Navigating the NIST Cybersecurity Framework
Explore the NIST Cybersecurity Framework and tools and processes needed for successful implementation.
Abstract
For federal agencies, addressing cybersecurity threats while maintaining mission-critical operations is a challenge. The NIST Cybersecurity Framework promises to help agencies meet these dual needs. But in these early days of the Framework rollout, agencies may find implementation comes with its own set of challenges. How can agencies navigate the Framework to most effectively implement the guidelines?
Introduction
Since 2009, the reported number of cyber intrusions at federal agencies has increased 144% [1], keeping cybersecurity a top priority for the federal government. With thousands of employees, often siloed departments, and tight budgets, increasing agency cybersecurity while still maintaining mission-
To address these challenges, Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directed the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The resulting NIST Cybersecurity Framework includes leading practices that a variety of standards bodies have deemed successful. Like the Federal Identity Credential and Access Management (FICAM) framework, this framework is a collection of best practices—practices that improve efficiency and protect constituents.
Many of the best cybersecurity measures are purely organizational—going above and beyond technology to look at what the agency as a whole is doing for response and recovery. However, Dell has helped many federal agencies
offers a solid platform for developing a cybersecurity strategy that will protect them from current known, and future unknown, threats.
Yet, the Framework is intentionally broad—no agency can implement every guideline and no single technology vendor can address every aspect of it. To use this framework to its fullest effect, you need to understand what is important to your agency and the cybersecurity and IT challenges you face.
Challenges Facing Federal Agencies
Based on our experience in the federal agency cybersecurity arena, Dell has identified key challenges federal agencies face in adopting the Framework and issues to consider in implementing the Framework.
The first challenge agencies face is the sheer number of cyber threats they must deal with: 52% of federal executives say their agency is the target of cyber intrusions multiple times each month or more, and 30% say they are a target multiple times each day, according to Dell-sponsored research by the Government Business Council (GBC). Creating thoughtful, proactive policies while operating in crisis-management mode is nearly impossible for any organization.
The GBC research also found 86% of respondents face obstacles to a more holistic federal cybersecurity posture.
Not surprisingly, the top obstacle is budget constraints (61%). Other common challenges include a slow technology acquisition process (46%) and bureaucratic inertia (44%). Federal executives report that each of their information system layers (i.e., network, host, application, and data levels) is secure, but say there is room for improvement. In particular, respondents single out workforce education (52%) and risk management (51%) as the cyber defense elements needing the most improvement.
In Dell-sponsored research conducted by government market research firm Market Connections, Inc., 72% of agencies said they must comply with three or more federal mandates. Half (51%) describe their organization’s ability to provide managers and auditors evidence of appropriate IT controls as fair (they have the tools in place to respond to issues, but are reactive rather than proactive).
Another challenge is the silos in which many agencies are divided. Security measures for this siloed approach were developed long before cloud, BYOD, and other innovations became mainstream. They work best for locking down only parts of the enterprise – the network or the endpoint, the user or the data. Because they were developed to operate in siloed environments, these approaches create gaps, forcing IT to manage each silo separately. And this increases costs and risk while challenging everybody—especially users.

Top Challenges in Addressing Cyber Threats
1. Budget constraints
2. Slow technology acquisition process
3. Bureaucratic inertia
4. Need to comply with three or more federal mandates
5. Inability to provide managers and auditors evidence of appropriate IT controls

The NIST Framework at a glance
Core: Set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors
Implementation tier: How an organization views cybersecurity risk and the processes in place to manage that risk. The four tiers are Partial, Risk Informed, Repeatable, and Adaptive.
Profile: Alignment of the mission requirements, risk tolerance, and resources of the organization

“At the end of the day, complying with the Framework is not about trying to complete a checklist. It’s about figuring out your agency’s real-world priorities and what will move you toward achieving them as quickly as possible.”
Paul Christman, Vice President, Dell Software Public Sector
Most of these challenges have more to do with organizational policies rather than technology. However, all of these challenges can be, at least in part, addressed by having the right processes in place—and the right technology can help streamline processes.
Addressing these key challenges as you begin developing a NIST framework strategy is critical to developing an effective plan.
Developing a NIST Cybersecurity Framework Strategy
There is good news for agencies that may be feeling overwhelmed after an initial reading of the Framework: there is no requirement that agencies address every one of the Framework's subcategories (roughly a hundred in the Core). The Framework isn’t about doing everything now—it’s about thinking through the issues and challenges and developing processes that evolve over time. The reality is, there may be 7, 10, or even 20 things your agency can do now that will accomplish 80% of your implementation plan—a solid foundation from which to advance over the course of the next months or years.
When reconfiguring any IT processes, it’s important to take a look at what you have and how it fits within the Framework—changing course on a technology investment you’ve already committed to may be costly and unnecessary. There are often multiple ways to address any requirement. Assess how your agency is already meeting or exceeding cybersecurity requirements.
You may be focusing your efforts on the categories that comprise the Framework, or you may be doing it some other way that is still valid, even if it doesn’t follow the Framework. Operationally, this is your challenge—and one that a systems integrator can help you navigate.
To effectively understand where you need to go, you need to stop and assess where you are. This seven-step process will get you going in the right direction:
1. Prioritize and scope mission objectives and priorities.
2. Match critical systems with threats.
3. Create a current cybersecurity technology profile based on Framework categories.
4. Conduct a risk assessment.
5. Create a target profile (an organization’s desired state).
6. Determine, analyze, and prioritize gaps between mission priorities, critical systems, current technology profile, desired state, and risks.
7. Develop a strategy to address the items uncovered in step 6.
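The seven steps above amount to a profile-and-gap exercise: score where you are (step 3), decide where you want to be (step 5), and rank the difference by risk and mission priority (step 6). The following Python is an added example, not code from the original whitepaper or from Dell, showing one way to carry out step 6 and to extract the short list of items the page says will cover most of the plan. The subcategory identifiers (ID.AM-1, PR.AC-1, and so on) are Framework Core identifiers; the current and target profiles, risk scores and mission weights are constructed for illustration, and scoring each subcategory on the four Tier names is a convention assumed here, since the Framework itself applies Tiers to the organization as a whole.

```python
from dataclasses import dataclass

# Implementation Tier names from the Framework, mapped to an ordinal score.
# Assumption: the four Tiers are reused as a per-subcategory maturity scale;
# a subcategory absent from the current profile ("not addressed") scores 0.
TIER_SCORE = {"Partial": 1, "Risk Informed": 2, "Repeatable": 3, "Adaptive": 4}


@dataclass(frozen=True)
class Gap:
    subcategory: str   # Framework Core identifier, e.g. "PR.AC-1"
    function: str      # Function prefix: ID, PR, DE, RS or RC
    current: int       # score in the current profile (0 = not addressed)
    target: int        # score in the target profile
    priority: int      # (target - current) * likelihood * impact * mission weight


def _score(profile, subcategory):
    """Ordinal score of a subcategory in a profile; unknown tier names are an error."""
    name = profile.get(subcategory)
    if name is None:
        return 0
    if name not in TIER_SCORE:
        raise ValueError(f"unknown tier {name!r} for {subcategory}")
    return TIER_SCORE[name]


def gap_analysis(current_profile, target_profile, risk, mission_weight):
    """Step 6: rank every subcategory whose current score is below its target.

    risk maps subcategory -> (likelihood, impact) from the risk assessment
    (step 4); mission_weight maps a Function prefix to the weight given to it
    during scoping (step 1).  Missing entries default to 1.
    """
    gaps = []
    for subcategory in target_profile:
        target = _score(target_profile, subcategory)
        current = _score(current_profile, subcategory)
        if current >= target:
            continue  # already meets or exceeds the target: not a gap
        function = subcategory.split(".")[0]
        likelihood, impact = risk.get(subcategory, (1, 1))
        priority = (target - current) * likelihood * impact * mission_weight.get(function, 1)
        gaps.append(Gap(subcategory, function, current, target, priority))
    # Highest priority first; ties broken by identifier so the order is stable.
    gaps.sort(key=lambda g: (-g.priority, g.subcategory))
    return gaps


def pareto_cut(gaps, fraction=0.8):
    """Smallest prefix of the ranked gaps whose priorities add up to at least
    `fraction` of the total: the handful of items to do first."""
    total = sum(g.priority for g in gaps)
    acc = 0
    for i, g in enumerate(gaps, 1):
        acc += g.priority
        if acc >= fraction * total:
            return gaps[:i]
    return list(gaps)


# Constructed sample data (not real agency data).  Tier assignments, risk
# scores and mission weights are invented for the example.
CURRENT_PROFILE = {
    "ID.AM-1": "Repeatable", "ID.AM-2": "Partial", "PR.AC-1": "Risk Informed",
    "PR.DS-1": "Partial", "DE.CM-1": "Partial", "RS.RP-1": "Repeatable",
    # RC.RP-1 deliberately absent: no recovery plan in place yet
}
TARGET_PROFILE = {
    "ID.AM-1": "Repeatable", "ID.AM-2": "Repeatable", "PR.AC-1": "Adaptive",
    "PR.DS-1": "Repeatable", "DE.CM-1": "Repeatable", "RS.RP-1": "Adaptive",
    "RC.RP-1": "Repeatable",
}
RISK = {  # (likelihood 1-5, impact 1-5)
    "ID.AM-1": (2, 3), "ID.AM-2": (4, 3), "PR.AC-1": (4, 5), "PR.DS-1": (3, 4),
    "DE.CM-1": (5, 4), "RS.RP-1": (2, 4), "RC.RP-1": (2, 5),
}
MISSION_WEIGHT = {"ID": 2, "PR": 3, "DE": 3, "RS": 2, "RC": 1}

if __name__ == "__main__":
    ranked = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK, MISSION_WEIGHT)
    for g in ranked:
        print(f"{g.subcategory:8} {g.current}->{g.target}  priority={g.priority}")
    print("first 80% of weighted gap:", [g.subcategory for g in pareto_cut(ranked)])
```

On the sample data ID.AM-1 drops out because it already meets its target, RC.RP-1 surfaces even though nobody recorded it in the current profile, and four of the six remaining gaps account for 80% of the weighted total, which is the kind of short list the text has in mind. The weights are deliberately coarse integers; what matters is that the ranking is reproducible and that the inputs come from steps 1 and 4 rather than from whoever is loudest in the room.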
When you look at what is important to your organization in terms of cybersecurity and mission-critical operations, what rises to the top? Those are the areas to focus your efforts when it comes to aligning processes and technology with the Framework. You can use that knowledge as the foundation for a plan to implement key cybersecurity priorities that follow the NIST guidelines.
While no one integrator has tools to address every aspect of the Framework, one with deep federal knowledge can help you develop the strategy and identify the processes. The Framework places a strong emphasis on collaboration—with an intention that agencies learn from each other. Integrators can easily facilitate that knowledge sharing.
Dell and the NIST Framework
With over a hundred distinct subcategories, completely satisfying all Framework requirements is a challenge for even the most adept organization.
While some compliant infrastructure and processes may be in place, it’s most likely that you’ll need to take additional steps to meet the Framework.
Dell offers a number of hardware, software, and services solutions to help you take those steps.
Dell offers many other solutions that give your agency the solid foundation a Framework-compliant organization needs: servers, storage, desktops, laptops, mobile devices, and services and software to help you optimize, migrate, and manage your IT infrastructure.
Conclusion
Should your agency adopt the NIST Cybersecurity Framework? Based on Dell’s work helping federal agencies implement cybersecurity plans and solutions, there is much to recommend the Framework as the core guideline for an agency’s cybersecurity strategy.
Adopting the Framework will help improve risk-based security, and it can assist with regulatory compliance—a challenge in and of itself for the majority of federal agency IT managers. Solid processes and good technology tools can also reduce costs and workforce pressure over time.
The key to moving from a strategy to successful implementation comes down to the tools. The Framework holds great promise, but at the end of the day, the tools and processes agencies implement will determine cybersecurity readiness and mission success.
93% of the federal executives surveyed in the GBC study said at least one element of their agency’s cyber defense needs significant improvement. Implementing the Framework can help close that gap.
NIST Framework Function (and Identifier) / Category / Dell Solutions

Identify (ID)
Categories: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Dell Solutions: Supply Chain Assurance; Dell One Identity (Identity & Access Management – IAM); Insider Threat Services

Protect (PR)
Categories: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
Dell Solutions: Dell One Identity; KACE Systems Management; Dell Data Protection|Encryption (DDP|E); Cloud Client Computing; Archive Solutions; Information Assurance (IA) Cybersecurity Lab; Supply Chain Assurance; SecureView Workstations; SonicWALL Network Security & Secure Mobile Access; Monitoring; AppAssure Backup and Recovery; NetVault Backup and Recovery; Backup Hardware; Insider Threat Services

Detect (DE)
Categories: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Dell Solutions: Dell One Identity; SonicWALL Network Security & Secure Mobile Access; Cloud Client Computing; Insider Threat Services; KACE Systems Management

Respond (RS)
Categories: Response Planning; Communications; Analysis; Mitigation; Improvements
Dell Solutions: Insider Threat Services; Other Security Services (including SecureWorks)

Recover (RC)
Categories: Recovery Planning; Improvements; Communications
Dell Solutions: AppAssure Backup and Recovery; NetVault Backup and Recovery; Backup Hardware
© 2014 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. (“Dell”).
Dell, Dell Software, the Dell Software logo and products—as identified in this document—are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.
The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products.
EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.
About Dell Software
Dell Software helps customers unlock greater potential through the power of technology—delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs:
data center and cloud management, information management, mobile workforce management, security and data protection.
This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com.
If you have any questions regarding your potential use of this material, contact:
Dell Software 5 Polaris Way Aliso Viejo, CA 92656 www.dellsoftware.com
Refer to our Web site for regional and international office information.
For More Information