This three-day Integrating NIST Frameworks (CSF/RMF) course helps students to understand the background and integration of several key frameworks from the National Institute of Standards and Technology (NIST). The course explains the background and application of NIST’s Cybersecurity Framework and Risk Management Framework (RMF), and their relationship to other NIST models such as those for Cybersecurity Workforce, Privacy Risk Management, Supply Chain Risk Management (SCRM), and integration with Enterprise Risk Management (ERM).
Using the Cybersecurity Framework’s proven components as a way to organize risk expectations, outcomes and communication, the course explains the interaction among mission objectives and priorities, risk management through the language of business, and application of those objectives for managing risk for business systems and services.
The course applies the principles described in the Cybersecurity Framework to treat cybersecurity risk management as an enterprise practice. It helps security teams understand how to manage risk in light of executives’ priorities, and it helps leaders apply the necessary privacy & security enablers to be prepared for an ever-evolving cybersecurity risk landscape.
Note that although this course has been developed and will be delivered by an engineer that participated in numerous NIST projects, NIST itself does not deliver or endorse any formal courses about their risk management or cybersecurity initiatives.
The integration course is organized as follows:
Section 1 - Course Introduction
This section will provide an overview of the course including the relevant learning objectives, course organization, and approach. It will introduce the role of the U.S. National Institute of Standards and Technology (NIST) in setting international standards, providing broad risk management guidance, and promoting interoperability.
Section 2 - The Basics of Cybersecurity Risk Management
There are some terms, such as threats and vulnerabilities, that are commonly used but that are also frequently misunderstood. This section sets a foundation for risk management discussion by clearly defining and explaining the terms used by various risk models, and by exploring the common stages of risk management in public- and private-sector enterprises.
- Internationally-recognized standards and models for describing risk itself and the management of that risk to support enterprise mission and objectives;
- Defining the scope of a risk management program and establishing relevant internal and external context for achieving objectives;
- Purpose and process for risk identification;
- Methodologies and tradeoffs for effective risk analysis;
- Risk evaluation to consider the results of analysis, in light of stakeholder expectations and enterprise context, to determine appropriate risk response;
- Risk treatment through accountable implementation of the risk response selected;
- Monitoring and review of ongoing risk conditions at each organizational level; and,
- Tools, templates, and processes for continuous communications for risk management strategy, direction, achievement, and adjustment.
Section 3 - Introduction to the NIST Cybersecurity Framework
This section will describe the creation of the NIST Cybersecurity Framework (CSF) and the ongoing evolution of that model. The course will explain the unique conditions under which CSF was born, why it was included in a Presidential Executive Order, and why it continues to be supported by a collaborative global partnership.
- Events leading to the creation and updates to the Cybersecurity Framework;
- Uses and Benefits of the Framework;
- The CSF process for organizational communications and coordination;
- Framework Components (Core, Profiles, Implementation Tiers); and,
- NIST Supplemental Materials for applying the CSF (Success Stories, External Resources, Online Informative References (OLIR)).
Section 4 - Detailed Review of the Framework Core
This section provides a deep dive into the elements of the CSF Core. The Core is what defines the building blocks for planning, building, achieving, and monitoring successful cybersecurity outcomes. Because they are intentionally broad, it is helpful to review their purpose and definition. Because they were developed by committees, it is helpful to hear an insider clarify them. The section will also highlight some of the ways that organizations have adapted the Core.
- The Framework’s 5 Functions:
- Identify – Determine and document what resources are vital to enterprise mission, and a high-level understanding of threats and vulnerabilities;
- Protect – Define and document how best to protect those resources;
- Detect – Effectively detect and analyze emerging risks;
- Respond – Efficiently implement risk response in accordance with plans, training, and strategies; and
- Recover – Plan, execute, and document steps to recover from cybersecurity incidents, including necessary notifications, communications, and improvements.
- Explore each of the 23 Categories in detail, including review of CSF’s 108 Subcategories;
- Discuss the value of (and cautions regarding) changes to the CSF Core; and,
- Provide a demonstration of NIST’s Online Informative Reference (OLIR) Program.
Section 5 - Organizational Assessment through the Framework Implementation Tiers
The Framework Implementation Tiers are likely the most confused and misunderstood element of the CSF. This section will describe the background for this measurement model, ways that it has been used by various organizations, and potential methods for measuring plans and implementation of cybersecurity outcomes.
