User:Shawndouglas/sandbox/sublevel27 - Revision history

Shawndouglas: Replaced content with "
TOC
{{ombox | type = notice | style = width: 960px; | text = This is sublevel27 of my sandbox, where I play with features and..."

2023-08-16T20:28:32Z

Replaced content with "<div class="nonumtoc">__TOC__</div> {{ombox | type = notice | style = width: 960px; | text = This is sublevel27 of my sandbox, where I play with features and..."

← Older revision		Revision as of 20:28, 16 August 2023
Line 1:		Line 1:
	==~~6. Considerations when choosing and implementing a cloud solution=~~=		<div class="nonumtoc">__TOC__</div>
	~~[[File:Quanta Computer cloud computing servers at COSCUP 20120819.jpg~~\|~~right\|400px]]Much has been said to this point about [[cloud computing]], the importance~~ of ~~security to the technology, the risks inherent to it~~, and ~~how~~ to ~~manage those risks. We've also looked at cloud computing within the realm of the [[laboratory]] and how security, risk~~, ~~and~~ [[~~risk management~~]] ~~fit into the laboratory's concerns~~. Now it's time to take that knowledge and those concerns directly to the task of choosing one or more cloud services to implement in your lab. (Appendix 1 of this guide provides a list of profiles for top public, hybrid, and multicloud providers to consider.)		{{ombox
			\| type = notice
			\| style = width: 960px;
			\| text = This is sublevel27 of my sandbox, where I play with features and test MediaWiki code. If you wish to leave a comment for me, please see [[User_talk:Shawndouglas\|my discussion page]] instead.<p></p>
			}}

	Prior chapters have highlighted the fact that choosing to move towards a cloud-based approach in your organization is a process in itself, a process deserving of a plan. Just as risk management is part of an overall [[cybersecurity]] plan, choosing and implementing a cloud project is part of an overall cloud migration plan.<ref name=~~"BuchananTheUltimate">{{cite web \|url~~=~~https://www.buchanan.com/cloud-migration-project-plan/ \|title~~=~~The Ultimate Cloud Migration Project Plan for SMBs \|publisher~~=~~Buchanan Technologies \|accessdate=28 July 2023}}</ref> By this point, you've hopefully already:~~		==Sandbox begins below==

	* stated the goals of the cloud project and received management buy-in;
	* identified the project stakeholders;
	* developed scope and responsibility documentation;
	* examined and classified your existing—and future—data for criticality, sensitivity, cleanliness, suitability, etc.;
	* identified relevant risks associated with the five risk categories as part of an overall/enterprise risk management assessment; and
	* identified computing requirements and objectives, including the need for any [[data cleansing]] and migration tools.

	Of course, there's more to the cloud migration plan, including documenting and training on processes and procedures, monitoring performance and security controls, and employing corrective action, but those come after you've chosen and implemented your cloud solution(s). The following sections examine what aspects to consider as part of that process, including what an average cloud service provider (CSP) should look like, what to look for in a CSP (including their service agreements), what your organization should ask of itself, and what your organization should be asking of the CSP.


	~~===6.1 What are the various characteristics of an average cloud provider?===~~
	This guide has, at least indirectly, addressed the question of what makes a cloud provider what they are. But let's collect some of those disparate thoughts spread across the prior chapters to paint a portrait of an average cloud provider. Broadly speaking, a cloud provider could be a public cloud provider such as Amazon Web Services (AWS) or Google Cloud, a hybrid cloud provider like Dell Technologies Cloud, a multicloud provider such as VMware Cloud, or any of thousands of software developers offering a [[software as a service]] (SaaS) option. These providers offer one or more services under various service models, using either their own cloud computing infrastructure, or—as is the case with some software vendors—through the use of another company's cloud computing infrastructure. But in the end, they are all offering a service. Yes, there is actually something tangible (a cloud product) associated with this service, but the actual provision, maintenance, security management, etc. of the product is part of the offered service to you, the customer.

	A cloud service being both a service and a tangible product, the average cloud provider will also intertwine their service with their product as part of their interactions with your lab. When engaging with your lab, they will ideally<ref name="Charles7Things20">{{cite web \|url=https://smallbiztrends.com/2016/10/selling-services.html \|title=7 Things You Need to Know About Selling Services \|author=Charles, J. \|work=Small Business Trends \|date=13 July 2020 \|accessdate=28 July 2023}}</ref>:

	* strike up a good rapport with your organization;
	* make a genuine attempt to understand your organization's needs;
	* assist you with envisioning the positive outcomes using the service;
	* be attentive to you feelings and concerns about their service;
	* provide testimonials and case studies; and
	* demonstrate how they are uniquely positioned to provide their service.

	Again, being a service, the CSP will ideally have a knowledgeable and experienced team of individuals who understand the various aspects of providing a cloud service. It may be difficult to ascertain how knowledgeable and experienced the overall team is, but, assuming your communications become more than an initial inquiry, you may eventually reach a point where you're assigned a service agent. That person will hopefully be able to answer all your questions or be able to quickly get answers for you. Based upon the questions you ask of that agent, you should gain confidence in their knowledge about the product, as well as address how it relates to the industry your laboratory serves. If the cloud provider is providing a SaaS solution, they should be able to demonstrate the solution for you and provide additional feedback in a recorded question and answer session, all of which can be referred back to by your lab at a later date. Tangentially, the CSP and its service agent should also be able to guide you to documentation and even case studies demonstrating how they are able to help your laboratory be successful in the cloud, while also finding that success in a secure and regulated manner.

	Through their interactions with you, the CSP should also be able to demonstrate expertise in security, compliance, and data migration. They may do this through meaningful conversation, as well as by making critical documents such as their SOC 2 audit report available to you. They will also discuss their shared responsibility model with you and what that means contractually. If certain aspects of security appear to be amiss from a proposed contract, the provider will ideally be flexible enough to attach additional clauses and assurances, where reasonable, to help alleviate your lab's security concerns. Data migration concerns should also be addressed by detailing the infrastructure behind the service you want to use and how that infrastructure may impact your lab and its data. This includes addressing the nuances of the CSP's cloud storage and archiving systems, as well as any risk management strategies that may impact your more sensitive data.

