November 16, 2020

Last Updated on January 15, 2024

The US National Institute of Standards and Technology (NIST) is a global leader in standards development. While its mission is to serve the US public and private sector organizations, NIST’s efforts support and influence standards worldwide—especially for cybersecurity. 
But are US federal agencies getting “too much of a good thing”? Since a Trump executive order in 2017, they’ve had to comply with NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, and the NIST Cybersecurity Framework (NCSF). 

Is there a way to streamline compliance around NIST SP 800-53 and the NCSF?

On a recent episode of The Virtual CISO Podcast, host John Verry, Pivot Point Security’s CISO and managing partner, got firsthand insight into that question. His special guest, Dr. Ron Rossis “uniquely qualified” to illuminate that topic as he heads development of NIST’s cybersecurity and privacy publications.
As Dr. Ross put it, “As they say at NASA, ‘Houston, we have a problem…’ because we’ve got two frameworks now.”
So the private sector had one framework [NCSF], which was voluntary,” continues Dr. Ross. “Now the feds have two frameworks and they’re both mandatory. So we had a little bit of an issue here. It’s not a bad problem. In fact, it turned out rather well and we’re still working on that resolution. 
When we updated the Risk Management Framework [RMF, aka NIST 800-37in 2018, we said, ‘How can we use the best concepts in both of these frameworks?’ recalls Dr. Ross. In other words, the frameworks are different: one is a risk management framework, one is a cybersecurity framework, but they both have strengths and weaknesses.

“The strength of the [NCSF] is in its simplicity,” clarifies Dr. Ross. “You’ve got the five top-level functions, namely Identify, Protect, Detect, Respond and Recover. Under each of those you have the categories and subcategories, and then the information references—which actually reference the different security control sets from around the world… So it’s a big tree structure…”



That’s a great way to communicate with senior leaders, because look, you’re not going to get a senior leader to understand the details of NIST 800-53,” Dr. Ross points out. “But what they can understand is the cybersecurity framework. And if you don’t have senior leadership understanding your involvement in cybersecurity, nothing good is going to happen downstream in that organization.  
So the huge contribution of the NCSF, whether you’re public or private sector, is it allows senior leadership to understand the problem,” Dr. Ross adds. “And it gives them a vehicle on how to start to execute. So in NIST 800-37, Revision 2, we took the NCSF apart and we actually have little tag pointers to every task in the RMF where it relates back to a specific part of the NCSF. And that’s hoping to get our agencies to use both frameworks.”

How would that look?

Dr Ross shares: “For example, you create a profile, you have a starting state in your framework, and then you have your goal state. That starts to sound a lot like my control selection process: I build a profile of what I would like to achieve in my organization with regard to cybersecurity, and that can actually form the basis of my security plan or my control selection process.
“So we talk about in our RMF 2.0, how can you actually do that, and use both frameworks together? We don’t just use the baselines anymore to do our control selection. Because of our engineering guidance documents, you can now drive your control selection from an engineering-based approach as well. 
Let’s say you’re building a new system, and you’re going through all the requirements engineering at the front into that. Once you get your set of system level requirements, where a subset of those are designated as security requirements, you can then specifically take those requirements and map those to specific controls, which can be implemented to satisfy those requirements. 
It’s a top-down driven process based on good systems engineering. Or you can go back to the enterprise approach at take the Moderate/Low/High baseline and do tailoring,” Dr. Ross summarizes. “Or you can use the NCSF. … Pick a framework that you feel comfortable with, but make sure once you’ve got that you do a good job of executing. We’ve got a whole set of tools in our toolbox to help our customers do that.

John Verry reframes: “So basically it’s two paths that should lead to ultimately the same destination. And depending on which one works best for you, the advantage with the NCSF is I think it’s a little simpler for people to communicate and understand. … I think the other advantage is you really made it very, very simple to cross-reference it to another good group of well-regarded controls. … That is really pretty helpful.”



Does your organization need to comply with, or leverage, NIST cybersecurity guidance? Then you won’t want to miss this podcast with Dr. Ron Ross at NIST. 
To hear the complete episode featuring Dr. Ross, and also accessthe rest of our cybersecurity podcast stash, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can access all our episodes here.

New CMMC V2 Certification Guide

A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.