Understanding the Fundamentals of Cybersecurity Frameworks

Published by Richard Caralli

In the past decade, cyber threats to companies and governments have dramatically increased. Digital attacks, such as ransomware and data exfiltration, have become more sophisticated with each passing year. Consequently, the costs associated with cyberattacks have risen as well.

Organizations and governments can sufficiently measure their threat readiness and maturity by adopting a cybersecurity framework. Researchers and analysts have been developing frameworks for more than 20 years to institutionalize intelligent processes to mitigate cyber risk.

This topic was explored during the recent cybersecurity framework webinar hosted by Axio. During the presentation, Axio Co-Founder and President David White and I discussed the foundational elements and use cases of frameworks and much more.


Cybersecurity Frameworks: Five Structural Elements

Cybersecurity frameworks and maturity models have been evolving since the mid-1980s. Since that time, frameworks have become more thoughtful and complex, but they still generally include the five basic elements described below. Of the five, the first two are ubiquitous in cybersecurity frameworks, while the others appear in more advanced and robust frameworks. Understanding these elements can help you define your use case, establish your framework requirements, and select the frameworks that align with your objectives. With that said, let’s examine the five structural elements of cybersecurity frameworks.

1.   Provides definition for a cybersecurity program or function.

It may sound somewhat obvious, but it’s nonetheless important: every framework works to define the basics of what a cybersecurity program or specific cybersecurity function should look like, explains the purpose of the framework itself, and details the applicability of the model for different organization types. It also outlines a set of essential security activities that an organization or government should be engaging in and the desired outcomes of the program. If the objective of the framework is unclear and you can’t envision how it will meet your use case, it may be because the reason the framework exists is poorly defined. This can occur when a framework attempts to be one-size-fits-all, which can make it too general to be useful.

2.   Articulates specific practices and how to select them based on your unique organizational context.

A good framework achieves its purpose by framing a set of activities and practices that, when implemented, achieve a set of defined and measurable objectives. You should be able to clearly discern how a set of specific practices helps you define, implement, and operate a corresponding organizational process. For example, if the framework you select includes a set of practices for vulnerability management, you should be able to develop and implement a vulnerability management process that uses those practices and achieves an organizational objective: to identify and remediate vulnerabilities on a timely basis. Well-developed frameworks not only provide a set of practices but help you select the practices that will work best in your organizational context. The framework practices should also be grounded in a set of controls that are put in place to “anchor” the practices and keep them in check—operating as expected and providing obvious evidence when the controls are failing or have failed. In some cases, the controls will be prescribed directly by the framework; in others, the framework may reference a control catalog such as NIST 800-53, which provides security and privacy controls that provide “protective measures for systems, organizations, and individuals.” These controls are designed to “facilitate risk management and compliance with applicable federal laws, executive orders, directives, regulations, policies, and standards.”

3.   Provides implementation guidance.

Just because a good framework includes sufficient practices and controls to outline a process does not mean that you’ll have all of the knowledge or information you need to implement those practices. Let’s go back to the vulnerability management example and examine a seemingly simple practice: “Identify vulnerabilities.” Anyone who has worked in this space knows there are countless sources of vulnerability information that must be curated and consumed in a way that makes them actionable. Curating these vulnerabilities might involve the use of tools and supplementary processes that reach many layers deep into the organization.

Frameworks that provide implementation guidance help meet the challenge of turning practices and controls into processes that are definable and executable. Implementation guidance answers questions such as: How do we do this? What tools do we need? Who does this activity? How often is it performed? Beyond implementation details, more advanced frameworks provide guidance on additional considerations that are essential to making the framework “stick.” For example, in the well-regarded NIST Cybersecurity Framework (CSF), the documentation suggests implementation “tiers” that should be selected based on how much cybersecurity risk exists for an organization. The NIST CSF tiers align with the practices an organization uses and “reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.” When selecting a tier to implement, an organization or government should consider “current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.”

This is also the area where maturity models shine above many frameworks. A maturity representation—cast in the likeness of CMMI or CERT-RMM, as we see in CMMC—can provide guidance that goes beyond practice implementation to provide for institutionalizing features: the supplementary practices you perform to create an enduring culture around the practices. These features include practices for defining processes, developing process plans, assigning roles and responsibilities, providing training, defining the artifacts of the process, and establishing oversight and success measurement.

4.   Provides for observable evidence of practice implementation.

How do I know when I’m doing a practice as intended? How do I know I’m achieving the desired outcome?

Sometimes, the best way to know you’ve done something right is to have an example to compare against. A framework that provides observable elements gives you a way to confirm that the practice is in place, because you can see the results and compare them to a baseline. Practice artifacts provide a tangible target that the organization can clearly aim for and, upon inspection, can be reasonably sure the practice is being performed. For example, a ticketing system that captures critical vulnerabilities and assigns them for remediation is observable evidence of one or more practices in a typical vulnerability management process. Observable artifacts not only provide a tangible representation of the practice, but help to translate a framework from a paper document into something that the organization can hold up as visible proof of implementation.

5.   Provides a way to measure and improve.

No framework is worth implementing if you can’t use it to continuously improve your organization. Practices, implementation guidance, and artifacts are elements of a framework that benefit from regular inspection and correction. Taking measurements that reveal when a practice is out of control and failing to achieve its objectives is essential for long-term success. For example, if a framework defines a practice for remediation of critical vulnerabilities within 30 days and you observe in your ticketing system that these vulnerabilities are aging significantly beyond 30 days before they are fixed, your process is not working. You now have an opportunity to evaluate what is impeding progress and fix it. A framework that defines how to measure a practice or associated process, and how to know when it is no longer producing the intended outcomes, gives you a jump-start on a continuous improvement approach—one that is encouraged and required as organizational processes mature.


The Use Cases for Frameworks

Part of choosing the right framework is to understand why you are using it. A use case establishes the conditions under which the framework will operate and how it will achieve your organization’s unique cybersecurity goals. Consider these four basic questions when building your use case to support framework selection.

1.   Does it guide the implementation, evolution, and continuous improvement of your cybersecurity program?

Perhaps the most crucial use case for a framework is that it must be usable to guide the implementation of a new program or the evolution and improvement of an existing one. As the organization grows, can the framework adapt to and support your changing strategy and needs over time?

A good framework will provide a roadmap for initial adoption and care-and-feeding over time. For example, the NIST CSF suggests following these basic and repeatable steps to start or enhance a program:

  • Prioritize and Scope
  • Orient
  • Create a Current Profile
  • Conduct a Risk Assessment
  • Create a Target Profile
  • Determine, Analyze, and Prioritize Gaps
  • Implement Action Plan

If you’re a student of process improvement, you might recognize the plan-do-check-act (PDCA) architecture of NIST’s adoption roadmap—indeed, any good framework should either include such an element or be easily incorporated into your existing PDCA method.

2.   Does it guide the tactical implementation of practices and controls?

Good frameworks give you the head start needed to get the basic practices and controls in place, and then provide a means to build on early success. In the NIST 800-53 framework, foundational practices and controls are articulated along with guidance for implementation. Additionally, a framework that provides broad coverage of the expanse of cybersecurity activities can guide you to implement practices and controls that, on the surface, may not be apparent contributors to a viable security program. For example, NIST 800-53 covers a wide range of cybersecurity processes including access, awareness, training, auditing, monitoring, identification, authentication, incident response, maintenance, physical protection, and more.

3.   Will it help you guide technology acquisition and rationalization?

Let’s face it: a paper framework is only usable to the extent that you can tangibly implement processes in the organization that bring the framework to life. In a technology-laden world, processes are typically aided by people to operate them and tools to automate them. A great framework can not only help you choose the right tools for the job, but also help you implement them in a way that ensures the process objectives are met. Many organizations create and implement their cybersecurity programs “tools-first” without considering the people and processes needed to operate them—and thus, the tools pile up and are never used. (Monitoring tools come to mind!) A great framework also helps you rationalize the tools you already have—reducing cost, increasing effectiveness, and making processes stick.

4.   Can you use it to measure progress?

Measurement is one of the key aspects of adopting a framework and making it work in the long run. Sadly, many frameworks don’t provide metrics that can be measured over time to ensure the framework continues to meet your needs. At a minimum, a framework should provide guidance for measuring:

  • Implementation success: Are the practices, controls, and processes meeting their objectives? Are you able to observe the prescribed artifacts of the framework?
  • Maturity / capability: Can you measure the degree to which your framework is institutionalized and part of the culture? Can you measure the attributes—such as documentation, RACI charts, policies, etc.—that support the “stickiness” of the process?
  • Continuous improvement: Can you identify when a process is failing to achieve its objectives? When it’s drifting from its process definition and supporting policies? When you need to take action to realign to the process?
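As an added example (not code from the article or from Axio), here is the kind of measurement that structural element 5 and the continuous-improvement question above call for: checking a ticketing-system export against the article's 30-day remediation target for critical vulnerabilities. The ticket records are constructed sample data, and the field names are assumptions.

```python
"""Measure the critical-vulnerability remediation practice against its target."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Target taken from the article's example: critical vulnerabilities fixed within 30 days.
CRITICAL_SLA_DAYS = 30


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    severity: str
    opened: date
    closed: Optional[date]  # None means the ticket is still open

    def age_days(self, as_of: date) -> int:
        """Days from opening to closure, or to the as-of date if still open."""
        return ((self.closed or as_of) - self.opened).days


def sla_report(tickets, as_of, sla_days=CRITICAL_SLA_DAYS):
    """Summarise critical tickets: how many met the target, which ones breach it.

    Open tickets are measured by their current age, so a ticket that has already
    aged past the target is flagged before it is closed.
    """
    ages = {t.ticket_id: t.age_days(as_of) for t in tickets if t.severity == "critical"}
    breaches = sorted(tid for tid, age in ages.items() if age > sla_days)
    total, met = len(ages), len(ages) - len(breaches)
    return {
        "critical_total": total,
        "within_sla": met,
        "over_sla": len(breaches),
        "pct_within_sla": round(100.0 * met / total, 1) if total else None,
        "median_age_days": median(ages.values()) if ages else None,
        "breaching_tickets": breaches,  # the tickets to investigate for impediments
    }


# Constructed sample export; dates are chosen to exercise both open and closed cases.
SAMPLE_TICKETS = [
    Ticket("VUL-101", "critical", date(2024, 1, 3), date(2024, 1, 20)),   # closed in 17 days
    Ticket("VUL-102", "critical", date(2024, 1, 5), date(2024, 2, 28)),   # closed in 54 days
    Ticket("VUL-103", "critical", date(2024, 2, 1), None),                # still open
    Ticket("VUL-104", "high", date(2024, 1, 10), None),                   # not in scope here
    Ticket("VUL-105", "critical", date(2024, 2, 20), date(2024, 3, 10)),  # closed in 19 days
]


def sample_report():
    """Run the measurement over the constructed export as of 2024-03-15."""
    return sla_report(SAMPLE_TICKETS, as_of=date(2024, 3, 15))


if __name__ == "__main__":
    print(sample_report())
```

A result where half of the critical tickets breach the target is the "process is not working" signal the article describes; the breaching ticket ids are where to look for what is impeding progress.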

Learn More about Maturity Models and Security Frameworks from Axio

If your organization wants to adopt a cybersecurity framework, Axio can help you determine your next steps. Axio offers free single-user assessments for frameworks including NIST CSF, C2M2, and more. On top of this, paid subscribers can receive reviews for important models such as CMMC, CIS 20, or custom setups. Try the free tool here to learn more.


About the author:

Richard Caralli is the Lead GRC Consultant for Seiso LLC. He is responsible for helping customers implement GRC programs that achieve their unique cybersecurity, regulatory, and compliance goals and requirements. Most recently, Caralli held various senior-level positions in information technology and cybersecurity in the oil and gas industry. Previously, he was the Technical Director of CERT’s Risk and Resilience Directorate at Carnegie Mellon’s Software Engineering Institute, where he was the lead architect of the CERT® Resilience Management Model (CERT-RMM), a process improvement-focused maturity model for managing operational resilience, much of which has been incorporated into various models including the Cybersecurity Maturity Model Certification (CMMC). Caralli has over 30 years of experience in developing, implementing, and operating information security risk assessment, analysis, and management technologies and has delivered coursework in these disciplines to graduate and executive education students at Carnegie Mellon’s Heinz College. Prior to joining CERT in 2001, Caralli led accounting and IT audit teams in the banking, manufacturing, and oil and gas industries.