	Finally, the CSP should be upfront about support, warranty, and costs. If your laboratory is operating on a twenty-four hour basis and something goes wrong at 2:00 a.m., the CSP should be there to provide support (as long as its stipulated for the services you're contracted for) at that hour. Those cloud services will also come with appropriate warranties for performance, compliance, non-infringement, etc.<ref name="ParksKey18">{{cite web \|url=https://www.internationallawoffice.com/Newsletters/Tech-Data-Telecoms-Media/USA/Hunton-Williams-LLP/Key-Issues-When-Contracting-for-Cloud-Services \|archiveurl=https://web.archive.org/web/20210331232429/https://www.internationallawoffice.com/Newsletters/Tech-Data-Telecoms-Media/USA/Hunton-Williams-LLP/Key-Issues-When-Contracting-for-Cloud-Services \|title=Key issues when contracting for cloud services \|author=Parks, R.S.; Voorheis, K.; Glenn, H.M. \|work=International Law Office \|date=01 May 2018 \|archivedate=28 July 2023 \|accessdate=28 July 2023}}</ref> And the costs provided to you, as well as future price changes, should be transparently communicated to you and your lab at all steps of the professional relationship.

Shawndouglas at 22:44, 27 July 2023

2023-07-27T22:44:55Z

← Older revision	Revision as of 22:44, 27 July 2023
Line 1:	Line 1:
		==6. Considerations when choosing and implementing a cloud solution==
		[[File:Quanta Computer cloud computing servers at COSCUP 20120819.jpg\|right\|400px]]Much has been said to this point about [[cloud computing]], the importance of security to the technology, the risks inherent to it, and how to manage those risks. We've also looked at cloud computing within the realm of the [[laboratory]] and how security, risk, and [[risk management]] fit into the laboratory's concerns. Now it's time to take that knowledge and those concerns directly to the task of choosing one or more cloud services to implement in your lab. (Appendix 1 of this guide provides a list of profiles for top public, hybrid, and multicloud providers to consider.)

		Prior chapters have highlighted the fact that choosing to move towards a cloud-based approach in your organization is a process in itself, a process deserving of a plan. Just as risk management is part of an overall [[cybersecurity]] plan, choosing and implementing a cloud project is part of an overall cloud migration plan.<ref name="BuchananTheUltimate">{{cite web \|url=https://www.buchanan.com/cloud-migration-project-plan/ \|title=The Ultimate Cloud Migration Project Plan for SMBs \|publisher=Buchanan Technologies \|accessdate=28 July 2023}}</ref> By this point, you've hopefully already:

		* stated the goals of the cloud project and received management buy-in;
		* identified the project stakeholders;
		* developed scope and responsibility documentation;
		* examined and classified your existing—and future—data for criticality, sensitivity, cleanliness, suitability, etc.;
		* identified relevant risks associated with the five risk categories as part of an overall/enterprise risk management assessment; and
		* identified computing requirements and objectives, including the need for any [[data cleansing]] and migration tools.

		Of course, there's more to the cloud migration plan, including documenting and training on processes and procedures, monitoring performance and security controls, and employing corrective action, but those come after you've chosen and implemented your cloud solution(s). The following sections examine what aspects to consider as part of that process, including what an average cloud service provider (CSP) should look like, what to look for in a CSP (including their service agreements), what your organization should ask of itself, and what your organization should be asking of the CSP.


		===6.1 What are the various characteristics of an average cloud provider?===
		This guide has, at least indirectly, addressed the question of what makes a cloud provider what they are. But let's collect some of those disparate thoughts spread across the prior chapters to paint a portrait of an average cloud provider. Broadly speaking, a cloud provider could be a public cloud provider such as Amazon Web Services (AWS) or Google Cloud, a hybrid cloud provider like Dell Technologies Cloud, a multicloud provider such as VMware Cloud, or any of thousands of software developers offering a [[software as a service]] (SaaS) option. These providers offer one or more services under various service models, using either their own cloud computing infrastructure, or—as is the case with some software vendors—through the use of another company's cloud computing infrastructure. But in the end, they are all offering a service. Yes, there is actually something tangible (a cloud product) associated with this service, but the actual provision, maintenance, security management, etc. of the product is part of the offered service to you, the customer.

		A cloud service being both a service and a tangible product, the average cloud provider will also intertwine their service with their product as part of their interactions with your lab. When engaging with your lab, they will ideally<ref name="Charles7Things20">{{cite web \|url=https://smallbiztrends.com/2016/10/selling-services.html \|title=7 Things You Need to Know About Selling Services \|author=Charles, J. \|work=Small Business Trends \|date=13 July 2020 \|accessdate=28 July 2023}}</ref>:

		* strike up a good rapport with your organization;
		* make a genuine attempt to understand your organization's needs;
		* assist you with envisioning the positive outcomes using the service;
		* be attentive to you feelings and concerns about their service;
		* provide testimonials and case studies; and
		* demonstrate how they are uniquely positioned to provide their service.

		Again, being a service, the CSP will ideally have a knowledgeable and experienced team of individuals who understand the various aspects of providing a cloud service. It may be difficult to ascertain how knowledgeable and experienced the overall team is, but, assuming your communications become more than an initial inquiry, you may eventually reach a point where you're assigned a service agent. That person will hopefully be able to answer all your questions or be able to quickly get answers for you. Based upon the questions you ask of that agent, you should gain confidence in their knowledge about the product, as well as address how it relates to the industry your laboratory serves. If the cloud provider is providing a SaaS solution, they should be able to demonstrate the solution for you and provide additional feedback in a recorded question and answer session, all of which can be referred back to by your lab at a later date. Tangentially, the CSP and its service agent should also be able to guide you to documentation and even case studies demonstrating how they are able to help your laboratory be successful in the cloud, while also finding that success in a secure and regulated manner.

		Through their interactions with you, the CSP should also be able to demonstrate expertise in security, compliance, and data migration. They may do this through meaningful conversation, as well as by making critical documents such as their SOC 2 audit report available to you. They will also discuss their shared responsibility model with you and what that means contractually. If certain aspects of security appear to be amiss from a proposed contract, the provider will ideally be flexible enough to attach additional clauses and assurances, where reasonable, to help alleviate your lab's security concerns. Data migration concerns should also be addressed by detailing the infrastructure behind the service you want to use and how that infrastructure may impact your lab and its data. This includes addressing the nuances of the CSP's cloud storage and archiving systems, as well as any risk management strategies that may impact your more sensitive data.

