NISTIR 8170 Approaches for Federal Agencies to Use the Cybersecurity Framework
Hello, this is Mitsuhiko Maruyama.
NIST has published NISTIR 8170 Approaches for Federal Agencies to Use the Cybersecurity Framework. I suppose it is positioned as a tool for implementing the Cybersecurity Framework...
●NIST ITL
・2020.03.19 NISTIR 8170 Approaches for Federal Agencies to Use the Cybersecurity Framework
・[PDF] NISTIR 8170 (DOI)
=====
Abstract
The document highlights examples for implementing the Framework for Improving Critical Infrastructure Cybersecurity (known as the Cybersecurity Framework) in a manner that complements the use of other NIST security and privacy risk management standards, guidelines, and practices. These examples include support for an Enterprise Risk Management (ERM) approach in alignment with OMB and FISMA requirements that agency heads “manage risk commensurate with the magnitude of harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of a federal information system or federal information.” The use of the Cybersecurity Framework’s components enables discussion about the various types of risk that might occur within federal organizations and promotes conversations about how to determine the likelihood and potential consequences of risk events. These activities can then be combined with those described in NIST Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations; SP 800-39, Managing Information Security Risk; and other guidelines to form a comprehensive risk-based approach for security and privacy.
This risk-based approach will assist agencies in determining the risks that are relevant to their mission throughout the operational lifecycle and in applying an appropriate type and degree of resources to treat those risks to an acceptable level. Examples in this publication will demonstrate the use of the Cybersecurity Framework, the NIST Risk Management Framework (RMF), and other models to evaluate and report agency goals and progress and to inform tailoring activities for managing cybersecurity risk appropriately. Use of a comprehensive cybersecurity risk-based approach, as demonstrated through these examples, supports agencies’ activities to meet their concurrent obligations to comply with the requirements of FISMA and Executive Order (EO) 13800.
Executive Summary
All federal agencies are entrusted with safeguarding the information contained in their systems and ensuring that those systems operate securely and reliably. It is vital that agency personnel at all levels manage their assets wisely and address cybersecurity risks effectively. To do that, agencies need a holistic approach to their enterprises’ risk management that includes timely, streamlined approaches and automated tools.
As part of its statutory responsibilities under the Federal Information Security Management Act as amended (FISMA), the National Institute of Standards and Technology (NIST) develops standards and guidelines—including minimum requirements—to provide adequate information security for federal information and information systems [1]. This suite of security and privacy risk management standards and guidelines provides guidance for an integrated, organizationwide program to manage information security risk.
NIST produced this report to assist federal agencies in strengthening their cybersecurity risk management processes by highlighting example approaches for implementing the Framework for Improving Critical Infrastructure Cybersecurity (known as the Cybersecurity Framework) [5].
Developed by NIST in close collaboration with private and public sectors, the Cybersecurity Framework is a risk-based approach used voluntarily by organizations across the United States.
Initially developed to address cybersecurity challenges in the Nation’s Critical Infrastructure (CI) sectors, the voluntary Framework is used by a variety of organizations across the world. The Cybersecurity Framework aligns with and complements NIST’s suite of security and privacy risk management standards and guidelines.
This report illustrates eight example approaches through which federal agencies can leverage the Cybersecurity Framework to address common cybersecurity-related responsibilities. By doing so, agencies can integrate the Cybersecurity Framework with key NIST cybersecurity risk management standards and guidelines that are already in wide use. These eight approaches support a mature agency-wide cybersecurity risk management program:
- Integrate enterprise and cybersecurity risk management
- Manage cybersecurity requirements
- Integrate and align cybersecurity and acquisition processes
- Evaluate organizational cybersecurity
- Manage the cybersecurity program
- Maintain a comprehensive understanding of cybersecurity risk
- Report cybersecurity risks
- Inform the tailoring process
The key concepts and cybersecurity approaches described in this document are intended to promote more effective risk management and to encourage dialogue within and among federal agencies.