Defining Control Framework (or cyber maturity) is the fifth step in building an X-Analytics profile. This page tells you how to enter your NIST CSF maturity.

The Control Framework section gives you the ability to enter your cyber framework implementation (or cyber maturity). Within this section, there are five options:
CIS CSC Profile
CIS CSC Sub-Controls Profile
NIST CSF Profile
Foundational Controls Profile
Technology Controls Profile

How Does NIST CSF Work Within X-Analytics?
NIST CSF is one of several options to define control framework implementation (cyber maturity). The control framework implementation serves as a risk countermeasure that determines the delta between inherent risk and residual risk. For each risk scenario (within the residual risk grid), the logic is:
inherent risk = threat x impact
residual risk = inherent risk x (1 - control effectiveness)
control effectiveness = control effectiveness max value x % of control implementation
control effectiveness max value (max benefit) = determined by historical data and cybersecurity intelligence data, updated several times per year within the application.
% of control implementation = determined by you answering cybersecurity framework questions
Your NIST CSF implementation determines residual risk, which further determines estimated cyber incident probability and severity.
Step 1: Answer the NIST CSF Sub-Category Questions
If you have a NIST CSF report, you can use your report to guide your answers in this section. If you do not have a report, then you will need to read each question and answer it for the profile.
For each question, you need to enter cyber maturity on a scale of 0 to 5 for each sub-category. X-Analytics supports decimal scores, such as 2.3. The maturity scale converts to a % implementation score within X-Analytics:
Maturity 0.0 = 0% implemented
Maturity 0.5 = 10% implemented
Maturity 1.0 = 20% implemented
Maturity 1.5 = 30% implemented
Maturity 2.0 = 40% implemented
Maturity 2.5 = 50% implemented
Maturity 3.0 = 60% implemented
Maturity 3.5 = 70% implemented
Maturity 4.0 = 80% implemented
Maturity 4.5 = 90% implemented
Maturity 5.0 = 100% implemented
After answering each sub-category question, you will notice that a maturity score is being determined for the NIST CSF category.
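The following is an added worked example (not X-Analytics code) that applies the logic above: it converts maturity scores to % implemented, rolls sub-category answers up to a category score, and carries a scenario through inherent risk, control effectiveness and residual risk. It assumes a linear maturity-to-percent mapping (maturity / 5), which reproduces every row of the table and extends it to decimal scores such as 2.3; it also assumes the category score is the mean of its sub-category scores and that the control effectiveness max value is a constant supplied by the caller, since the page does not state either.

```python
"""Worked example of the X-Analytics residual-risk logic described above.

Added illustration, not X-Analytics code. Assumptions (not stated on the page):
- a category's maturity is the arithmetic mean of its sub-category maturities;
- the 'control effectiveness max value' for a scenario is a constant passed in;
- the maturity-to-percent mapping is linear (maturity / 5), which reproduces
  every row of the page's table and extends it to decimal scores such as 2.3.
"""
from statistics import mean

MATURITY_MIN, MATURITY_MAX = 0.0, 5.0


def implementation_pct(maturity: float) -> float:
    """Convert a 0..5 maturity score into a % implemented (0..100)."""
    if not MATURITY_MIN <= maturity <= MATURITY_MAX:
        raise ValueError(f"maturity must be within {MATURITY_MIN}..{MATURITY_MAX}: {maturity}")
    return maturity / MATURITY_MAX * 100.0


def category_maturity(subcategory_scores: list[float]) -> float:
    """Roll sub-category answers up to one category score (assumed: arithmetic mean)."""
    if not subcategory_scores:
        raise ValueError("a category needs at least one sub-category answer")
    for score in subcategory_scores:
        implementation_pct(score)  # validates the 0..5 range for every answer
    return mean(subcategory_scores)


def control_effectiveness(max_value: float, maturity: float) -> float:
    """control effectiveness = max value x % of control implementation (as a fraction)."""
    return max_value * implementation_pct(maturity) / 100.0


def residual_risk(threat: float, impact: float, max_value: float, maturity: float) -> dict:
    """Page's chain: inherent = threat x impact; residual = inherent x (1 - effectiveness)."""
    inherent = threat * impact
    effectiveness = control_effectiveness(max_value, maturity)
    return {"inherent": inherent, "effectiveness": effectiveness,
            "residual": inherent * (1.0 - effectiveness)}


if __name__ == "__main__":
    # Constructed sample: six Asset Management sub-category answers, one of them decimal.
    asset_mgmt = [2.0, 2.3, 3.0, 1.5, 2.5, 3.5]
    cat = category_maturity(asset_mgmt)
    print(f"Asset Management maturity {cat:.2f} -> {implementation_pct(cat):.0f}% implemented")
    # Constructed scenario: threat 0.6, impact 100 (arbitrary units), max value 0.7.
    print(residual_risk(threat=0.6, impact=100.0, max_value=0.7, maturity=cat))
```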

A list of each NIST CSF category is below:
NIST CSF Function = Identify
Asset Management
Definition: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
Number of sub-categories: 6
Informs: risk reduction related to asset management amongst all applicable asset groups.
Business Environment
Definition: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
Number of sub-categories: 5
Informs: risk reduction related to the business's mission and objectives amongst all applicable asset groups.
Governance
Definition: The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Number of sub-categories: 4
Informs: risk reduction related to governance amongst all applicable asset groups.
Risk Assessment
Definition: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Number of sub-categories: 6
Informs: risk reduction related to risk assessment amongst all applicable asset groups.
Risk Management Strategy
Definition: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
Number of sub-categories: 3
Informs: risk reduction related to risk management strategy amongst all applicable asset groups.
Supply Chain Management
Definition: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
Number of sub-categories: 5
Informs: risk reduction related to supply chain management amongst all applicable asset groups.
NIST CSF Function = Protect
Access Control
Definition: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
Number of sub-categories: 7
Informs: risk reduction related to access control amongst all applicable asset groups
Awareness
Definition: The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
Number of sub-categories: 5
Informs: risk reduction related to awareness training amongst all applicable asset groups
Data Security
Definition: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
Number of sub-categories: 8
Informs: risk reduction related to data security amongst all applicable asset groups
Information Protection
Definition: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
Number of sub-categories: 12
Informs: risk reduction related to information protection amongst all applicable asset groups
Maintenance
Definition: Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
Number of sub-categories: 2
Informs: risk reduction related to maintenance and repairs amongst all applicable asset groups
Protective Technology
Definition: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
Number of sub-categories: 2
Informs: risk reduction related to maintenance and repairs amongst all applicable asset groups
NIST CSF Function = Detect
Anomalies
Definition: Anomalous activity is detected and the potential impact of events is understood.
Number of sub-categories: 5
Informs: risk reduction related to anomaly detection amongst all applicable asset groups.
Monitoring
Definition: The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
Number of sub-categories: 8
Informs: risk reduction related to event monitoring amongst all applicable asset groups.
Detection
Definition: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
Number of sub-categories: 5
Informs: risk reduction related to event detection amongst all applicable asset groups.
NIST CSF Function = Respond
Response Plan
Definition: Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
Number of sub-categories: 1
Informs: risk reduction related to response plan amongst all applicable asset groups.
Response Communications
Definition: Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
Number of sub-categories: 5
Informs: risk reduction related to response communications amongst all applicable asset groups.
Analysis
Definition: Analysis is conducted to ensure effective response and support recovery activities.
Number of sub-categories: 5
Informs: risk reduction related to response analysis amongst all applicable asset groups.
Mitigation
Definition: Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
Number of sub-categories: 3
Informs: risk reduction related to response mitigation amongst all applicable asset groups.
Response Improvements
Definition: Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
Number of sub-categories: 3
Informs: risk reduction related to response improvements amongst all applicable asset groups.
NIST CSF Function = Recover
Recovery Plan
Definition: Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
Number of sub-categories: 1
Informs: risk reduction related to response improvements amongst all applicable asset groups.
Recovery Improvements
Definition: Recovery planning and processes are improved by incorporating lessons learned into future activities.
Number of sub-categories: 2
Informs: risk reduction related to recovery improvements amongst all applicable asset groups.
Recovery Communications
Definition: Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
Number of sub-categories: 3
Informs: risk reduction related to recovery communications amongst all applicable asset groups.
NIST CSF Implementation Tier = Integrated Risk Management Program (This section is not part of the NIST CSF sub-categories. It was added to better determine NIST CSF Tier achievement. The questions in this section relate to the NIST CSF tier definitions.)
Integrated Risk Management Program
Definition: Senior cybersecurity and non-cybersecurity executives communicate regularly regarding cybersecurity risk, they monitor cybersecurity risk in the same context as financial risks, they adjust their perspective of cybersecurity risk due to ever changing business objectives, and they adjust the cybersecurity budget based on a definition of risk tolerance.
Number of sub-categories: 4
Informs: risk reduction related to integrated risk management program amongst all applicable asset groups.
NIST CSF Implementation Tier = External Participation (This section is not part of the NIST CSF sub-categories. It was added to better determine NIST CSF Tier achievement. The questions in this section relate to the NIST CSF tier definitions.)
External Participation
Definition: An organization participates with external stakeholders to prioritize threat information to inform its understanding of risks and actions to address evolving threats and technologies.
Number of sub-categories: 2
Informs: risk reduction related to external participation amongst all applicable asset groups.
Step 2: Complete the Next Section of the Profile Builder.
For further Profile Build guidance, please return here.