		Finally, the CSP should be upfront about support, warranty, and costs. If your laboratory is operating on a twenty-four hour basis and something goes wrong at 2:00 a.m., the CSP should be there to provide support (as long as its stipulated for the services you're contracted for) at that hour. Those cloud services will also come with appropriate warranties for performance, compliance, non-infringement, etc.<ref name="ParksKey18">{{cite web \|url=https://www.internationallawoffice.com/Newsletters/Tech-Data-Telecoms-Media/USA/Hunton-Williams-LLP/Key-Issues-When-Contracting-for-Cloud-Services \|archiveurl=https://web.archive.org/web/20210331232429/https://www.internationallawoffice.com/Newsletters/Tech-Data-Telecoms-Media/USA/Hunton-Williams-LLP/Key-Issues-When-Contracting-for-Cloud-Services \|title=Key issues when contracting for cloud services \|author=Parks, R.S.; Voorheis, K.; Glenn, H.M. \|work=International Law Office \|date=01 May 2018 \|archivedate=28 July 2023 \|accessdate=28 July 2023}}</ref> And the costs provided to you, as well as future price changes, should be transparently communicated to you and your lab at all steps of the professional relationship.

Shawndouglas: Blanked the page

2021-09-06T13:11:24Z

Blanked the page

← Older revision		Revision as of 13:11, 6 September 2021
Line 1:		Line 1:
	~~==4. NIST Special Publication 800-53, Revision 4 and the NIST Cybersecurity Framework==~~
	[[File:National Cybersecurity Center of Excellence MOU Signing (7024892089).jpg\|right\|450px]]Originally released in 2005, NIST's [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final Special Publication 800-53, Revision 4]: ''Security and Privacy Controls for Federal Information Systems and Organizations'' has since gone through four revisions, with a fifth delayed<ref name="MillerOMB19">{{cite web \|url=https://federalnewsnetwork.com/reporters-notebook-jason-miller/2019/09/ombs-regulatory-review-is-creating-a-backlog-of-cyber-standards/ \|title=OMB’s regulatory review is creating a backlog of cyber standards \|author=Miller, J. \|work=Federal News Network - Reporter's Notebook \|publisher=Hubbard Radio Washington DC, LLC \|date=03 September 2019 \|accessdate=23 July 2020}}</ref> but in the works.<ref name="NISTSecandPrivRev5Draft20">{{cite web \|url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft \|title=Security and Privacy Controls for Information Systems and Organizations (Final Public Draft) \|work=Computer Security Resource Center \|author=National Institute of Standards and Technology \|date=28 April 2020 \|accessdate=23 July 2020}}</ref> The SP 800-53 cybersecurity standards framework is largely a control framework that "provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations ... from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional)."<ref name=NISTSP800-53_18">{{cite web \|url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final \|title=NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations \|work=Computer Security Resource Center \|publisher=National Institute of Standards and Technology \|date=22 January 2015 \|accessdate=23 July 2020}}</ref>

	The security controls—which act as recommended safeguards or countermeasures to protecting the integrity and availability of the information system, as well as the privacy and retention of the system's information—are classified by the complexity of and risks associated with the information system, using classifications of "low," "moderate," and "high." Though controls can be applied from just one classification, organizations and agencies are free to select additional controls from other categories and tailor them to their needs and goals.

	The controls are organized into 17 different families, and those families can have both baseline controls and control enhancements. The baseline controls are what they sound like: the core controls to be implemented as part of the security family's goal. For example, the first family ''Access control'' has a baseline control "AC-2 Account management," which recommends the organization develop a series of account management steps for its information systems. Additionally, "AC-2 Account management" has control enhancements, which can be selectively chosen to bolt on additional requirements to the base control. "AC-2 (3) Account management: Disable inactive accounts" is a control enhancement that further stipulates the system be able to automatically disable an inactive account after a designated period of time.

	You'll notice that SP 800-53 is designed with federal information systems in mind. However, the framework still holds applicable to organizations who aren't affiliated with a federal agency or organization, though with some modification. With some consideration in that regard, NIST also developed [https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final NIST Special Publication 800-171, Revision 2]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations'', which is a somewhat simplified version of SP 800-53 with mappings to both NIST SP 800-53 controls and ISO/IEC 27001:2013 controls.

	This guide leans heavily on SP 800-53 despite its mild complexity and due to its thoroughness, keeping in mind ways to present cybersecurity planning from a more neutral, non-governmental organization approach. In fact, at the end of this guide, in Appendix 1, you'll find a somewhat simplified version of mostly "low" baseline controls and control enhancements, with a few select "moderate" and "high" mixed in. However, despite best efforts, some of the wording of those controls—particularly those that directly address networking issues—couldn't be simplified, and the overall collection of controls may still prove daunting to individuals not well versed in the technical language of cybersecurity. In that case, the NIST Cybersecurity Framework may prove a more comfortable framework to work with.

	~~===4.1 NIST Cybersecurity Framework===~~
	The NIST Cybersecurity Framework is the resulting cybersecurity guidance that came out of 2013's U.S. ''Executive Order 13636: Improving Critical Infrastructure Cybersecurity''.<ref name="HSFactSheet13">{{cite web \|url=https://www.dhs.gov/publication/eo-13636-ppd-21-fact-sheet \|title=Fact Sheet: Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21 Critical Infrastructure Security and Resilience \|publisher=U.S. Deapartment of Homeland Security \|date=March 2013 \|accessdate=23 July 2020}}</ref> Building off the frameworks of NIST Special Publication 800-53 (Revision 4), COBIT 5, and the ISO 27000 series of standards, the NIST Cybersecurity Framework attempts to be a more high-level, concise, and voluntary framework for those without a rich technical background to better implement cybersecurity measures within their organization.<ref name="Chang-GuNIST15">{{cite web \|url=https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53 \|title=NIST Cybersecurity Framework vs. NIST Special Publication 800-53 \|author=Chang-Gu, A. \|work=Praetorian Security Blog \|publisher=Praetorian Security, Inc \|date=02 March 2015 \|accessdate=23 July 2020}}</ref><ref name="MorganHowToUse18">{{cite web \|url=https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework \|title=How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett \|author=Morgan, J. \|work=Security \|publisher=BNP Media \|date=04 April 2018 \|accessdate=23 July 2020}}</ref>

