i3 Design and Consulting LLC
Inspire - Imagine - Improve

News

Musings.

Part Four: Leveraging ISO 27000 to address FISMA and NIST 800-53 cyber security requirements

This article is forth in an informational series exploring details of various implementation scenarios and the unique challenges of ISO and CMMI implementation in the U.S. contractor environment. 

  • Part One: Common Challenges for Implementing in a U.S. Government Contractor Environment.
  • Part Two: Implementing ISO and CMMI for Staffing Services Contractors
  • Part Three: Implementing CMMI and Government Requirements in an Agile Development Shop
  • Part Four: Leveraging ISO 27000 to Address FISMA and NIST 800-53 Cyber Security Requirements
  • Part Five: Implementing ISO 20000 as a Practical Path to Address Government ITIL Implementation Requirements.

Part Four will discusses how organizations that have implemented ISO 27000 can use their existing information security system to address NIST Cybersecurity Framework requirements, such as NIST SP 800-53 and NIST SP 800-171. 

Over the past five years, many U.S. government contractors have invested in ISO 27000 certifications.  Whether to create a business differentiator improve information security, or both, many have certified systems that can be leveraged to meet requirements of the NIST Cybersecurity Framework (CSF).   

The CSF was originally intended for U.S. companies considered part of U.S. critical infrastructure (e.g., communication, information technology, defense industrial base, etc.).  Many other companies, especially service companies, have had limited interaction with CSF because they didn't operate systems requiring independent NIST SP 800-53 based FISMA or FedRAMP accreditations.  With high profile cyber incidents on the rise, CSF implementation requirements are becoming more frequent for government contractors.

On December 30, 2015, DoD amended both DFARS 252.204.7008 (Compliance with Safeguarding and Covered Defense Information Controls) and DFARS 252.204.7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) giving contractors until December 31, 2017 to fully implement all NIST SP 800-171 requirements on the covered contractor information system. Notwithstanding the 12/31/2017 phase-in period, contractors must notify DOD within 30 days after contract award “of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award”. The NIST SP 800-171 organizes requirements into 14 families, with each family containing basic security requirements derived from both NIST SP 800-53 and FIPS 200.

Leveraging ISO 27000 Investments

Although internationally recognized and the de facto information security standard, ISO 27001 is not the definitive answer for information security.  The NIST Cybersecurity Framework (CSF) provides detailed IT security controls but doesn't necessarily address broader information security issues or provide a holistic management approach.  To maximize the effectiveness of a security implementation, the system should effectively deal with challenges like limited resources, organizational alignment, and higher expectations from customers and other interested parties.  At the same time, it should have a robust set of operational and management controls.  Combining ISO 27000 and the CSF achieves both.  TOgether they enable more reliable and cost-effective results in the implementation, management, operation of security controls, optimization of resources, and improvement of business results.

Key similarities

Both ISO 27000 and CSF are driven by implementing security controls.  A detailed mapping of the common controls is found in the NIST 800-53 Appendix, but here's a brief summary of the control similarities:

ISO 27000

NIST CSF

A.5 – Information security policies

Governance

A.6 – Organization of information security

Asset Management; Governance; Risk Assessment; Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Detection Processes; Communications

A.7 – Human resource security

Governance; Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures

A.8 – Asset management

Asset Management; Data Security; Information Protection Processes and Procedures; Protective Technology

A.9 – Access control

Identity Management and Access Control; Data Security; Protective Technology

A.10 – Cryptography

There is no specific category covering cryptographic controls.

A.11 – Physical and environmental security

Asset Management; Business Environment; Identity Management and Access Control; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology

A.12 – Operations security

Business Environment; Risk Assessment; Data Security; Information Protection Processes and Procedures; Protective Technology; Security Continuous Monitoring; Analysis; Mitigation

A.13 – Communications security

Asset Management; Identity Management and Access Control; Data Security; Protective Technology

A.14 – System acquisition, development, and maintenance

Data Security; Information Protection Processes and Procedures; Security Continuous Monitoring; Detection Processes

A.15 – Supplier relationships

Business Environment; Supply Chain Risk Management; Maintenance; Security Continuous Monitoring

A.16 – Information security incident management

Information Protection Processes and Procedures; Anomalies and Events; Detection Processes; Response Planning; Communications; Analysis; Mitigation; Improvement; Recovery Planning

A.17 – Information security aspects of business continuity management

Business Environment; Risk Assessment; Information Protection Processes and Procedures; Protective Technology

A.18 – Compliance

Governance; Risk Assessment; Information Protection Processes and Procedures; Detection Processes

Key Differences

CSF provides a basis for self-assessment and definition of objectives. Using CSF Profiles (Current and Target), and Implementation Tiers (Partial, Risk-Informed, Repeatable, and Adaptive), organizations have a solid basis to identify where they are today and what they want to achieve.  This approach makes it easier to define the task, how far they want to go with their implementation, and which action plans should be developed for closing the gaps.

IT environments are only one aspect that need to be considered when protecting information, and ISO 27001 goes beyond IT security. Paper-based information, as well as information from conversations and meetings, also needs to be protected, and ISO 27001 is better prepared to manage these situations.

Path to NIST CSF Implementation from ISO 27000

The CSF specializes in defining security profiles, and structuring the security controls and safeguards, especially those related to cyber environments. ISO 27001, on the other hand, specializes in integrating all IT security elements in a cohesive system that aligns with the overall context of an organization’s management and production processes.

If an organization has already implemented ISO 27001 and wants to align with the NIST CSF, the process is fairly straightforward. ISO 27000 compliance focuses on the assurance that all elements of the management system are in place, so implementing the NIST CSF is based on closing any risk-based gaps associated with the implementation of security controls.  To incorporate the CSF, the organization should do the following:

  1. Review and update the risk management process, to include the concepts of Current Profile and Target Profile.
  2. Use the Statement of Applicability and the Framework Core to create a Current Profile.
  3. Perform an internal audit of its risk management process and implemented controls, considering the NIST CSF Framework Core and Framework Implementation Tiers as a reference. This way, the organization will have an overview of how compliant its current controls are.
  4. Define a Target Profile, considering the created Current Profile, business and security objectives, and the results of the internal audit.
  5. Prepare action plans to achieve the proposed Target Profile.

ABOUT I3 DESIGN AND CONSULTING LLC

i3 Design and Consulting LLC is a boutique Information Technology, process consulting, and products firm headquartered in Leesburg, Virginia.  Our company is defined by its deep content knowledge of its staff and partners.  We bring twenty years of information technology and business process improvement knowledge to the table, with a record of success producing business value, increasing operational efficiency through IT innovation and process improvement, and driving customer focused service excellence.  i3 provides consulting support to senior executives, as well as, leadership to transition organizations to the next level by transforming business processes and improving growth, margin, customer engagement, IT, and quality.