GovLoop

Working Within a New Cyber Framework

Government networks are faced with millions of cyberthreats each day. Responding proactively to these security events is a top priority across federal, state and local governments.

GovLoop hosted an online training titled “Redefining Security- Govs Embrace Cyber Framework” that addressed how governments are enhancing cyber efforts through the adoption of the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework (CSF).

What exactly does the CSF recommend and how can governments use it to tackle their own unique organizational concerns?

Ken Durbin, Sr. Strategist of Global Government Affairs and Cyber Security, Symantec, and Matt Barrett, NIST Program Manager, Cybersecurity Framework, spoke at the training.

First, Durbin pointed out that the CSF is celebrating its five-year anniversary and over half a million downloads. “By 2020, a Gartner survey predicts that 50 percent of organizations will have adopted the NIST framework,” he said.

The CSF is used in a wide range of countries. “Soon, an estimated two billion people will be able to read the framework in their own language,” Barrett explained.

So what exactly are the five key functions of the CSF? They include:

“When you put all the categories together, you see the patchwork that happens,” Barrett pointed out. “You also see dependencies.” Here are the activities that correspond in color to each key function of the CSF:

How exactly is the framework used in organizations? “There is a typical order in which the five parts of the functions are used,” Barrett stated. The five functions are considered when communicating strategies, plans, and policies. Each implementation tier is customized and assessed to determine the current state of the agency and determine where improvements must be made. “A profile is a customization of the cybersecurity framework categories and subcategories in a way that prioritizes desired outcomes,” Barrett said. Profiles are also usually developed and implemented to manage requirements and ensure that agency priorities align with a set output.

NIST provides resources to help with implementation of the CSF. Success stories of CSF use include the University of Chicago, the Japanese Cross-Sector Forum, and the University of Pittsburgh, among others.

However, there are a few implementation challenges agencies might face when aligning procedures to the CSF. First, governmental organizations are federated, meaning there are multiple layers that often operate independently of each other. Creating a comprehensive view of cybersecurity requires coordination across multiple departments, agencies, divisions, and institutions. “Organizational structures of government can be a challenge,” Durbin said. “You want to think about that during your planning.”

There are also naturally multiple compliance requirements, a lack of key stakeholder buy-in, budgetary constraints, and a “one and done” mentality.

A number of technologies apply to the five aspects of the CSF:

There are a number of tool gaps, however:

How are you implementing the CSF in your agency? Let us know in the comments below.

Photo Credit: NIST
