The Cybersecurity Framework is helping agencies, but there's room for improvement
The world was a different place when the National Institute of Standards and Technology introduced the first version of its Cybersecurity Framework in 2014. Yes, there were some noteworthy intrusions in the mid-2000s, such as the attack on the Department of Veterans Affairs in 2006. However, when the Framework was issued, some of the most infamous breaches in government history -- including the massive hack of the Office of Personnel Management in 2015 -- were yet to come.
Since 2014, foreign and domestic hackers have become ever more resourceful and creative, and the potential for damage to government systems has risen. Today, the cybersecurity landscape is seemingly evolving in real time, and federal IT professionals are striving to keep pace.
The Framework seems to be helping, at least somewhat. Forty-five percent of respondents to a recent SolarWinds federal cybersecurity survey stated that the Framework has been successful in promoting a dialog about ways to better manage risk. Unfortunately, only six percent of respondents strongly agreed that they fully understood the Framework.
This raises the question of whether the Framework has actually changed agencies’ cybersecurity posture for the better. The answer is yes… but with some caveats.
Discussions about risk are ongoing…
The fact that the Framework has spurred a dialog around risk is certainly a positive. Federal IT professionals are talking about the various threats that are out there -- not just in terms of foreign bad actors, but of potential insider threats within their own organizations. Active discussion can lead to awareness, and awareness can lead to action. Even if federal IT professionals do not fully understand the Framework, simply talking about the repercussions their agencies could experience if they do not implement at least some of the Framework’s more than 900 controls is a step in the right direction.
… but response and recovery is lagging
Although by some accounts the Framework has been successfully adopted, many agencies have not been able to successfully implement all of its “core functions.” While many teams have found success with the Framework’s first three functions (Identify, Protect and Detect), they are lagging on the final two (Respond and Recover). In fact, according to respondents to the SolarWinds federal cybersecurity survey, a large portion of federal IT professionals feel their agencies are not at all mature in either of these areas.
This indicates that agencies have been successful in using the Framework to keep potential intruders out but have problems responding to and recovering from events that may slip through the cracks. That weakness will obviously pose a challenge as hackers get better at exploiting the security protocols that agencies have put in place. Inevitably, something will get through.
A focused approach needed
Agency IT professionals must be able to shore up their response and recovery efforts to help ensure that when an attack does happen, they can mitigate its effects in a timely and effective manner. To implement appropriate and sound response and recovery tactics, IT professionals must simplify their approach to the Framework and home in on the controls that will help their agencies become more resilient.
Each core function of the Framework is defined by categories, which NIST describes as “outcomes closely tied to programmatic needs and particular activities.” Examples for the Respond and Recover core functions include analysis, mitigation and communications. It is incumbent upon federal IT teams to focus on and address these outcomes. They can do this by implementing controls and strategies that allow them to analyze data pertaining to a potential attack, immediately communicate information about the attack and automate responses.
Network and security monitoring tools, particularly those dedicated to continuous security and event management, play a vital role in this effort. However, beyond simply detecting an event, systems must be able to deliver forensic data that provides deeper intelligence into the hack. Those systems should also be able to automate responses so that event mitigation occurs almost instantaneously and without human intervention, which can take time and impede a rapid response.
Effective IT controls such as these have demonstrated success in enhancing agencies’ overall security postures. Survey respondents overwhelmingly indicated that excellent controls helped in all core functions of the Framework, including Respond and Recover.
The conclusion is that the NIST Cybersecurity Framework has engendered some success, but there is much more that can be done, particularly in the Respond and Recover functions. Teams have laid the groundwork for success in the first few core functions. Now, they must take strides to ensure that their ability to rebound from an attack measures up to their ability to prevent one.
Joe Kim is executive vice president of engineering and global CTO at SolarWinds.