How States Can Benefit From the NIST CSF, the “Swiss Army Knife” for Managing Cyber Risk

By Rick Tracy posted May 30,2019 09:43 AM


By Rick Tracy, CSO, Telos Corporation

Imagine the pressure and responsibility that comes with protecting sensitive government and citizen data from malicious cyber threats. For any CISO working for a state government today, there is no need to imagine – it is the daily reality of the job.

It is no surprise then that security and risk management stood at the top of NASCIO’s Top Ten Policy and Technology Priorities for 2019.  In the not-so-distant past, it was hard to get people to think twice about cyber risk management – we’ve come a long way!

One practice that has proven effective in managing cyber risk is adherence to the NIST Cybersecurity Framework (CSF), developed five years ago as a set of voluntary standards and best practices to help organizations manage cybersecurity risks. It was intended to be effective and specific in its recommendations while remaining flexible enough for all organizations to implement it.

Given its growing acceptance among public and private enterprises worldwide, it makes sense that cybersecurity professionals in state governments are also taking notice. More than 20 states from Florida to California are using the NIST Cybersecurity Framework (CSF) to create or enhance their cybersecurity policies and programs. The Multi-State Information Sharing and Analysis Center (MS-ISAC) has also based its Nationwide Cybersecurity Review (NCSR) on the NIST CSF.

The “Swiss Army Knife” of Cyber Risk Management

The beauty of the NIST CSF is its flexibility. It creates a common frame of reference for planning, deploying, and discussing cybersecurity strategies and tactics, while enabling cybersecurity personnel to communicate ideas to committees and commissions within the state legislature in order to marshal support and gain funding for critical security initiatives. 

It can also be used to address a wide range of cyber risk management activity and reporting that goes well beyond what it explicitly spells out, such as:

Viewing remediation investments and benefits over time. It helps you justify spending by understanding where and why the most significant investments are being made and how these patterns change over time.

Understanding where there is redundancy in cyber risk remediation coverage and where there might be gaps.  The CSF can also help identify where automation might increase efficiency by reducing reliance on human analysis and manual tasks.

Producing meaningful cyber risk metrics and relating them back to the CSF to synchronize cyber risk management activity.  This allows auditors and IT personnel to better understand each other and helps organizations understand the effectiveness of security controls.

Key to the efficient deployment of the CSF is automating as many of the processes that relate to the framework as possible.  The ability to inherit security controls, collect and manage the right data, and maintain a supporting body of evidence to prove compliance can enable effective implementations of the CSF, making it an even more powerful regimen for assuring cybersecurity and enabling IT risk management across the organization.