Many if not all IT providers openly support and endorse the NIST Cybersecurity Framework published in 2018. While laudable, supporting and endorsing an industry standard does not automatically equate to their products delivering on these standards. If anything, organizations should exercise caution as to what any IT provider’s support of the NIST Cybersecurity Framework really means and how it applies to the solutions they offer.
Possessing Cybersecurity Features ≠ Cyber Secure IT Infrastructure
Every IT provider currently makes multiple claims about the cybersecurity capabilities of its products. Further, IT providers can justifiably make these claims. The National Institute of Science and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity has five cyber security categories that it labels as follows:
Each of these five cybersecurity categories then contains specific items. For example, the NIST framework lists six components of the Protect category. These are Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes; Maintenance; and Protective Technology.
IT providers can then map their product’s features to any of these NIST cybersecurity categories or their specific components. They may then point to these features to illustrate their solution provides specific cybersecurity capabilities. In that sense, they would be correct. However, acquiring IT solutions that possess specific cybersecurity features does not automatically result in a cyber secure IT infrastructure for an organization.
The NIST Cybersecurity Framework is Just That: A Framework
The NIST Cybersecurity Framework certainly assists organizations in identifying IT solutions that possess specific cybersecurity features. The Framework even provides organizations guidance in terms of the specific product features for which they should look. However, the NIST Cybersecurity Framework is just that: a framework. Organizations must still determine the features they need, which products need these features, and how best to implement them.
Deciding which products to use and which features they should possess becomes complicated for at least three reasons.
- First, the mapping of specific product features to specific NIST Cybersecurity Framework boxes is a subjective exercise. The NIST Cybersecurity Framework only lists five high level cybersecurity categories and each category’s respective components. NIST leaves it up to organizations to map specific product features to these cybersecurity categories and their respective components. Even then, organizations must still independently determine if a specific product’s features meet their internal cybersecurity standards.
- Second, no universal, objective NIST cybersecurity feature check list exists for all IT solutions. Acquiring an IT solution that checks all the NIST Cybersecurity Framework boxes may sound like the simplest and easiest approach to becoming cyber secure. However, no such universal, objective checklist exists for all IT solutions. A specific IT solution feature may map to one, two, or multiple components of multiple NIST Cybersecurity categories. Further, mapping specific product features to specific NIST Cybersecurity components becomes a subjective exercise. The mapping becomes dependent upon each organization’s interpretation and understanding of the NIST Cybersecurity Framework components.
- Third, an IT solution may not, and probably does not, need to possess all NIST Cybersecurity Framework features. The subjective nature of the NIST Cybersecurity Framework and the difficulty in establishing a universal, objective feature checklist that applies to all IT solutions highlight why few, if any, IT solutions need to possess every cybersecurity feature. If anything, organizations should be suspicious of any IT solution that claims to check all the boxes. Rather, they should quantify where the IT solution fits in their organization’s IT infrastructure and the specific cybersecurity features that it should possess.
Two Organizational Cybersecurity To-Dos
Viewing the NIST Cybersecurity Framework in the context of what it is, a framework, should prompt organizations to perform two tasks.
First, establish the specific cybersecurity functions that specific IT solutions in their IT infrastructure should perform or support. For instance, more organizations, if not all organizations, now want to know as soon as possible when ransomware has been detected in their IT infrastructure. If that is the case, they need to quantify the features that each specific IT solution within their IT infrastructure should offer to support this initiative. They should also identify the IT solution(s) that will oversee and manage the detection of ransomware so all IT solutions in their IT infrastructure may interface with it.
Second, create a NIST Cybersecurity Framework feature checklist for each specific IT solution in their IT infrastructure. No one, universal NIST Cybersecurity Framework checklist exists for all IT solutions. However, organizations can and should create checklists for specific IT solutions they deploy in their IT infrastructure using the guidelines available in the NIST Cybersecurity Framework. In this way, organizations may quantify the specific cybersecurity features each IT solution must possess, and which features are optional.
In that vein, DCIG has already performed this task as it prepares a series of TOP 5 reports on Cyber Secure Backup Targets. It has mapped specific cyber security features found on today’s disk-based backup targets to the components within each of the five categories of the NIST Cybersecurity Framework. DCIG does not anticipate any backup target will fully support every component of these five NIST Cybersecurity categories. However, DCIG does anticipate that some backup targets better support more cybersecurity feature than others and, if and when deployed, will better position and secure organizations against ransomware attacks.
KEEP UP TO DATE WITH DCIG
To be notified of new DCIG articles, reports, and webinars, sign up for DCIG’s free weekly Newsletter.
To learn about DCIG’s future research and publications, see the DCIG Editorial Calendar.
Technology providers interested in licensing DCIG TOP 5 reports or having DCIG produce custom reports on their behalf, please contact DCIG for more information.