- Donald E. Hester
Reporting to Council: Why Local Governments Should Use the NIST Cybersecurity Framework
As cybersecurity threats continue to increase, it is becoming more important than ever for local governments to prioritize their security measures. One way to ensure that City Council is aware of the state of cybersecurity within their organization is by using the NIST Cybersecurity Framework (CSF). This framework is highly recommended for local governments and critical infrastructure partners, making it an ideal tool for reporting on cybersecurity to council. The framework is designed around five main objectives, providing a straightforward way to report on areas of strength and weakness. Additionally, the Cybersecurity Framework is broad enough in scope to avoid revealing sensitive information during public meetings, while remaining easy for non-professionals to understand. By utilizing this framework, City Council can be better informed about their organization's cybersecurity posture and take appropriate actions to mitigate risks.
Other Frameworks for Reporting
While some have suggested the CIS Top 18 controls for reporting cybersecurity in local government, some experts find it difficult to manage and clearly communicate. The main advantage of reporting with the Cybersecurity Framework is that it is easy to understand and to report on the progress of each objective. On the other hand, the Top 18 controls are more detailed and often require further explanation, which can confuse non-professionals.
Some have considered using a vendor-specific framework, such as InfoTech's Security Governance and Management Maturity Scorecard. However, it's important to keep in mind the intended audience of the report. InfoTech's scorecard covers seven areas, including auditing, policy and process governance, risk analysis, vulnerability management, event and incident management, security culture, and compliance management. While this may provide a comprehensive view of an organization's security posture, it may not be the clearest approach when reporting to a council or board.
As mentioned earlier, council members may not have a technical background or may not have the time to delve into the details of a report. Therefore, it's important to keep the report simple and high-level, while still providing meaningful information. Using a framework such as the NIST Cybersecurity Framework, which has five main objectives, can provide a clearer picture of an organization's security posture while still being easily understandable by non-professionals.
While the Cybersecurity Framework does contain over a hundred controls, it is broken down into five main easy-to-understand objectives: identify, protect, detect, respond, and recover. These objectives give a comprehensive view of the organization's security posture and can be easily understood by non-professionals. This approach can provide a high-level overview of the organization's security posture and identify areas that need improvement without getting into the weeds of detailed control implementations.
Save Time Using CSF
Using the NIST Cybersecurity Framework not only simplifies the reporting process but it can also save time. This is because the annual National Cybersecurity Review (NCSR), which is required for federal grant funding, uses the same framework. Using the NCSR to assess your organization's cybersecurity posture, you can obtain a score in each of the five parent objectives of the framework. This score can then be used to report to the council or board, reducing the amount of work you need to do.
By leveraging the results of the NCSR, you can save time and resources that would have been spent on conducting a separate cybersecurity assessment. This can be particularly beneficial for small local governments or organizations with limited resources. Additionally, using the NCSR can ensure that your organization's cybersecurity posture is consistent with federal guidelines, which can help you qualify for grant funding.
However, it is important to note that the NCSR is currently voluntary, and not all local governments may be required to complete it. Nevertheless, if you are already filling out the NCSR, using its results to report to the council or board can be an efficient and effective way to communicate your organization's cybersecurity posture.
Use CSF to Align With Overall Local Government Goals
Using the Cybersecurity Framework (CSF) can also help align your cybersecurity objectives with your overall city goals. Many organizations use cascading goals, which means that the goals and objectives at the highest level are broken down into smaller objectives that are cascaded down to lower levels of the organization. By using the CSF, you can easily adapt it to fit into this type of goal-setting framework. This can help ensure that cybersecurity is integrated into the overall strategy of the city, and that it is not viewed as a separate and disconnected function. By aligning cybersecurity with other goals and objectives, you can ensure that it is given the appropriate attention and resources it requires.
Here is an example:
Overall Goal: Identify cyber risks and develop mitigation measures to reduce the City's exposure to cyber attacks
Main Objective: Collaborate with stakeholders to identify and mitigate cyber risks related to their operations, missions, and goals.
Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
Protect: Develop and implement appropriate safeguards to ensure the delivery of critical services and provide digital resilience.
Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity incident.
Respond: Develop and implement appropriate activities to respond to cybersecurity incidents.
Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
Using CSF for Budget Justification and Requests
Using the Cybersecurity Framework for budget justification and requests can greatly simplify the process of explaining the need for certain cybersecurity measures. For instance, when requesting the purchase of a security information and event management (SIEM) system, rather than getting bogged down in technical jargon, it is much easier to explain how the system will help detect threats and increase the organization's ability to respond to an attack. By referencing a low score in the Detect area from the last assessment, it becomes clear that investing in a SIEM service is necessary to improve the organization's overall cybersecurity posture. This can make the case for funding much simpler and more compelling for executives and decision-makers.
CSF Maps to All the Other Standards
The Cybersecurity Framework is a great choice for reporting cybersecurity posture because it aligns with all the other standards and compliance requirements. This means that you can use the framework to create an overall picture of your cybersecurity posture while still meeting the specific requirements of each standard. The framework has detailed mapping for the most common standards and requirements, such as HIPAA, PCI DSS, NIST 800-53, ISO 27001, COBIT, ISA, and CJIS. While an audit committee may need more detailed information around each specific standard, using the Cybersecurity Framework can help to simplify reporting and ensure that all requirements are being met. Overall, the framework's wide use and alignment with other standards make it a logical choice for reporting cybersecurity posture.
The Cybersecurity Framework can be used as a unified approach to report on cybersecurity posture for both information technology (IT) and operational technology (OT), including industrial control systems. This is particularly important because cyber threats can impact both IT and OT systems, and it's important to have a comprehensive view of the organization's cybersecurity posture. By using the Cybersecurity Framework, you can create a common language and approach to report on cybersecurity across both IT and OT systems, which makes it easier to communicate with stakeholders and decision-makers. It can also help identify gaps and overlaps in cybersecurity controls across the entire organization, which can then be addressed in a more coordinated and efficient manner.
There is One Framework to Rule Them All!
In conclusion, leveraging the NIST Cybersecurity Framework can simplify the process of reporting cybersecurity to City Council and executives. By focusing on the five main objectives of the framework, it becomes easier to identify areas of improvement and report on progress. Additionally, using the framework can save time and effort by aligning with other compliance requirements and even serving as a budget justification tool. It is a versatile and comprehensive framework that can be adapted to various organizational goals and even for combining IT and OT cybersecurity reporting. By utilizing this framework, you can effectively communicate the importance of cybersecurity to decision-makers and ensure that your organization is protected against cyber threats.