	Version 1.0 of the framework was introduced in 2014, and by 2016<ref name="DarkNIST16">{{cite web \|url=https://www.darkreading.com/attacks-breaches/nist-cybersecurity-framework-adoption-hampered-by-costs-survey-finds/d/d-id/1324901 \|title=NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds \|author=Dark Reading Staff \|work=Dark Reading - Attacks/Breaches \|publisher=Informa PLC Informa UK Limited \|date=30 March 2016 \|accessdate=23 July 2020}}</ref>:

	* Seventy percent of organizations viewed the framework as "a security best practice," though fifty percent noted its required high level of investment as problematic to adoption.
	* Sixty-four percent of organizations chose to use only part of the framework "due to cost and lack of regulatory pressures."
	* Eighty-three percent of organizations that said they would be adopting the framework in 2017 also indicated they would only use part of the framework.

	However, organizations are slowly changing their view from more moment-in-time approaches to cybersecurity, to more long-term and continual conformance and improvement approaches.<ref name="DarkNIST16" /><ref name="BizTechWhyARisk17">{{cite web \|url=https://biztechmagazine.com/article/2017/12/why-risk-based-approach-leads-effective-cybersecurity \|title=Why a Risk-Based Approach Leads to Effective Cybersecurity \|author=BizTech Staff \|work=BizTech \|publisher=CDW LLC \|date=20 December 2017 \|accessdate=23 July 2020}}</ref><ref name="DanielSmarter18">{{cite web \|url=https://www.cyberthreatalliance.org/smarter-way-think-cybersecurity-change-mindset-even-odds/ \|title=Smarter Cybersecurity Thinking: Change Your Mindset to Even the Odds \|author=Daniel, M. \|work=Cyber Threat Alliance Blog \|date=25 January 2018 \|accessdate=23 July 2020}}</ref> Version 1.1 of the NIST Cybersecurity Framework was introduced in April 2018, updating guidance on authentication and identity procedures, self-assessment of cybersecurity risk, and vulnerability disclosure.<ref name=NISTReleases18">{{cite web \|url=https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework \|title=NIST Releases Version 1.1 of its Popular Cybersecurity Framework \|publisher=National Institute of Standards and Technology \|date=16 April 2018 \|accessdate=23 July 2020}}</ref> Since the framework is already based upon NIST SP 800-53 and other solid frameworks, and it's developed "to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders,"<ref name="NISTNewTo19">{{cite web \|url=https://www.nist.gov/cyberframework/new-framework \|title=New to Framework \|work=Cybersecurity Framework \|publisher=National Institute of Standards and Technology \|date=18 November 2019 \|accessdate=23 July 2020}}</ref> the framework is likely to be further embraced in some form worldwide.

	It should be noted, however, that the framework isn't strictly intended to be a standalone framework; rather it's meant to be customized and used in conjunction with the control, program, and risk frameworks it's based upon.<ref name="MorganHowToUse18" /> At its core, the NIST Cybersecurity Framework promotes the functions of identification, protection, detection, response, and recovery. Aligned with those functions are nearly 300 controls pulled from the referenced frameworks, reinforcing the related concepts of security control development, project management, and risk management being rooted into the framework.<ref name="MorganHowToUse18" />

	~~==References==~~
	~~{{Reflist\|colwidth=30em}}~~

Shawndouglas: Updated citations

2020-07-23T16:57:03Z

Updated citations

Shawndouglas: Grammar tweaks

2020-05-28T17:37:57Z

Grammar tweaks

Shawndouglas: /* NIST Cybersecurity Framework */

2019-12-20T19:07:29Z

NIST Cybersecurity Framework

← Older revision		Revision as of 19:07, 20 December 2019
Line 8:		Line 8:
	This guide leans heavily on SP 800-53 despite its mild complexity and due to its thoroughness, keeping in mind ways to present cybersecurity planning from a more neutral, non-governmental organization approach. In fact, at the end of this guide, in Appendix 1, you'll find a somewhat simplified version of mostly "low" baseline controls and control enhancements, with a few select "moderate" and "high" mixed in. However, despite best efforts, some of the wording of those controls—particularly those that directly address networking issues—couldn't be simplified, and the overall collection of controls may still prove daunting to individuals not well versed in the technical language of cybersecurity. In that case, the NIST Cybersecurity Framework may prove a more comfortable framework to work with.		This guide leans heavily on SP 800-53 despite its mild complexity and due to its thoroughness, keeping in mind ways to present cybersecurity planning from a more neutral, non-governmental organization approach. In fact, at the end of this guide, in Appendix 1, you'll find a somewhat simplified version of mostly "low" baseline controls and control enhancements, with a few select "moderate" and "high" mixed in. However, despite best efforts, some of the wording of those controls—particularly those that directly address networking issues—couldn't be simplified, and the overall collection of controls may still prove daunting to individuals not well versed in the technical language of cybersecurity. In that case, the NIST Cybersecurity Framework may prove a more comfortable framework to work with.

