NIST Assessment and Cybersecurity Roadmap for Large County
Updated: Dec 18, 2022
A large county that provides critical services to more than a million citizens needed to evaluate its state of readiness against cyber attacks, such as ransomware. The county had never conducted a comprehensive cybersecurity assessment and wanted an expert partner to step in and spearhead the assessment, analysis, and remediation. Strategic Alliance Consulting (SAC) was already leading the penetration testing for the county and recommended a NIST Cybersecurity Framework (NIST CSF) assessment to identify the gaps in its governance, risk management, and compliance policies and procedures.
NIST Assessment Solution
SAC utilized its proprietary methodology and quickly deployed an expert team to implement the standardized NIST assessment, which included the following steps:
Interview the stakeholders & identify existing policies and procedures
Study and analyze the data to identify any gaps
Develop Strategic and Tactical Recommendations
Document a 12-month Cybersecurity Roadmap
Review the results and recommendations with the technical and executive team
The NIST Assessment measured compliance across five functions and 23 categories, which included:
Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
Identity Management, Authentication, and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
Awareness & Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
Anomalies and Events (DE.AE): Anomalous activity is detected, and the potential impact of events is understood.
Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).
Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities.
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
NIST Assessment Results
After several weeks of work, SAC concluded that the county was partially compliant in 19 of the 23 categories and non-compliant in 4. SAC’s team provided recommendations for:
New programs or overhauls in areas like Incident Response, Risk Management, Vendor Management, Business Continuity / Disaster Recovery, and Security Training
Formal policies / procedures and documentation to promote cybersecurity maturity
Improved communications and oversight across departments
The final component of the project was the 12-month NIST compliance roadmap which included a schedule for planning and remediation of the identified compliance issues, and milestones for benchmarking and continual cybersecurity improvement.
Thanks to the NIST assessment, the county was now armed with the knowledge and framework to continue to mature its cybersecurity posture across its infrastructure, people, and processes.