9.2 NIST Resources
NIST Risk Management Framework (RMF)
The NIST RMF (NIST. Risk Management Framework (RMF) Overview) provides a foundational process that integrates security and risk management activities into the system development life cycle and brings many of the NIST documents together into an overall approach to managing risk. The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. (Ibid.)
CIOs must conduct program portfolio reviews as part of CPIC to ensure that all programs and the CIO are meeting the requirements of FITARA. This includes a CIO evaluation report to OMB for major IT investments: mission delivery and mission support services investments, and standard IT services investments that pertain to IT infrastructure, IT security, and IT management. CIO evaluations can also be provided for other investment types at the CIO's discretion.
NIST publishes and creates archives of standards, guidelines, recommendations, and research relating to the security and privacy of information and information systems.
Some examples include:
- Federal Information Processing Standards (FIPS) – FIPS establish mandatory requirements for information processing.
- NIST Special Publications (SPs) – SPs provide guidance for developing agency-wide information security programs, including guidelines, technical specifications, recommendations, and reference materials. NIST SPs comprise multiple sub-series:
  - The NIST SP 800-series focuses on computer security, and
  - The NIST SP 1800-series provides cybersecurity practice guides.
- NIST Internal or Interagency Reports (NISTIRs) – NISTIRs are reports of research findings, including background information for FIPS and SPs.
- NIST Information Technology Laboratory Bulletins (ITL Bulletins) – ITL Bulletins are monthly overviews of NIST's security and privacy publications, programs, and projects.
NIST Cybersecurity Framework (CSF)
The NIST CSF is a tool originally developed for the private sector; under Executive Order 13800, agencies must use it to manage cybersecurity risk. The CSF can serve as the foundation for a new cybersecurity program or as a mechanism for improving an existing program.
An organization can use the CSF as a key part of its systematic process for identifying, assessing, and managing cybersecurity risk. It can help an organization determine which activities are most important to critical service delivery, prioritize expenditures and maximize the impact of investment. The CSF is designed to complement existing business and cybersecurity operations. It provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization’s cybersecurity practices. It also provides a general set of processes for considering privacy and civil liberties implications in the context of a cybersecurity program.
The CSF consists of three parts: the CSF Core, the CSF Profiles and the CSF Implementation Tiers. The CSF Core is a set of cybersecurity activities, outcomes and informative references that are common across organizations, organized under five Functions (Identify, Protect, Detect, Respond and Recover), and provides detailed guidance for developing individual organizational profiles. CSF Profiles help the organization align its cybersecurity activities with its business requirements, risk tolerances and resources. The CSF Implementation Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.
OMB and DHS have organized the CIO FISMA metrics around the Cybersecurity Framework, leveraging it as a standard for managing and reducing cybersecurity risks and using the core functions to organize the information agencies must submit.
National Initiative for Cybersecurity Education (NICE) Framework
The NICE Cybersecurity Workforce Framework (NICE Framework) (US-CERT. NICE Cybersecurity Workforce Framework) is led by NIST at the DOC. The NICE Framework provides a common language, set of classifications, and vocabulary for describing cybersecurity work and the people who perform it. It is meant for a variety of audiences, including employers, current and prospective job holders, and academic advisors.
The NICE Framework includes the following:
- Categories (7) – High-level clusters of common cybersecurity functions
- Specialty Areas (33) – Specific areas of cybersecurity work
- Work Roles (52) – The most detailed groupings of cybersecurity work, describing what someone must know and be able to do to fulfill a job function
- Capability Indicators – The education, certification, training, experiential learning and continuous learning that help someone succeed in a Work Role (Ibid.)