	===NIST Cybersecurity Framework===		===4.1 NIST Cybersecurity Framework===
	The NIST Cybersecurity Framework is the resulting cybersecurity guidance that came out of 2013's U.S. ''Executive Order 13636: Improving Critical Infrastructure Cybersecurity''.<ref name="HSFactSheet13">{{cite web \|url=https://www.dhs.gov/publication/eo-13636-ppd-21-fact-sheet \|title=Fact Sheet: Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21 Critical Infrastructure Security and Resilience \|publisher=U.S. Deapartment of Homeland Security \|date=March 2013 \|accessdate=19 December 2019}}</ref> Building off the frameworks of NIST Special Publication 800-53, Revision 4; COBIT 5; and the ISO 27000 series of standards; the NIST Cybersecurity Framework attempts to be a more high-level, concise, and voluntary framework for those without a rich technical background to better implement cybersecurity measures within their organization.<ref name="Chang-GuNIST15">{{cite web \|url=https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53 \|title=NIST Cybersecurity Framework vs. NIST Special Publication 800-53 \|author=Chang-Gu, A. \|work=Praetorian Security Blog \|publisher=Praetorian Security, Inc \|date=02 March 2015 \|accessdate=19 December 2019}}</ref><ref name="MorganHowToUse18">{{cite web \|url=https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework \|title=How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett \|author=Morgan, J. \|work=Security \|publisher=BNP Media \|date=04 April 2018 \|accessdate=19 December 2019}}</ref>		The NIST Cybersecurity Framework is the resulting cybersecurity guidance that came out of 2013's U.S. ''Executive Order 13636: Improving Critical Infrastructure Cybersecurity''.<ref name="HSFactSheet13">{{cite web \|url=https://www.dhs.gov/publication/eo-13636-ppd-21-fact-sheet \|title=Fact Sheet: Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21 Critical Infrastructure Security and Resilience \|publisher=U.S. Deapartment of Homeland Security \|date=March 2013 \|accessdate=19 December 2019}}</ref> Building off the frameworks of NIST Special Publication 800-53, Revision 4; COBIT 5; and the ISO 27000 series of standards; the NIST Cybersecurity Framework attempts to be a more high-level, concise, and voluntary framework for those without a rich technical background to better implement cybersecurity measures within their organization.<ref name="Chang-GuNIST15">{{cite web \|url=https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53 \|title=NIST Cybersecurity Framework vs. NIST Special Publication 800-53 \|author=Chang-Gu, A. \|work=Praetorian Security Blog \|publisher=Praetorian Security, Inc \|date=02 March 2015 \|accessdate=19 December 2019}}</ref><ref name="MorganHowToUse18">{{cite web \|url=https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework \|title=How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett \|author=Morgan, J. \|work=Security \|publisher=BNP Media \|date=04 April 2018 \|accessdate=19 December 2019}}</ref>

Shawndouglas at 18:37, 20 December 2019

2019-12-20T18:37:58Z

← Older revision		Revision as of 18:37, 20 December 2019
Line 20:		Line 20:

	It should be noted, however, that the framework isn't strictly intended to be a standalone framework; rather it's meant to be customized and used in conjunction with the control, program, and risk frameworks it's based upon.<ref name="MorganHowToUse18" /> At its core, the NIST Cybersecurity Framework promotes the functions of identification, protection, detection, response, and recovery. Aligned with those functions are nearly 300 controls pulled from the referenced frameworks, reinforcing the related concepts of security control development, project management, and risk management being rooted into the framework.<ref name="MorganHowToUse18" />		It should be noted, however, that the framework isn't strictly intended to be a standalone framework; rather it's meant to be customized and used in conjunction with the control, program, and risk frameworks it's based upon.<ref name="MorganHowToUse18" /> At its core, the NIST Cybersecurity Framework promotes the functions of identification, protection, detection, response, and recovery. Aligned with those functions are nearly 300 controls pulled from the referenced frameworks, reinforcing the related concepts of security control development, project management, and risk management being rooted into the framework.<ref name="MorganHowToUse18" />

			==References==
			{{Reflist\|colwidth=30em}}

Shawndouglas: Created page with "==4. NIST Special Publication 800-53, Revision 4 and the NIST Cybersecurity Framework== File:National Cybersecurity Center of Excellence MOU Signing (7024892089).jpg|right|4..."

2019-12-20T18:37:31Z

Created page with "==4. NIST Special Publication 800-53, Revision 4 and the NIST Cybersecurity Framework== File:National Cybersecurity Center of Excellence MOU Signing (7024892089).jpg|right|4..."

New page

==4. NIST Special Publication 800-53, Revision 4 and the NIST Cybersecurity Framework==
[[File:National Cybersecurity Center of Excellence MOU Signing (7024892089).jpg|right|450px]]Originally released in 2005, NIST's [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final Special Publication 800-53, Revision 4]: ''Security and Privacy Controls for Federal Information Systems and Organizations'' has since gone through four revisions, with a fifth delayed but in the works.<ref name="MillerOMB19">{{cite web |url=https://federalnewsnetwork.com/reporters-notebook-jason-miller/2019/09/ombs-regulatory-review-is-creating-a-backlog-of-cyber-standards/ |title=OMB’s regulatory review is creating a backlog of cyber standards |author=Miller, J. |work=Federal News Network - Reporter's Notebook |publisher=Hubbard Radio Washington DC, LLC |date=03 September 2019 |accessdate=19 December 2019}}</ref> The SP 800-53 cybersecurity standards framework is largely a control framework that "provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations ... from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional)."<ref name=NISTSP800-53_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final |title=NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=22 January 2015 |accessdate=19 December 2019}}</ref>

The security controls—which act as recommended safeguards or countermeasures to protecting the integrity and availability of the information system, as well as the privacy and retention of the system's information—are classified by the complexity of and risks associated with the information system, using classifications of "low," "moderate," and "high." Though controls can be applied from just one classification, organizations and agencies are free to select additional controls from other categories and tailor them to their needs and goals. The controls are also split out into 17 different families, and those families can have both baseline controls and control enhancements. The baseline controls are what they sound like: the core controls to be implemented as part of the security family's goal. For example, the first family ''Access control'' has a baseline control "AC-2 Account management," which recommends the organization develop a series of account management steps for its information systems. Additionally, "AC-2 Account management" has control enhancements, which can be selectively chosen to bolt on additional requirements to the base control. "AC-2 (3) Account management: Disable inactive accounts" is a control enhancement that further stipulates the system be able to automatically disable an inactive account after a designated period of time.

You'll notice that SP 800-53 is designed with federal information systems in mind. However, the framework still holds applicable to organizations who aren't affiliated with a federal agency or organization, though with some modification. With some consideration in that regard, NIST also developed [https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final NIST Special Publication 800-171, Revision 1]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations'', which is a somewhat simplified version of SP 800-53 with mappings to both NIST SP 800-53 controls and ISO/IEC 27001:2013 controls.

This guide leans heavily on SP 800-53 despite its mild complexity and due to its thoroughness, keeping in mind ways to present cybersecurity planning from a more neutral, non-governmental organization approach. In fact, at the end of this guide, in Appendix 1, you'll find a somewhat simplified version of mostly "low" baseline controls and control enhancements, with a few select "moderate" and "high" mixed in. However, despite best efforts, some of the wording of those controls—particularly those that directly address networking issues—couldn't be simplified, and the overall collection of controls may still prove daunting to individuals not well versed in the technical language of cybersecurity. In that case, the NIST Cybersecurity Framework may prove a more comfortable framework to work with.

