DIG IT AWARD FINALIST: CYBERSECURITY
A better way to build on the NIST framework
- By Stephanie Kanowitz
- Oct 05, 2017
Joshua Lubell, a computer scientist at the National Institute of Standards and Technology, was getting tired of toggling back and forth between the agency’s Cybersecurity Framework and Special Publication 800-53 as he worked on the Cybersecurity for Smart Manufacturing Systems project. To make the two documents easier to apply together, he created Baseline Tailor, an application that lets users work from the framework to specify the security posture they want and then tailor the subset of SP 800-53 security controls needed to achieve it.
“The Cybersecurity Framework has this top-down organization where there are these five principal cybersecurity activities and then outcomes based on those activities and then sub-outcomes based on those outcomes,” Lubell said. “And then at the bottom of the hierarchy are these pointers to other sources of guidance, one of which is the 800-53 security control catalog.”
He added that “what we needed to do was relate that top-down hierarchy with the more bottom-up organization of 800-53, which has this comprehensive catalog of security controls. There are hundreds of them, and each control can be tailored according to a methodology that’s spelled out in 800-53.”
Baseline Tailor users start by clicking the Cyber Framework tab in the graphical user interface and choosing a function and its subcategories. That selection reveals the related SP 800-53 security controls. To tailor them, users click the needle-and-thread icon, which opens the Security Control Editor tab. From there, users can set the baseline impact level of each control to low, moderate or high.
“Then it builds this XML representation for you, and then you can take that XML representation and use it elsewhere,” Lubell said.
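The workflow described above, reduced to its data model, as an added illustration (this is not Baseline Tailor's own code, and the XML layout is invented for the example, not the tool's schema). A framework subcategory points at a set of SP 800-53 controls; choosing a baseline impact level then decides which of those controls, and which of their enhancements, are carried forward; the result is serialized as XML for use elsewhere. The two lookup tables are small hand-entered samples drawn from the CSF informative references and the SP 800-53 Rev. 4 baseline allocations; verify them against the current catalog before relying on them.

```python
"""Model of tailoring SP 800-53 controls from a Cybersecurity Framework
subcategory at a chosen baseline impact level, then emitting XML.

Added example; not Baseline Tailor's code or its XML format. The mapping
tables are sample data to be checked against the CSF informative references
and SP 800-53 Rev. 4 Table D-2.
"""
import xml.etree.ElementTree as ET

BASELINES = ("low", "moderate", "high")

# CSF subcategory -> SP 800-53 controls it references (sample data).
SUBCATEGORY_TO_CONTROLS = {
    "ID.AM-1": ["CM-8", "PM-5"],   # physical devices and systems inventoried
    "PR.AC-1": ["AC-2", "IA-2"],   # identities and credentials managed
}

# Control -> baseline -> enhancement numbers selected at that baseline
# (sample data from the Rev. 4 baseline allocations). An empty list means
# the base control is selected with no enhancements; None means the control
# is not allocated to that impact baseline at all. PM-5 is a program
# management control, which Rev. 4 does not allocate to impact baselines,
# so tailoring purely by impact level drops it.
CONTROL_BASELINES = {
    "CM-8": {"low": [], "moderate": [1, 3, 5], "high": [1, 2, 3, 4, 5]},
    "PM-5": {"low": None, "moderate": None, "high": None},
    "AC-2": {"low": [], "moderate": [1, 2, 3, 4],
             "high": [1, 2, 3, 4, 5, 11, 12, 13]},
    "IA-2": {"low": [1, 12], "moderate": [1, 2, 3, 8, 11, 12],
             "high": [1, 2, 3, 4, 8, 9, 11, 12]},
}


def tailor(subcategory, baseline):
    """Return [(control_id, [enhancement numbers])] for the subcategory at
    the given baseline. Controls that have no allocation at that baseline
    are omitted; unknown inputs raise rather than silently yielding nothing."""
    if baseline not in BASELINES:
        raise ValueError(f"baseline must be one of {BASELINES}, got {baseline!r}")
    if subcategory not in SUBCATEGORY_TO_CONTROLS:
        raise KeyError(f"unknown subcategory {subcategory!r}")
    selected = []
    for control in SUBCATEGORY_TO_CONTROLS[subcategory]:
        enhancements = CONTROL_BASELINES[control][baseline]
        if enhancements is None:
            continue  # not allocated at this impact level
        selected.append((control, list(enhancements)))
    return selected


def to_xml(subcategory, baseline):
    """Serialize the tailored selection as XML (element names are invented
    for this example). Returns the document as a string."""
    root = ET.Element("tailored-baseline",
                      subcategory=subcategory, impact=baseline)
    for control, enhancements in tailor(subcategory, baseline):
        node = ET.SubElement(root, "control", id=control)
        for number in enhancements:
            ET.SubElement(node, "enhancement", id=f"{control}({number})")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for level in BASELINES:
        print(level, tailor("ID.AM-1", level))
    print(to_xml("PR.AC-1", "moderate"))
```

Raising the impact level only ever adds enhancements in these tables, which is the property to check when extending the sample data: a control selected at low should still be selected, with a superset of its enhancements, at moderate and high.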
Other agencies are taking note. NASA is using the tool for its Space Apps Challenge, and more are likely to follow suit now that President Donald Trump’s cybersecurity executive order (Executive Order 13800, May 2017) directs federal civilian agencies to use the framework in conjunction with SP 800-53.
“I would expect that at least some people are going to want to use Baseline Tailor to do this,” Lubell said.
Stephanie Kanowitz is a freelance writer based in northern Virginia.