Critiquing NIST's Cyber Security Framework


Today, in the final stages of preparing the awareness module on "Security frameworks", I'm thinking and writing about the NIST Cyber Security Framework (CSF). For awareness purposes, there's no point describing and elaborating on the CSF in great detail, but I need to read and evaluate it in order to sum it up and comment meaningfully for our subscribers. I'm investing my time and effort partly on their behalf, partly for my own education: I'm interested in infosec standards, keen to discover NIST's take on 'cyber security', and on the lookout for good security practices.

So, indulge me for a moment as I talk you through the evaluation of just one small part of the CSF, specifically the core framework's advice on awareness and training (denoted "PR.AT", making it the prat section :-).
"The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity related duties and responsibilities consistent with related policies, procedures, and agreements."
Reading that paragraph literally and narrowly, precisely who are "the organization's personnel and partners"? The "organization's personnel" are presumably its employees ... but that's a presumption. "Employee" is legally defined in at least some jurisdictions. Are temporary workers, interns and so on included in or excluded from that category? It depends.

"The organization's ... partners" is even less clear and more open to interpretation: various third parties may or may not be included in that category. Does it mean 'business partners' only, for example joint venture partners with binding contracts in place? Or suppliers and customers? Consultants? Contractors? Owners/stockholders? Assorted authorities? The general public and society at large? Current and former partners, perhaps future ones too (e.g. potential partners currently in negotiation)? 

Hmmm. There are many possible concerns at this stage for those (like me) who are anal enough to critique the wording. Many users of the CSF will not even notice these issues, or if they do will gloss over them. Some may even actively exploit issues like these for their own advantage, or perhaps dismiss the entire CSF out of hand as "ambiguous and unhelpful".

The underlying issue I'm getting at here is common to most public security standards and advisories. There are several prospective audiences with a variety of expectations and interests, concerns and constraints. Most readers/users of the standards are not lawyers, and many are not trained or experienced in this area - which is precisely why some go looking to the standards for help. We all either seek or welcome easy answers, simple and elegant solutions to our immediate needs, without necessarily recognizing or accepting that the standards aren't written for us, personally. They are inevitably generalized or generic. They need to be interpreted, which in turn frees the authors from writing too narrowly and specifically but at the same time increases the risk of the standards becoming hand-waving, bland and unactionable. It's a fine line they tread.

NIST's approach in the CSF involves layered structures within the standard. The paragraph above is in fact one of 23 "categories", grouped under 5 "functions" (Identify, Protect, Detect, Respond, Recover). The structure reflects a process view of cybersecurity, a rough timeline relative to the point at which an incident occurs. That's certainly not the only way to structure the CSF but, presumably, it suits their purpose and has the cosmetic advantage of a balanced-looking outline (3 to 6 categories per function), even though the actual content is far from evenly spread: Protect alone carries 39 of the 108 subcategories, while Recover has just 6. Symmetry, for some obscure reason, seems to matter.

Moving further down into the structure, each of the 23 categories is broken into "subcategories" (brief outcome statements) accompanied by "informative references" to other standards. These are the five subcategories supporting the awareness and training category:
"All users are informed and trained (CIS CSC 17, 18; COBIT 5 APO07.03, BAI05.07; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.7.2.2, A.12.2.1; NIST SP 800-53 Rev. 4 AT-2, PM-13)"
"Users" there presumably refers to IT users. "Informed and trained" is not the ultimate objective of awareness and training, but the process or mechanism used to achieve the (unstated) objective. While admirably succinct, notice the total lack of details about the form or nature of the awareness and training activities, their content and topics, motivation, frequency, reception etc. The reader is left to figure all that out for themselves, perhaps exploring those cited resources for further advice. 
"Privileged users understand their roles and responsibilities (CIS CSC 5, 17, 18; COBIT 5 APO07.02, DSS05.04, DSS06.03; ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13)"
Again, readers have to interpret "privileged users" but at least this time the statement is somewhat closer to being an objective or intended outcome. 'Understanding' is helpful, yes, but doesn't achieve much in isolation unless people go on to comply with the requirements and fulfill the organization's expectations, which means behaving in certain ways, making sound decisions etc. The reader is left to flesh out all those unstated details. Easy enough for those of us who live and breathe this stuff, not so easy for readers who have come here for guidance.
"Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities (CIS CSC 17; COBIT 5 APO07.03, APO07.06, APO10.04, APO10.05; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.7.2.2; NIST SP 800-53 Rev. 4 PS-7, SA-9, SA-16)"
This statement takes even more interpretation. It's good of them to offer three examples of "third-party stakeholders", but there's no advice on those "roles and responsibilities" - no examples there. Given the context, the roles and responsibilities presumably relate in some way to cybersecurity, but what are they, even generally speaking? 
"Senior executives understand their roles and responsibilities (CIS CSC 17, 19; COBIT 5 EDM01.01, APO01.02, APO07.03; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13)"
I have the same concerns here as with the first supporting statement. Who are "senior executives"? Are senior, middle and junior managers excluded? What about team leaders, shift leaders, project managers and others? What are their roles and responsibilities, and is 'understanding' sufficient?
"Physical and cybersecurity personnel understand their roles and responsibilities (CIS CSC 17; COBIT 5 APO07.03; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2)"
Ditto. Let's make sure our 'physical personnel' understand what they're meant to be doing, eh?  :-)

Take another look at the overall PR.AT category statement, though: none of the five subcategories mentions, let alone elaborates on, its final clause, "consistent with related policies, procedures, and agreements". Which policies, procedures and agreements, and consistent in what sense, is left entirely to the reader.

There are similar issues with the cited sources: they are all generic and fairly high-level, needing to be interpreted (within their own contexts plus those of the organizations using them) and applied sensibly.

Summing up, the Cyber Security Framework, plus the other standards and methods it cites and more besides, all need to be interpreted carefully and applied sensibly to have any real value to a given organization. They are skeletal, the bare bones: simply add flesh and bring to life. If only it were that simple.