===NIST Cybersecurity Framework===
The NIST Cybersecurity Framework is the resulting cybersecurity guidance that came out of 2013's U.S. ''Executive Order 13636: Improving Critical Infrastructure Cybersecurity''.<ref name="HSFactSheet13">{{cite web |url=https://www.dhs.gov/publication/eo-13636-ppd-21-fact-sheet |title=Fact Sheet: Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21 Critical Infrastructure Security and Resilience |publisher=U.S. Deapartment of Homeland Security |date=March 2013 |accessdate=19 December 2019}}</ref> Building off the frameworks of NIST Special Publication 800-53, Revision 4; COBIT 5; and the ISO 27000 series of standards; the NIST Cybersecurity Framework attempts to be a more high-level, concise, and voluntary framework for those without a rich technical background to better implement cybersecurity measures within their organization.<ref name="Chang-GuNIST15">{{cite web |url=https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53 |title=NIST Cybersecurity Framework vs. NIST Special Publication 800-53 |author=Chang-Gu, A. |work=Praetorian Security Blog |publisher=Praetorian Security, Inc |date=02 March 2015 |accessdate=19 December 2019}}</ref><ref name="MorganHowToUse18">{{cite web |url=https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework |title=How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett |author=Morgan, J. |work=Security |publisher=BNP Media |date=04 April 2018 |accessdate=19 December 2019}}</ref>

Version 1.0 of the framework was introduced in 2014, and by 2016<ref name="DarkNIST16">{{cite web |url=https://www.darkreading.com/attacks-breaches/nist-cybersecurity-framework-adoption-hampered-by-costs-survey-finds/d/d-id/1324901 |title=NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds |author=Dark Reading Staff |work=Dark Reading - Attacks/Breaches |publisher=Informa PLC Informa UK Limited |date=30 March 2016 |accessdate=19 December 2019}}</ref>:

* Seventy percent of organizations viewed the framework as "a security best practice," though fifty percent noted its required high level of investment as problematic to adoption.
* Sixty-four percent of organizations chose to use only part of the framework "due to cost and lack of regulatory pressures."
* Eighty-three percent of organizations that said they would be adopting the framework in 2017 also indicated they would only use part of the framework.

However, organizations are slowly changing their view from more moment-in-time approaches to cybersecurity, to more long-term and continual conformance and improvement.<ref name="DarkNIST16" /><ref name="BizTechWhyARisk17">{{cite web |url=https://biztechmagazine.com/article/2017/12/why-risk-based-approach-leads-effective-cybersecurity |title=Why a Risk-Based Approach Leads to Effective Cybersecurity |author=BizTech Staff |work=BizTech |publisher=CDW LLC |date=20 December 2017 |accessdate=19 December 2019}}</ref><ref name="DanielSmarter18">{{cite web |url=https://www.cyberthreatalliance.org/smarter-way-think-cybersecurity-change-mindset-even-odds/ |title=Smarter Cybersecurity Thinking: Change Your Mindset to Even the Odds |author=Daniel, M. |work=Cyber Threat Alliance Blog |date=25 January 2018 |accessdate=19 December 2019}}</ref> Version 1.1 of the NIST Cybersecurity Framework was introduced in April 2018, updating guidance on authentication and identity procedures, self-assessment of cybersecurity risk, and vulnerability disclosure.<ref name=NISTReleases18">{{cite web |url=https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework |title=NIST Releases Version 1.1 of its Popular Cybersecurity Framework |publisher=National Institute of Standards and Technology |date=16 April 2018 |accessdate=19 December 2019}}</ref> Since the framework is already based upon NIST SP 800-53 and other solid frameworks, and it's developed "to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders,"<ref name="NISTNewTo19">{{cite web |url=https://www.nist.gov/cyberframework/new-framework |title=New to Framework |work=Cybersecurity Framework |publisher=National Institute of Standards and Technology |date=18 November 2019 |accessdate=19 December 2019}}</ref> the framework is likely to be further embraced in some form worldwide.

It should be noted, however, that the framework isn't strictly intended to be a standalone framework; rather it's meant to be customized and used in conjunction with the control, program, and risk frameworks it's based upon.<ref name="MorganHowToUse18" /> At its core, the NIST Cybersecurity Framework promotes the functions of identification, protection, detection, response, and recovery. Aligned with those functions are nearly 300 controls pulled from the referenced frameworks, reinforcing the related concepts of security control development, project management, and risk management being rooted into the framework.<ref name="MorganHowToUse18" />

← Older revision		Revision as of 17:37, 28 May 2020
Line 1:		Line 1:
	==4. NIST Special Publication 800-53, Revision 4 and the NIST Cybersecurity Framework==		==4. NIST Special Publication 800-53, Revision 4 and the NIST Cybersecurity Framework==
	[[File:National Cybersecurity Center of Excellence MOU Signing (7024892089).jpg\|right\|450px]]Originally released in 2005, NIST's [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final Special Publication 800-53, Revision 4]: ''Security and Privacy Controls for Federal Information Systems and Organizations'' has since gone through four revisions, with a fifth delayed ~~but in the works.~~<ref name="MillerOMB19">{{cite web \|url=https://federalnewsnetwork.com/reporters-notebook-jason-miller/2019/09/ombs-regulatory-review-is-creating-a-backlog-of-cyber-standards/ \|title=OMB’s regulatory review is creating a backlog of cyber standards \|author=Miller, J. \|work=Federal News Network - Reporter's Notebook \|publisher=Hubbard Radio Washington DC, LLC \|date=03 September 2019 \|accessdate=19 December 2019}}</ref> The SP 800-53 cybersecurity standards framework is largely a control framework that "provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations ... from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional)."<ref name=NISTSP800-53_18">{{cite web \|url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final \|title=NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations \|work=Computer Security Resource Center \|publisher=National Institute of Standards and Technology \|date=22 January 2015 \|accessdate=19 December 2019}}</ref>		[[File:National Cybersecurity Center of Excellence MOU Signing (7024892089).jpg\|right\|450px]]Originally released in 2005, NIST's [https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final Special Publication 800-53, Revision 4]: ''Security and Privacy Controls for Federal Information Systems and Organizations'' has since gone through four revisions, with a fifth delayed<ref name="MillerOMB19">{{cite web \|url=https://federalnewsnetwork.com/reporters-notebook-jason-miller/2019/09/ombs-regulatory-review-is-creating-a-backlog-of-cyber-standards/ \|title=OMB’s regulatory review is creating a backlog of cyber standards \|author=Miller, J. \|work=Federal News Network - Reporter's Notebook \|publisher=Hubbard Radio Washington DC, LLC \|date=03 September 2019 \|accessdate=19 December 2019}}</ref> but in the works.<ref name="NISTSecandPrivRev5Draft20">{{cite web \|url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft \|title=Security and Privacy Controls for Information Systems and Organizations (Final Public Draft) \|work=Computer Secutiry Resource Center \|author=National Institute of Standards and Technology \|date=28 April 2020 \|accessdate=28 May 2020}}</ref> The SP 800-53 cybersecurity standards framework is largely a control framework that "provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations ... from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional)."<ref name=NISTSP800-53_18">{{cite web \|url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final \|title=NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations \|work=Computer Security Resource Center \|publisher=National Institute of Standards and Technology \|date=22 January 2015 \|accessdate=19 December 2019}}</ref>