- Background and purpose of the Implementation Tiers;
- The components of the Implementation Tiers (Risk Management, Risk Process Integration, External Participation);
- The four Implementation Tier levels (Partial, Risk Informed, Repeatable, Adaptive); and,
- Parallel industry models for measuring process achievement.
Section 6 - Planning and Recording Organizational Outcomes through Framework Profiles
This section will review how to use and maintain various CSF profiles. Profiles represent the most important element of the CSF in that they enable communications about expectations for risk management, current security posture for a given organizational scope, information about risk-related observations, and plans for achieving target milestones. The instructor will share example profiles from NIST and from throughout industry to help students understand how profiles can be adapted and used for many risk management purposes.
- The purpose of the Profile CSF component;
- Examples of manual and automated profiles, including pointers to various templates;
- Discussion about how to measure plans and results;
- Methods for documenting the current state (“as-is”), the desired or target state (“to-be”), and interim milestones between those states; and,
- Considerations for measuring progress and recording that in profiles.
Section 7 - The Cybersecurity Framework Seven Step Process
While the components are the necessary building blocks for applying the CSF, this section will show how to apply the CSF’s implementation steps. These steps provide a process for applying the risk management approach described in Section 2, and they help to build a foundation for an organization-wide cybersecurity risk management program.
- Review of CSF Step 1: Prioritize and Scope;
- Review of CSF Step 2: Orient;
- Review of CSF Step 3: Create a Current Profile;
- Review of CSF Step 4: Conduct a Risk Assessment;
- Review of CSF Step 5: Create a Target Profile;
- Review of CSF Step 6: Determine, Analyze, and Prioritize Gaps;
- Review of CSF Step 7: Implement Action Plan; and,
- Demonstration of industry models that have helped to “put it all together” for ongoing cybersecurity risk communications and coordination through a common language.
Section 8 - Introduction to the NIST Risk Management Framework
This section provides information about the origin and evolution of the NIST Risk Management Framework (RMF). It briefly reviews various information security projects for the U.S. federal government and how they have become among the most-respected risk management approaches worldwide. The instructor will discuss how risk management processes (like assessment, control objectives, and monitoring) change in relation to the portion of the enterprise being managed, and how the risk processes are applied at each organizational level. The course will also explore methods and processes for ensuring effective communications among those levels.
- A brief history of the NIST FISMA Implementation Project;
- NIST's role in various cybersecurity initiatives;
- Introduction to NIST publications and standards;
- The Risk Management Framework seven step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor); and,
- Connections among Cybersecurity Framework steps, RMF steps, and other models.
Section 9 - Integration of CSF and RMF with Other Key Frameworks
This section will provide instruction regarding integration of the various frameworks described in the previous sections with other industry models, including many other valuable NIST frameworks. In particular, the course will include information about NIST’s increasingly valuable work in privacy engineering, and why privacy and security risk management are not equivalent. The instructor will also demonstrate how the NIST models can be integrated with other industry approaches to support holistic enterprise implementation.
- Integrating CSF, RMF, and the NIST Privacy Framework;
- Defining risk management activities through the work roles, tasks, knowledge statements, and skills statements of the NICE Workforce Framework;
- Leveraging other NIST Frameworks (e.g., Baldrige, Supply Chain, Software Development, Cyber Physical) to ensure a comprehensive risk management approach; and,
- Integrating NIST risk management with those from other worldwide organizations.
Section 10 - Applying NIST Frameworks to Real-World Cybersecurity
This section will conclude the course by reminding students that frameworks and models provide a type of scaffolding that enables, but is not wholly sufficient for, effective enterprise cybersecurity risk management. The instructor will share industry examples of how organizations are implementing and integrating cybersecurity risk management processes to help transition from theoretical understanding to real-world application.
- Integrating cybersecurity risk management (CSRM) in support of enterprise risk management (ERM), including review of NIST’s recent guidance on that topic (NIST Interagency Report 8286);
- Organizational assessments through integrated CSF/RMF templates;
- Processes for security planning through selecting and tailoring security and privacy controls;
- Integration of MITRE ATT&CK™ and Pre-ATT&CK into training, assessment, reporting, and monitoring;
- Reviewing Roles and Responsibilities from the CSF, RMF, NICE, and other models;
- Continuous monitoring and ongoing authorization / ongoing assessment; and,
- Applying the integrated approach to ensure holistic enterprise risk communications, coordination, and comprehension.