Compliance (DFARS, RMF, SOX, GDPR, PII, PCI...) starts with the basics

It is impossible to declare success without first defining what success is. There is no shortage of passion among cybersecurity professionals, whether they focus on cyber policies and controls or on cyber operations; each group works to strengthen the security of its environment. Organizations dealing with regulated environments can benefit from the definitions and use case below.

The challenge in the industry: do our efforts result in a compliant data center and services, and are we making it more difficult for cyber criminals?

For some environments, settling on a defined set of cyber controls and a cyber policy can be a daunting task. There are thousands of controls; within the US Department of Defense alone there are lingering controls from DoD 8500, agency-specific controls and policies, and other controls and policies, all attempting to align with NIST 800-53 and other NIST standards.

How do we accurately categorize our specific needs and develop control language that satisfies our requirements (RMF Steps 1-3)?
A cyber control is an objective together with the implementation of that objective within the environment. A cyber control is very specific in its objective, for example encryption, insider threat, or physical security. Cyber controls are often published by industry control bodies.

A security framework is a collection of cyber controls whose control language meets the unique needs of a business vertical. Examples include NIST for the US government, ISO for manufacturing, FDIC for banking, SANS for corporations, and many others not listed here.

A cyber policy is a foundational effort, the starting point for accountability within cyber operations. A cyber policy is the collection of cyber controls into an actionable state. Throughout the US Government, a cyber policy is frequently referred to as an Authority to Operate, or ATO. Cyber policies are frequently confused with industry security frameworks of controls. For example, DFARS, a standard established for contractors serving the US Department of Defense, is a derivative of controls found within NIST. It is not uncommon to have multiple cyber policies, each specific to an organizational outcome. Within RMF, ATOs may be focused on human resources, the S3, and Units, Brigades, Battalions and Companies, to name a few examples.

A crosswalk is a mapping between multiple security frameworks. Many controls across security frameworks are very similar, and the crosswalk enables organizations to see "like" controls side by side.

Cyber control objective. The cyber control objective states the desired outcome related to the control.

Cyber control implementation. Using the cyber control objective as the guide, the control is "implemented" within the environment. Implementation requires technical expertise to fulfill the guidance provided in the implementation and control language.
Use case example: 508 compliance and RMF

For DoD environments with specific regulations that must be satisfied, for example 508 compliance, an established set of standards is available. There are hundreds of applications that will review our websites and analyze our files, producing a visual representation of how well we comply with the defined policy.

If we are unable to make the rules and policy actionable, we can find ourselves spending more time than we have to become compliant, or accepting that compliance is out of reach. In a world defined by compliance with policy, often initiated by organizations unfamiliar with information technology, becoming compliant now and in the future will become progressively more difficult.

The challenge: how do we become actionable in meeting requirements and policy such as the Risk Management Framework? Like 508 compliance, the Risk Management Framework is grounded in strategy, objectives, and the world's most extensive set of controls, found in NIST 800-53 and other NIST publications.

DoD organizations require flexibility in the type of controls implemented within their environments, yet the number of options available can be overwhelming. For many of us, when we become overwhelmed we fall back on practices that have been successful in the past, although the practices of the past are difficult to mold to the future. Success will be found beyond our processes of today: we must make cyber controls and policies accountable.

TechnologyMilestones can help. See our solutions. See multiple videos on the topic at:
