will aid and expedite the risk mitigation process.

PURPOSE

The purpose of this instruction is to continue facilitating the implementation of a security program. This instruction specifically identifies the action steps needed to complete Step 7: Implement Action Plan, which is designed to establish or improve a Cybersecurity Program as identified in the NIST Cybersecurity Framework.

SCOPE

This instruction will use segments from all previous steps to assist in implementing an action plan to bring an agency's environment into compliance with the NIST Cybersecurity Framework for a Cybersecurity Program.
INSTRUCTIONS

The Implement Action Plan is the focal point for all activities associated with implementing a cybersecurity program. With the previous Implementation Steps completed (Current Profile, Target Profile, and Gap Analysis) and the results gathered and analyzed, your agency can begin the implementation process. There will be a Testing Phase as well as a Deployment Phase to complete the course of action. As previously stated in the Gap Analysis, controls tagged with a Priority Code 1 (P1) should be addressed first according to NIST; however, the agency may have decided to use the TDC-I method in addition, in order to account for the large quantity of P1 controls that need implementation. Attending to these critical issues first will be useful for your agency’s planning of costs, scope, and time.

NOTE: All of the processes described here are applied continuously, as different controls are implemented at different times throughout the agency.
POLICIES AND PROCEDURES

The single most important thing an agency can do is account for how it will implement security controls by including them in its policies and procedures.
TESTING

This step will involve periodic deployments into several environments and the assistance of various testing groups to ensure the functionality of new implementations in each environment. Testing should cover a wide range of areas, including load testing, performance, and user testing, as well as other areas, in order to cover all capacities where implementation issues may occur. If using a production environment, planning the following will be helpful when assigning roles to specific individuals in order to maximize improvement: how the system will be tested, which hardware and software will be used, and which dates, times, and specific devices will be tested. This process should also be communicated to the end users to avoid confusion and mishaps during daily operations.
DEPLOYMENT

After the testing has been completed, all parties involved should then coordinate with one another to propose any last-minute changes to the implementation plan. Specific dates and times of the deployment will need to be set to ensure an efficient installation and configuration process. There should also be a time slot allocated after the deployment has been completed to address any issues that were not found during the testing phase. In the case that things are problematic, this post-deployment evaluation will assist in fixing the problem(s) found at your agency’s earliest convenience.
REVIEW

The agency must review all installations, configurations, and any other changes to the environment that occurred during the deployment phase. Once this has been completed and you have verified that the environment is in a working and functional state, your agency should document the implementation process as “completed” and use the new configuration as a benchmark for any future changes or risk assessments that occur. Environments change, as do employees, so it is imperative to keep a record of all changes to ensure that all personnel who follow will be aware of previous changes made to the environment.