Integrating NIST cybersecurity for business applications into existing management system processes requires specialized implementation. This is of special concern for organizations involved in contracting with the Department of Defense (DoD) that are adopting NIST SP 800-171 to meet Cybersecurity Maturity Model Certification (CMMC) requirements.
A major issue in this integration is that the NIST cybersecurity framework was originally designed for U.S. Government federal agencies. These agencies do not share the organizational challenges in managing information security that businesses face. Businesses must balance a wide array of risks, including quality and regulatory risks, within a cohesive management system. To address these concerns, NIST has released a series of reports on cybersecurity risk management methodologies applicable to Enterprise Risk Management (ERM) systems.
NISTIR 8286 Reports
NIST Interagency or Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), is a series of three documents that provide guidance in establishing and maintaining a systematic approach to risk guidance, identification, and analysis applicable to business management systems. Central to these reports is the differentiation between the roles of enterprise-level management and cybersecurity risk management. It emphasizes the need for cooperation and collaboration among all parties in the establishment and operation of a Cybersecurity Risk Management System (CSRM).
It describes a system whereby senior management provides a framework complete with scope, internal and external context, and essential requirements from stakeholders. The CSRM is then tasked with controlling these risks and monitoring them in a Monitor, Evaluate and Adjust (MEA) cycle.
NISTIR 8286 goes further by describing an ongoing, systematic approach to reporting findings back to Enterprise Risk Management. This allows stakeholders to be notified of the status of the program and of the evaluation of information security risks. During this evaluation process, adjustments are made to the organization's approach to risk management to better address the dynamic requirements of the organization.
NISTIR 8286A provides guidance for risk context, scenario identification, and determination of the impact and likelihood of occurrence for those risks. It utilizes Cybersecurity Risk Registers (CSRR) and Risk Detail Records (RDR) to aid in identifying and managing these risks.
NISTIR 8286A describes the need for senior management to establish the scope, context, and criteria of the program. It further describes the establishment of organizational structures, processes, and business systems relevant to accomplishing these mission objectives.
NISTIR 8286B provides guidance for organization- and system-level management to assign risk ownership, define specific risk descriptions, determine a response cost, and assign a priority to those risks. Topics covered in this report include risk avoidance, risk transfer, risk mitigation, risk response, risk strategy, and implicit acceptance of risk.
At the time of this post, NISTIR 8286C is published as a draft, although the public comment period has closed. This report describes methods for integrating information from the CSRM so that it can inform senior management and be implemented in the organization's overall risk management process. It emphasizes a continuous process for adjusting risk strategy and management activities.
ISO 27001:2013 Information Security Management System
ISO/IEC 27001:2013 is an international standard and widely accepted specification for an Information Security Management System (ISMS). The role of an ISMS is to preserve the confidentiality, integrity, and availability of information. It accomplishes this task by applying risk management processes. An effectively tailored program can meet this challenge because it is part of the organization's processes and management structure.
This standard provides the mechanisms and processes laid out in NISTIR 8286 and allows for an appropriate implementation of NIST cybersecurity for businesses. When properly implemented, it also provides processes for continual improvement.
Implementation of an effective ISMS requires an assessment of the organization’s objectives, security requirements, and organizational processes. These assessments include a consideration of the size and structure of the organization so that the ISMS is scaled to meet the needs of the organization.
Once these influencing factors have been defined, a risk assessment can be conducted. This process should:
- identify the information security risks
- identify the risk owners
- assess the potential consequences of an undesired occurrence
- assess the realistic likelihood of the occurrence
- determine the levels of risk
- establish priorities for treatment of the risk (e.g. implementation of information security controls)
CVG Strategy Information Security Management System Consultants
To assist businesses in meeting the challenges of adopting CMMC programs, CVG Strategy has developed an approach that combines the compliance requirements of CMMC 2.0 with the ISO 27001 information security management system. This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.
We can help you meet your information security management system goals. CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors. We can provide the training required to understand and engage in an ISMS and make it meet desired objectives. This process includes defining the context of your organization, creating internal auditing processes, and much more.