Cybersecurity for Defense: Cisco Supports the NIST Risk Management Framework
In our Cybersecurity for Defense Blog Series Kickoff, Peter Romness mentioned that we at Cisco are hard at work delivering advanced cybersecurity capabilities that support the Department of Defense Cyber Strategy. That’s certainly true, and each blog in our series will further that point. But it’s about more than just products and services. It’s also about understanding and acting on key concepts of cybersecurity risk management. Our approach to cybersecurity – and everything we do – has deep roots in cyber best practices. How? Let’s take a closer look.
A key part of DoD Cyber Strategy is captured in Strategic Goal II: Defend the DoD Information Network, Secure DoD Data, and Mitigate Risks to DoD Missions. To improve accountability and responsibility for data protection, the DoD will act “in a manner consistent with known standards for protecting data from cyber adversaries, to include standards promulgated by the National Institute of Standards and Technology (NIST).”
The DoD recently started down the path toward NIST alignment. Back in March 2014, then-CIO Teresa Takai issued DoD Instruction 8510.01 entitled “Risk Management Framework for DoD Information Technology.” This instruction was an important policy change, since it shifted the risk management process from the legacy DoD Information Assurance Certification and Accreditation Process (DIACAP) toward the NIST Risk Management Framework (RMF). This brings the DoD into better alignment with the rest of the federal government as well.
The NIST RMF is actually a pretty big topic. To keep things short, the RMF proposes a six-step risk management process, with a companion NIST guide for each step:
- Categorize information system (NIST SP 800-60)
- Select security controls (NIST SP 800-53)
- Implement security controls (NIST SP 800-160)
- Assess security controls (NIST SP 800-53A)
- Authorize information system (NIST SP 800-37)
- Monitor security controls (NIST SP 800-137)
Selecting the security controls in Step 2 is particularly challenging, since NIST SP 800-53 is a comprehensive catalog that contains hundreds and hundreds of controls grouped into eighteen control families. The document alone is over 450 pages. So figuring out where to start can be a daunting task, even for highly capable organizations like the Department of Defense.
But it doesn’t have to be.
At Cisco, we’ve already aligned all of our cybersecurity products with NIST 800-53, taking the guesswork out of where each solution fits. And Cisco Advisory services is staffed with strategy and risk management experts who can assess the organization, develop the action plan, and help to implement it, all in accordance with the NIST Risk Management Framework. It’s just one example of how we think in terms of best practices, and how we have the right capabilities that support the DoD Cyber Strategy.
As Peter said, stay tuned. We’ll continue to discuss use cases and Cisco solutions that are helping the DoD implement its cyber strategy, and each one of them has deep roots in cybersecurity best practices.