So, NIST just released the final draft of their Cybersecurity framework.
You can read it here, or I can give you a synopsis for now:
The federal government is concerned about the 16 critical infrastructure sectors identified by DHS. If you are in one of these sectors, the concern is that the collection of security tools you have and the security compliance activities that you do, do not add up to a totally comprehensive Cybersecurity program. If a nation state were to engage us in a cyber-war tomorrow, they would certainly target our critical infrastructure. That’s where the NIST CSF comes in. They provide a list of capabilities and goals that an organization should include in their Cybersecurity program. They provide a list of references to use to implement and achieve those capabilities and goals, and they provide a method for assessing and measuring yourself along the way.
I gave a webcast on this subject a few months ago if you’re interested, and will be giving an updated webcast with new material on March 13
Anyone familiar with RSA Archer would recognize that as a GRC platform, we are well-equipped for the sort of use case presented by the NIST CSF. So, in response we did two things:
- We consumed the mappings defined in the CSF between the security goals (called Categories and Subcategories ) and the references (called Informative References). This would provide the owners of the RSA Archer Policy Management solution with the core to build their own NIST CSF solution. [DEAD LINK /docs/DOC-32101]Here is a blog from Mason Karrer, our content strategist, on the subject.
- We built a proof of concept NIST CSF solution, which we will be showing at the RSA Conference in a few weeks. I will be giving demos at the RSA booth, so please stop by if you’re attending, and if you’re not registered to attend,
Thanks for tuning in, hope to see you at the RSA Conference
Email me with comments or questions