NIST Cybersecurity Framework (CSF)

Aligning to the NIST CSF in the AWS Cloud

First published January 2019. Updated October 12, 2021.

Notices

Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided "as is" without warranties, representations, or conditions of any kind, whether express or implied. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

© 2021 Amazon Web Services, Inc. or its affiliates. All rights reserved.

Contents

Intended audience ........................................ 1
Introduction ............................................. 1
Security benefits of adopting the NIST CSF ............... 3
NIST CSF implementation use cases ........................ 4
    Healthcare ........................................... 4
    Financial services ................................... 5
    International adoption ............................... 5
NIST CSF and AWS Best Practices .......................... 6
    CSF core function: Identify .......................... 7
    CSF core function: Protect .......................... 11
    CSF core function: Detect ........................... 14
    CSF core function: Respond .......................... 16
    CSF core function: Recover .......................... 17
AWS services alignment with the CSF ..................... 19
Conclusion .............................................. 20
Appendix A – Third-party assessor validation ............ 21
Contributors ............................................ 22
Document revisions ...................................... 22

Abstract

Governments, industry sectors, and organizations around the world are increasingly recognizing the NIST Cybersecurity Framework (CSF) as a recommended cybersecurity baseline to help improve the cybersecurity risk management and resilience of their systems. This paper evaluates the NIST CSF and the many AWS Cloud offerings that public and commercial sector customers can use to align to the NIST CSF and improve their cybersecurity posture. It also provides a third-party validated attestation confirming AWS services' alignment with the NIST CSF risk management practices, allowing you to properly protect your data across AWS.

Amazon Web Services

NIST Cybersecurity Framework (CSF)

Intended audience

This document is intended for cybersecurity professionals, risk management officers, or other organization-wide decision makers considering how to implement a new cybersecurity framework or improve an existing one in their organization. For details on how to configure the AWS services identified in this document, contact your AWS Solutions Architect.

Introduction

The NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework, or CSF) was originally published in February 2014 in response to Presidential Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," which called for the development of a voluntary framework to help organizations improve the cybersecurity, risk management, and resilience of their systems. NIST conferred with a broad range of partners from government, industry, and academia for over a year to build a consensus-based set of sound guidelines and practices.

The Cybersecurity Enhancement Act of 2014 reinforced the legitimacy and authority of the CSF by codifying it and its voluntary adoption into law, until the Presidential Executive Order on "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," signed on May 11, 2017, mandated the use of the CSF for all U.S. federal entities.

While intended for adoption by the critical infrastructure sector, the foundational set of cybersecurity disciplines comprising the CSF has been supported by government and industry as a recommended baseline for use by any organization, regardless of its sector or size. Industry is increasingly referencing the CSF as a de facto cybersecurity standard.

In February 2018, the International Standards Organization released "ISO/IEC 27103:2018 - Information technology - Security techniques - Cybersecurity and ISO and IEC Standards." This technical report provides guidance for implementing a cybersecurity framework leveraging existing standards. In fact, ISO 27103 promotes the same concepts and best practices reflected in the NIST CSF; specifically, a framework focused on security outcomes organized around five functions (Identify, Protect, Detect, Respond, Recover) and foundational activities that crosswalk to existing standards, accreditations and frameworks. Adopting this approach can help organizations achieve security outcomes while benefiting from the efficiencies of re-using instead of re-doing.

Credit: Natasha Hanacek/NIST

According to Gartner, the CSF is used by approximately 30 percent of U.S. private-sector organizations and is projected to reach 50 percent by 2020.[1] As of the release of this report, 16 U.S. critical infrastructure sectors use the CSF and over 21 states have implemented it.[2] In addition to critical infrastructure and other private-sector organizations, other countries, including Italy and Israel, are leveraging the CSF as the foundation for their national cybersecurity guidelines.

Since Fiscal Year 2016, U.S. federal agency Federal Information Security Modernization Act (FISMA) metrics have been organized around the CSF, and now reference it as a "standard for managing and reducing cybersecurity risks." According to the FY16 FISMA Report to Congress, the Council of the Inspectors General on Integrity and Efficiency (CIGIE) aligned IG metrics with the five CSF functions to evaluate agency performance and promote consistent and comparable metrics and criteria between Chief Information Officer (CIO) and Inspector General (IG) assessments.

The most common applications of the CSF have manifested in three distinct scenarios:

• Evaluation of an organization's enterprise-wide cybersecurity posture and maturity by conducting an assessment against the CSF model (Current Profile), determining the desired cybersecurity posture (Target Profile), and planning and prioritizing resources and efforts to achieve the Target Profile.

• Evaluation of current and proposed products and services against security objectives aligned to CSF categories and subcategories, to identify capability gaps and opportunities to reduce overlapping or duplicative capabilities for efficiency.

• A reference for restructuring an organization's security teams, processes, and training.

This paper identifies the key capabilities of AWS service offerings available globally that U.S. federal, state, and local agencies; global critical infrastructure owners and operators; and global commercial enterprises can leverage to align to the CSF (security in the cloud). It also provides support to establish the alignment of AWS Cloud services to the CSF as validated by a third-party assessor (security of the cloud) based on compliance standards, including FedRAMP Moderate[3] and ISO 9001/27001/27017/27018.[4]

This means that you can have confidence that AWS services deliver on the security objectives and outcomes identified in the CSF, and that you can use AWS solutions to support your own alignment with the CSF and any required compliance standard. For U.S. federal agencies in particular, leveraging AWS solutions can facilitate your compliance with FISMA reporting metrics. This combination of outcomes should empower you with confidence in the security and resiliency of your data as you migrate critical workloads to the AWS Cloud.

Security benefits of adopting the NIST CSF

The CSF offers a simple-yet-effective construct consisting of three elements: Core, Tiers, and Profiles. The Core represents a set of cybersecurity practices, outcomes, and technical, operational, and managerial security controls (referred to as Informative References) that support the five risk management functions: Identify, Protect, Detect, Respond, and Recover. The Tiers characterize an organization's aptitude and maturity for managing the CSF functions and controls, and the Profiles are intended to convey the organization's "as is" and "to be" cybersecurity postures. Together, these three elements enable organizations to prioritize and address cybersecurity risks consistent with their business and mission needs.

It is important to note that implementation of the Core, Tiers, and Profiles is the responsibility of the organization adopting the CSF (for example, a government agency, financial institution, commercial start-up, and so on). This paper focuses on AWS solutions and capabilities supporting the Core that can enable you to achieve the security outcomes (Subcategories) in the CSF. It also describes how AWS services that have been accredited under FedRAMP Moderate and ISO 9001/27001/27017/27018 align to the CSF.

The Core references security controls from widely adopted, internationally recognized standards such as ISO/IEC 27001, NIST 800-53, Control Objectives for Information and Related Technology (COBIT), Council on Cybersecurity (CCS) Top 20 Critical Security Controls (CSC), and ANSI/ISA-62443 Standards - Security for Industrial Automation and Control Systems.

While this list represents some of the most widely reputed standards, the CSF encourages organizations to use any controls catalogue that best meets their organizational needs. The CSF was also designed to be size-, sector- and country-agnostic; therefore, public and private sector organizations should have assurance in the applicability of the CSF regardless of the type of entity or nation-state location.

NIST CSF implementation use cases

Healthcare

The U.S. Department of Health and Human Services completed a mapping of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[5] Security Rule to the NIST CSF. Under HIPAA, covered entities and business associates must comply with the HIPAA Security Rule to ensure the confidentiality, integrity and availability of protected health information.[6] Since HIPAA does not have a set of controls that can be assessed or a formal accreditation process, covered entities and business associates,
