10 Dec Increasing Federal Cybersecurity and Privacy Program Maturity: Building a Flexible Roadmap
By Dan Chandler, CISO, and Bob Heckman, CIO, Criterion Systems, Inc.
In our first article on the subject of increasing the maturity level of federal department and agency (D&A) cybersecurity and privacy programs (CS&P), we outlined the challenges currently faced by Federal D&As regarding CS&P maturity and proposed a solution: a CS&P Maturity Model that reconciles applicable federal standards and industry best practices. The first step toward increasing maturity is understanding the current state of a CS&P program, project, or system and identifying what the current (as-is) and target (to-be) state looks like. Our solution starts with the NIST Cybersecurity Framework (CSF), and then integrates applicable criteria from FISMA, OMB, DHS, and OIG in order to provide the context needed to measure as-is and to-be CS&P framework profiles.
What is a Framework Profile?
The NIST CSF starts with a Core:
“…a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors…The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References, such as existing standards, guidelines, and practices for each Subcategory.”
To create a framework profile, a federal D&A first selects the Framework Categories and Subcategories that are the most appropriate based on their business drivers and risk appetite. This helps them create a framework profile representing the cybersecurity standards, guidelines and practices mapped to an implementation scenario. The current profile is called the “as-is” state and can be used to identify opportunities for improvement by comparing it to a target profile, or the “to-be” state. As described by NIST:
“The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.” Source: https://www.nist.gov/cyberframework/questions-and-answers#framework
The Problem: Roadmap Development Still a Piecemeal Approach
Starting with the NIST CSF and the organization’s developed profiles, federal D&As then need to combine and reconcile several standards, methodologies, procedures, and processes to truly understand their CS&P program’s as-is state. These include FISMA, OMB, DHS, and OIG criteria and annual reporting requirements. Adding to the challenge, current maturity models frequently address only a few of the elements Federal D&As need in order to understand where they are and where they need to go. For example, the criteria the OIG has developed and implemented cover incident response, contingency planning, information system continuous monitoring (ISCM), configuration management, etc. DHS’ CyberScope is also non-comprehensive. To determine the true “As-Is” and “To-Be” CS&P states, all of these elements must be brought together.
Recognizing the challenge of combining multiple criteria and requirements, Criterion has created a CS&P maturity model that provides a common language to address and manage CS&P risks. With the problem of taxonomy solved, the model provides a structured method to survey, analyze, document, manage, and enhance an organization’s CS&P program, operations, and/or systems. The model tracks more than 1000 data points, enabling organizations to gain a truly multidimensional view of their program and its needed evolution. This enables Federal D&As to address and manage CS&P risks in a cost-effective way based on mission/business needs, without additional regulatory requirements.
Building a Roadmap towards the Ideal To-Be State
When building a roadmap, flexibility matters. Over time, changes will need to be made to the CS&P program due to new threats, shifting requirements, updated mission/business strategies, and the need to add third-party relationships. Furthermore, it will need to adapt to new tools, technologies, processes, procedures, staffing, and hiring. That being said, what are the qualities that a well-resourced CS&P program or project should aim for?
In describing a healthy, mature Federal organization’s CS&P program, operations, and/or systems, Criterion starts with the most basic elements of the program’s mission/business: Identify, Protect, Detect, Respond, and Recover, along with general programmatic, external connection, and training/career aspects. Our customized and tailorable approach enables Federal D&As to determine the activities that are important to their critical service delivery and applicable CS&P goals and objectives, and then prioritize investments to maximize the impact of each dollar spent.
In an optimized, high maturity state, policies, procedures, and strategy are fully institutionalized, repeatable, self-generating, consistently implemented, and regularly updated based on a changing threat and technology landscape and mission/business needs. Criterion’s model, processes, and toolsets can help organizations create the roadmap they need to improve the maturity of their CS&P programs, moving towards this optimized state.