Cyber Security Framework Lacks Mitigating Controls and Cloud Security

Wednesday, December 11, 2013

Anthony M. Freed


The protection of the nation’s critical infrastructure naturally brings to mind most if not all of the sixteen critical infrastructure sectors that the National Institute of Standards and Technology’s (NIST) Preliminary Cyber Security Framework (CSF) is meant to serve – industries like energy, finance, healthcare, and transportation.

But what about the rapidly growing arena generally referred to as the cloud? Given the pace at which both government and the private sector are migrating mission-critical operations to managed service providers, should NIST take steps to identify cloud-based offerings as part of the nation’s critical infrastructure?

That’s just one of the issues being championed by Taiye Lambo (CISSP, CISA, CISM, HISP, ISO 27001 Auditor), president and founder of eFortresses and a security subject matter expert in the area of Information Security Governance, with 20+ years in IT and expertise in ISO 27000, COBIT, COSO, ITIL and NIST standards.

Lambo founded the UK Honeynet project, CloudeAssurance, and the Holistic Information Security Practitioner Institute (HISPI). Lambo also served on the Cloud Security Alliance (CSA) Quality Assurance (QA) team on behalf of HISPI for the development of the Cloud Controls Matrix (CCM).

According to Lambo, HISPI is an independent certification organization that provides training and professional certification in the integration of best practices for enterprise and cloud information security management, auditing and compliance requirements.

“The word cloud is only mentioned twice in the latest NIST CSF draft, and very casually at that,” Lambo said. “The Functions, Categories, Sub Categories in the latest NIST CSF draft do not specifically call out or even attempt to address cloud related risks.”

The CSF initiative was prompted by President Obama’s Executive Order 13636, issued in February of this year, and is set to be finalized by February 2014. It is designed to be a broadly applicable “living document” that allows for flexibility to accommodate a range of industries already subject to numerous regulatory mandates.

Intended to bolster cybersecurity for critical infrastructure assets, the CSF is being developed with the aid of several thousand security experts who have attended workshops or otherwise contributed to the draft, but according to Lambo it falls terribly short on the subject of cloud security.

CloudeAssurance, which Lambo describes as the industry’s first risk-intelligent rating and continuous monitoring system for assurance of cloud service providers’ security, governance, risk management and compliance, posed a question about cloud-related risks to the DHS panel at the very first Cyber Security Framework Workshop, held in Washington, DC, as far back as April.

“DHS’s response to this question on the panel discussion was that NIST and industry really should address cloud-related risks in the NIST CSF, so it was very disappointing to see that cloud-related risk has yet to be addressed in the latest NIST CSF draft,” Lambo said.

In addition to his concerns over cloud security issues, Lambo believes that the CSF in its current form neglects several critical mitigating controls, and as such lacks the comprehensive approach needed to keep the framework from becoming just another “check-box” compliance standard.

Lambo was part of a ‘Consortium of Experts’ made up of HISPI members that submitted a response to NIST’s Cyber Security Framework RFI back in May, advocating for the inclusion of some or all of HISPI’s Top 20 Mitigating Controls.

“Unlike the SANS Top 20 Critical Security Controls, which are mostly technical controls derived from NIST Special Publication 800-53, the HISPI Top 20 Mitigating Controls are based on publicly disclosed real-world security breaches due to control failures that occurred in 2012, and are derived from ISO 27001 Annex A controls,” Lambo said.


Lambo says the HISPI integrated framework approach utilizes an “Implement-Once-Comply-Many (I-O-C-M)” approach to compliance based on analytical methods and tools that create a comprehensive risk governance platform for both compliance and assurance.

“The controls are not merely technical controls, but are based on People and Process,” Lambo explained. “Weaknesses in People and Processes accounted for most of the publicly disclosed real world security breaches in 2012.”

Upon thorough review of the CSF draft, Lambo says that despite his efforts and those of others, many critical mitigating controls that correspond to the most common threats have not been included, much to his dismay.

“The very first draft of the CSF published in September mapped to the following 4 HISPI Top 20 Mitigating Controls A.7.2.1, A.8.1.1, A.8.2.2 and A.10.8.3 derived from ISO 27001 Annex A,” Lambo said. “However, the second draft published in October still only maps to the following 5 (one extra) HISPI Top 20 Mitigating Controls A.7.2.1, A.8.1.1, A.8.2.2, A.9.1.1 and A.10.8.3.”

Of the controls that the latest NIST CSF draft neglects, Lambo says there are three that are the most critical: A.10.9.1, A.10.9.2 and A.10.9.3 – the ISO 27001:2005 Annex A “Electronic commerce services” controls covering electronic commerce, on-line transactions and publicly available information. He argues they should be integrated because they account for the highest percentage of real-world security breaches documented in 2012.

The HISPI Framework integrates aspects of several other control frameworks, and Lambo says that means it is already well aligned with strategic aspects of the NIST CSF, and is not being proffered as an alternative, but that specific elements should be incorporated.

“The NIST CSF is already in alignment with the HISPI Framework because it seeks to leverage and harmonize most of the standards that the HISPI Framework is based on, so the issue of whether the HISPI Framework is better than the CSF does not even arise,” Lambo said.

The HISPI Framework has existed since the HISPI program was launched in March 2005, and Lambo says it is a proven framework that has kept more than 80% of the Global 1000 and Fortune 50 organizations, along with many government organizations, that have invested in it out of the headlines by preventing a major security breach or data loss.

“NIST should leave no stone unturned to ensure that it leverages all the great threat based research available by organizations like HISPI, to ensure that the final NIST CSF is not only comprehensive but efficient and effective at mitigating real world cybersecurity threats as intended,” Lambo asserted.

“I think based on the momentum the CSF development has gained in the past six months, something workable will be finalized by February of 2014, and like any framework or standard this final revision will still be work in progress. But it remains to be seen whether it will really be effective at mitigating real-world threats.”

“This is why I’m so determined and very passionate about ensuring that we get the NIST CSF right before the final revision is published, to ensure its effectiveness from the get go.”

Cross Posted from Tripwire's State of Security