	The security controls—which act as recommended safeguards or countermeasures to protecting the integrity and availability of the information system, as well as the privacy and retention of the system's information—are classified by the complexity of and risks associated with the information system, using classifications of "low," "moderate," and "high." Though controls can be applied from just one classification, organizations and agencies are free to select additional controls from other categories and tailor them to their needs and goals. The controls are ~~also split out~~ into 17 different families, and those families can have both baseline controls and control enhancements. The baseline controls are what they sound like: the core controls to be implemented as part of the security family's goal. For example, the first family ''Access control'' has a baseline control "AC-2 Account management," which recommends the organization develop a series of account management steps for its information systems. Additionally, "AC-2 Account management" has control enhancements, which can be selectively chosen to bolt on additional requirements to the base control. "AC-2 (3) Account management: Disable inactive accounts" is a control enhancement that further stipulates the system be able to automatically disable an inactive account after a designated period of time.		The security controls—which act as recommended safeguards or countermeasures to protecting the integrity and availability of the information system, as well as the privacy and retention of the system's information—are classified by the complexity of and risks associated with the information system, using classifications of "low," "moderate," and "high." Though controls can be applied from just one classification, organizations and agencies are free to select additional controls from other categories and tailor them to their needs and goals.

			The controls are organized into 17 different families, and those families can have both baseline controls and control enhancements. The baseline controls are what they sound like: the core controls to be implemented as part of the security family's goal. For example, the first family ''Access control'' has a baseline control "AC-2 Account management," which recommends the organization develop a series of account management steps for its information systems. Additionally, "AC-2 Account management" has control enhancements, which can be selectively chosen to bolt on additional requirements to the base control. "AC-2 (3) Account management: Disable inactive accounts" is a control enhancement that further stipulates the system be able to automatically disable an inactive account after a designated period of time.

	You'll notice that SP 800-53 is designed with federal information systems in mind. However, the framework still holds applicable to organizations who aren't affiliated with a federal agency or organization, though with some modification. With some consideration in that regard, NIST also developed [https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final NIST Special Publication 800-171, Revision 1]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations'', which is a somewhat simplified version of SP 800-53 with mappings to both NIST SP 800-53 controls and ISO/IEC 27001:2013 controls.		You'll notice that SP 800-53 is designed with federal information systems in mind. However, the framework still holds applicable to organizations who aren't affiliated with a federal agency or organization, though with some modification. With some consideration in that regard, NIST also developed [https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final NIST Special Publication 800-171, Revision 1]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations'', which is a somewhat simplified version of SP 800-53 with mappings to both NIST SP 800-53 controls and ISO/IEC 27001:2013 controls.
Line 9:		Line 11:

	===4.1 NIST Cybersecurity Framework===		===4.1 NIST Cybersecurity Framework===
	The NIST Cybersecurity Framework is the resulting cybersecurity guidance that came out of 2013's U.S. ''Executive Order 13636: Improving Critical Infrastructure Cybersecurity''.<ref name="HSFactSheet13">{{cite web \|url=https://www.dhs.gov/publication/eo-13636-ppd-21-fact-sheet \|title=Fact Sheet: Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21 Critical Infrastructure Security and Resilience \|publisher=U.S. Deapartment of Homeland Security \|date=March 2013 \|accessdate=19 December 2019}}</ref> Building off the frameworks of NIST Special Publication 800-53, Revision 4; COBIT 5; and the ISO 27000 series of standards; the NIST Cybersecurity Framework attempts to be a more high-level, concise, and voluntary framework for those without a rich technical background to better implement cybersecurity measures within their organization.<ref name="Chang-GuNIST15">{{cite web \|url=https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53 \|title=NIST Cybersecurity Framework vs. NIST Special Publication 800-53 \|author=Chang-Gu, A. \|work=Praetorian Security Blog \|publisher=Praetorian Security, Inc \|date=02 March 2015 \|accessdate=19 December 2019}}</ref><ref name="MorganHowToUse18">{{cite web \|url=https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework \|title=How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett \|author=Morgan, J. \|work=Security \|publisher=BNP Media \|date=04 April 2018 \|accessdate=19 December 2019}}</ref>		The NIST Cybersecurity Framework is the resulting cybersecurity guidance that came out of 2013's U.S. ''Executive Order 13636: Improving Critical Infrastructure Cybersecurity''.<ref name="HSFactSheet13">{{cite web \|url=https://www.dhs.gov/publication/eo-13636-ppd-21-fact-sheet \|title=Fact Sheet: Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21 Critical Infrastructure Security and Resilience \|publisher=U.S. Deapartment of Homeland Security \|date=March 2013 \|accessdate=19 December 2019}}</ref> Building off the frameworks of NIST Special Publication 800-53 (Revision 4), COBIT 5, and the ISO 27000 series of standards, the NIST Cybersecurity Framework attempts to be a more high-level, concise, and voluntary framework for those without a rich technical background to better implement cybersecurity measures within their organization.<ref name="Chang-GuNIST15">{{cite web \|url=https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53 \|title=NIST Cybersecurity Framework vs. NIST Special Publication 800-53 \|author=Chang-Gu, A. \|work=Praetorian Security Blog \|publisher=Praetorian Security, Inc \|date=02 March 2015 \|accessdate=19 December 2019}}</ref><ref name="MorganHowToUse18">{{cite web \|url=https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework \|title=How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett \|author=Morgan, J. \|work=Security \|publisher=BNP Media \|date=04 April 2018 \|accessdate=19 December 2019}}</ref>

