Sizing Up the NIST Cybersecurity Framework
Carrie Johnson, Government and Industry Relations Manager, SDN Communications
Those of us who work for small businesses regularly perform duties outside our job description. I’ve experienced the “all hands on deck” approach that drives the day-to-day operations of many small and midsize businesses. This approach fittingly applies to cybersecurity, which is no longer a responsibility that can or should be solely reserved for IT.
I was hired by SDN Communications to serve in a government relations and regulatory capacity, but the position soon evolved to include cybersecurity and risk management. Prior to joining SDN, I worked in the U.S. Senate on cybersecurity and telecommunications policy. In one of my last duties as a staffer, I briefed Sen. Tim Johnson about the Cybersecurity Enhancement Act of 2014. The measure cemented NIST’s role as the agency tasked with developing a voluntary, industry-led framework to improve our nation’s cybersecurity preparedness. Little did I know, I’d later find myself leading efforts to work through that very framework.
SDN is a regional broadband provider headquartered in South Dakota, with a fiber-optic network extending into eight states of the Northern Plains. The company has 160 employees and is owned by 17 rural telecom companies serving the state’s most rural and remote areas. Banks, hospitals, schools, first responders and the public rely upon the safe and reliable transfer of information traversing SDN’s network.
SDN had a cybersecurity program in place long before I arrived. But as cyber threats change and grow, so must a company’s approach. SDN saw the NIST Cybersecurity Framework as yet another tool it could use to strengthen its existing operations.
For those who don’t know, the framework consists of five functions, 22 categories, and 98 subcategories, which could be considered best practices. Beginning the process proved a daunting task. SDN had past experience working through government and industry standards, but those previous exercises centered on compliance, not the risk management approach the framework embodies.
SDN’s CEO Mark Shlanta, a vocal supporter of the framework, directed his team to use it. He tasked me with assembling an internal working group to evaluate the tool. The “buy in” from executive leadership proved essential because it elevated the project as a company priority and helped get the right people to the table.
Our group grew as we worked through the framework. We quickly realized we needed to loop in additional team members beyond the usual cast of characters involved in information assurance (IT, network operations, etc.). Participation from diverse business units allowed us to evaluate cybersecurity from multiple angles, such as our product team suggesting we review our vendor selection process and human resources proposing new approaches for cyber literacy training.
The group’s initial review of the framework required five hours of deliberation, spread over several meetings. We assigned a present and target score to each subcategory and used our findings to inform our next steps. Our initial top priorities included the formation of a security committee, updating our business continuity and disaster recovery program to include a stronger emphasis on cybersecurity, and creating a vendor review process. As someone who followed the early stages of the framework from within the DC Beltway, it feels as though the framework and I have come full circle. I’ve enjoyed grappling with this tool and seeing how it can be used to improve regional network security.
Use cases on NIST’s Industry Resources webpage offer a great place to start for companies interested in using the framework. The diverse approaches gave me ideas and helped me realize the framework is not a prescriptive tool. A company has creative license to develop a method that best meets its needs.
We also relied upon Federal Communications Commission (FCC) guidance when designing our approach. In addition to the FCC, other federal agencies have released guidance tailored to their critical infrastructure sector. We homed in on FCC’s recommendations geared toward wireline communications operators and small and midsize businesses. This helped SDN prioritize the areas of the framework deserving our closest attention.
Relying upon feedback from my peers within the industry also proved beneficial. I had numerous conversations with companies that had already worked through the framework. Their willingness to provide insight provided a useful sounding board. Instead of re-inventing the wheel, I could pick and choose from a body of past experience.
A discussion with Silver Star Communications, a rural telecom provider in Wyoming, provided useful advice. We incorporated some of their best practices into our approach, including adding a new column to NIST’s Framework Core (XLSX) spreadsheet, titled “$, $$, $$$.” SDN used this column to predict the level of resources necessary to address identified gaps. Upon completion of our initial review, this field helped our team identify the “low-hanging fruit” gap areas that could be improved with limited financial investment.
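The scored review described above (a present and target score per subcategory, plus the “$, $$, $$$” resource column) can be turned into a ranked gap list. The following is an added example, not SDN’s or NIST’s own code; it assumes the Framework Core worksheet has been exported to CSV with those columns, and the rows below are constructed sample data, not SDN’s actual scores.

```python
"""Rank open gaps in a NIST CSF Core worksheet by gap size per unit of cost.

Added example (not SDN's or NIST's code). Assumes a CSV export with columns
subcategory, present, target, cost, where cost is one of "$", "$$", "$$$".
"""
import csv
import io

# Constructed sample export. Subcategory IDs follow the CSF Core naming
# convention (Function.Category-N); scores are an assumed 0-4 scale.
SAMPLE_CSV = """subcategory,present,target,cost
ID.AM-1,3,3,$
ID.GV-1,1,3,$
ID.RA-3,1,3,$$
PR.AT-1,2,4,$
PR.IP-9,1,4,$$$
RS.CO-1,2,3,$$
"""

# Weight for the "$, $$, $$$" column: more dollar signs, more resources.
COST_WEIGHT = {"$": 1, "$$": 2, "$$$": 3}


def load_rows(text):
    """Parse the CSV export, rejecting rows whose cost marker is unknown."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        cost = r["cost"].strip()
        if cost not in COST_WEIGHT:
            raise ValueError(f"{r['subcategory']}: unknown cost {cost!r}")
        rows.append({"subcategory": r["subcategory"].strip(),
                     "present": int(r["present"]),
                     "target": int(r["target"]),
                     "cost": cost})
    return rows


def gap(row):
    """Distance between where the team is and where it wants to be."""
    return row["target"] - row["present"]


def prioritise(rows):
    """Open gaps ordered by gap per unit of cost, largest first.
    Subcategories already at their target score are dropped."""
    open_gaps = [r for r in rows if gap(r) > 0]
    return sorted(open_gaps, key=lambda r: (-gap(r) / COST_WEIGHT[r["cost"]],
                                            COST_WEIGHT[r["cost"]],
                                            r["subcategory"]))


def low_hanging_fruit(rows):
    """Open gaps the team marked "$": improvable with limited investment."""
    return [r["subcategory"] for r in prioritise(rows) if r["cost"] == "$"]
```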
Working through the framework can be an intimidating task for small organizations. Although the news media often focuses on cyber-attacks targeting the federal government and major national banks and retailers, small businesses are not immune. In fact, one-third of all cyber-attacks affect businesses with fewer than 250 employees. We need targeted training for small and midsize organizations to raise awareness and encourage broader utilization of the framework.
SDN serves as a cybersecurity partner to many businesses within its service territory. After working through the framework, it was clear to SDN that its customers — representing numerous critical infrastructure sectors — would benefit from the framework. SDN also recognized other rural telecom providers could similarly use this tool to boost their cyber defenses.
As a result, SDN, in partnership with the South Dakota Telecommunications Association and Dakota State University, organized a training workshop in May 2016. It attracted 165 attendees and equipped telecom providers and other critical infrastructure operators with the tools to begin applying the framework to their operations.
U.S. Senate Committee on Commerce, Science, and Transportation Chairman John Thune provided the opening remarks for the two-day meeting:
“It’s valuable in my view to have a regional cybersecurity event where South Dakotans and our neighbors can learn about the state of cyber-attacks and security strategies, including how to use the framework for improving critical infrastructure.”
Researchers from NIST, the head of the Department of Homeland Security’s Critical Infrastructure Cyber Community C³ Voluntary Program, and other government and industry experts also shared their insight. The educational resources and videos from the training are available here.
Just as others helped us get the ball rolling, SDN will act as a resource to small and midsize organizations interested in using the framework. In the last quarter of 2016, SDN began offering the CyberRx tool to jumpstart utilization of the framework by rural telecom companies and other businesses. The beauty of the framework is that it’s flexible and scalable. The framework can serve as a constructive tool for companies ranging in size from SDN’s smallest member company, Beresford Municipal Telephone with seven employees, to the Intel Corporation with 100,000 employees in 63 countries.
Small businesses have much to gain by working through the framework. They can use it to build a cybersecurity program from scratch or help strengthen an existing program. It also represents a valuable professional development exercise by extending conversations about cybersecurity and risk management across a company. People are the driving force behind achieving a culture of security. For small businesses, their “all hands on deck” mindset is a strength they can leverage to boost their resilience.
This post originally appeared on Taking Measure, the official blog of the National Institute of Standards and Technology (NIST) on October 31, 2016.
About the Author
Carrie leads SDN Communications’ government and industry relations team and collaborates with departments across the company on cybersecurity and regulatory compliance. Prior to joining SDN, Carrie served as a policy adviser for U.S. Senator Tim Johnson. A native of Yankton, South Dakota, Carrie’s first job was working with horses at a dude ranch.