Alan Levine, cybersecurity advisor and recently retired CISO of Alcoa, presented “True North: A Path to NIST Cybersecurity Framework Success.” Alan’s presentation generated lots of great questions, which he graciously answered below. If you missed his presentation or would like to watch it again, you can view it below.
There are tools in the marketplace that provide ongoing assessments that evaluate whether or not an organization is in compliance with CSF. Could you recommend one in particular?
It’s very hard for me to make specific tool or service recommendations. Nevertheless, the beauty of CSF is that you can do it yourself, without a tool, and spend only internal resources.
You said to pick one framework, however, most organizations already have regulatory requirements (FFIEC, NCUA, HIPAA, HITRUST, PCI, etc). Do I still need the CSF?
You may not. If an organization has already adopted a particular framework (for finance, healthcare, or anything else that’s sector-specific), then it makes less sense to move to CSF. Now, if you have a choice, CSF is a cleaner approach and may also be easier to implement than FFIEC or PCI.
Are there any good resources that will help document the path to true north? What would you look for in a good documentation resource?
There are lots of free models for policy, but less for testing specific to NIST standards. It’s important that any documentation for your processes (test results, for example) fits your specific program.
We have adopted the CIS Top 20 Critical Security Controls as a basic/foundational approach to cybersecurity and would like to adopt the NIST CSF. What steps should we take?
Good news - this is the natural progression and you’ve done the hard work already. Integrate what you can and avoid any duplicate efforts.
When should an organization use NIST 800-171 instead of NIST CSF?
I recommend using 171 when it is required (CMMC level 3, for example). Otherwise, 171 is too much for most organizations.
What's the adoption rate of NIST 800-171 vs CSF?
CSF is adopted much more often, because it is a smaller lift for most organizations. 171 is typically adopted by regulated organizations.
What is the CMMC?
The Cybersecurity Maturity Model Certification, or CMMC, is the US Defense Department’s most recent effort to secure the defense industrial base supply chain. CMMC is an outgrowth of the DFAR for cybersecurity, which relies heavily on NIST 800-171. The change with CMMC is that an organization’s maturity level can be measured and assessed, and that self-attestations have been replaced with formal audits.
Is there a CSF specific to medical device security?
CSF is not sector-specific; however, NIST does offer sector-specific advice in its 1900-series publications. Click here for an example.
Are there standards for Higher Education?
NIST appears to be developing a set of advice for higher education. Click here for the current status.