	Version 1.0 of the framework was introduced in 2014, and by 2016<ref name="DarkNIST16">{{cite web \|url=https://www.darkreading.com/attacks-breaches/nist-cybersecurity-framework-adoption-hampered-by-costs-survey-finds/d/d-id/1324901 \|title=NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds \|author=Dark Reading Staff \|work=Dark Reading - Attacks/Breaches \|publisher=Informa PLC Informa UK Limited \|date=30 March 2016 \|accessdate=19 December 2019}}</ref>:		Version 1.0 of the framework was introduced in 2014, and by 2016<ref name="DarkNIST16">{{cite web \|url=https://www.darkreading.com/attacks-breaches/nist-cybersecurity-framework-adoption-hampered-by-costs-survey-finds/d/d-id/1324901 \|title=NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds \|author=Dark Reading Staff \|work=Dark Reading - Attacks/Breaches \|publisher=Informa PLC Informa UK Limited \|date=30 March 2016 \|accessdate=19 December 2019}}</ref>:
Line 17:		Line 19:
	* Eighty-three percent of organizations that said they would be adopting the framework in 2017 also indicated they would only use part of the framework.		* Eighty-three percent of organizations that said they would be adopting the framework in 2017 also indicated they would only use part of the framework.

	However, organizations are slowly changing their view from more moment-in-time approaches to cybersecurity, to more long-term and continual conformance and improvement.<ref name="DarkNIST16" /><ref name="BizTechWhyARisk17">{{cite web \|url=https://biztechmagazine.com/article/2017/12/why-risk-based-approach-leads-effective-cybersecurity \|title=Why a Risk-Based Approach Leads to Effective Cybersecurity \|author=BizTech Staff \|work=BizTech \|publisher=CDW LLC \|date=20 December 2017 \|accessdate=19 December 2019}}</ref><ref name="DanielSmarter18">{{cite web \|url=https://www.cyberthreatalliance.org/smarter-way-think-cybersecurity-change-mindset-even-odds/ \|title=Smarter Cybersecurity Thinking: Change Your Mindset to Even the Odds \|author=Daniel, M. \|work=Cyber Threat Alliance Blog \|date=25 January 2018 \|accessdate=19 December 2019}}</ref> Version 1.1 of the NIST Cybersecurity Framework was introduced in April 2018, updating guidance on authentication and identity procedures, self-assessment of cybersecurity risk, and vulnerability disclosure.<ref name=NISTReleases18">{{cite web \|url=https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework \|title=NIST Releases Version 1.1 of its Popular Cybersecurity Framework \|publisher=National Institute of Standards and Technology \|date=16 April 2018 \|accessdate=19 December 2019}}</ref> Since the framework is already based upon NIST SP 800-53 and other solid frameworks, and it's developed "to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders,"<ref name="NISTNewTo19">{{cite web \|url=https://www.nist.gov/cyberframework/new-framework \|title=New to Framework \|work=Cybersecurity Framework \|publisher=National Institute of Standards and Technology \|date=18 November 2019 \|accessdate=19 December 2019}}</ref> the framework is likely to be further embraced in some form worldwide.		However, organizations are slowly changing their view from more moment-in-time approaches to cybersecurity, to more long-term and continual conformance and improvement approaches.<ref name="DarkNIST16" /><ref name="BizTechWhyARisk17">{{cite web \|url=https://biztechmagazine.com/article/2017/12/why-risk-based-approach-leads-effective-cybersecurity \|title=Why a Risk-Based Approach Leads to Effective Cybersecurity \|author=BizTech Staff \|work=BizTech \|publisher=CDW LLC \|date=20 December 2017 \|accessdate=19 December 2019}}</ref><ref name="DanielSmarter18">{{cite web \|url=https://www.cyberthreatalliance.org/smarter-way-think-cybersecurity-change-mindset-even-odds/ \|title=Smarter Cybersecurity Thinking: Change Your Mindset to Even the Odds \|author=Daniel, M. \|work=Cyber Threat Alliance Blog \|date=25 January 2018 \|accessdate=19 December 2019}}</ref> Version 1.1 of the NIST Cybersecurity Framework was introduced in April 2018, updating guidance on authentication and identity procedures, self-assessment of cybersecurity risk, and vulnerability disclosure.<ref name=NISTReleases18">{{cite web \|url=https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework \|title=NIST Releases Version 1.1 of its Popular Cybersecurity Framework \|publisher=National Institute of Standards and Technology \|date=16 April 2018 \|accessdate=19 December 2019}}</ref> Since the framework is already based upon NIST SP 800-53 and other solid frameworks, and it's developed "to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders,"<ref name="NISTNewTo19">{{cite web \|url=https://www.nist.gov/cyberframework/new-framework \|title=New to Framework \|work=Cybersecurity Framework \|publisher=National Institute of Standards and Technology \|date=18 November 2019 \|accessdate=19 December 2019}}</ref> the framework is likely to be further embraced in some form worldwide.

	It should be noted, however, that the framework isn't strictly intended to be a standalone framework; rather it's meant to be customized and used in conjunction with the control, program, and risk frameworks it's based upon.<ref name="MorganHowToUse18" /> At its core, the NIST Cybersecurity Framework promotes the functions of identification, protection, detection, response, and recovery. Aligned with those functions are nearly 300 controls pulled from the referenced frameworks, reinforcing the related concepts of security control development, project management, and risk management being rooted into the framework.<ref name="MorganHowToUse18" />		It should be noted, however, that the framework isn't strictly intended to be a standalone framework; rather it's meant to be customized and used in conjunction with the control, program, and risk frameworks it's based upon.<ref name="MorganHowToUse18" /> At its core, the NIST Cybersecurity Framework promotes the functions of identification, protection, detection, response, and recovery. Aligned with those functions are nearly 300 controls pulled from the referenced frameworks, reinforcing the related concepts of security control development, project management, and risk management being rooted into the framework.<ref name="MorganHowToUse18" />