
NIST Cybersecurity Framework v2 Mapping to Cybersecurity Science Core Themes

As a seasoned cybersecurity scientist with extensive experience across various analytical, auditing, and investigative roles, I bring a unique lens to the NIST Cybersecurity Framework Version 2.0 (CSF 2.0). While the traditional application of the CSF often leans towards mapping its categories to security controls, this article intends to pivot from the usual engineering-focused interpretations. Here, we delve into the CSF 2.0 with an eye on the seven interrelated core themes of cybersecurity science: 

  1. Risk: The identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events.
  2. Attack Analysis: The study and investigation of attack methods and pathways, focusing on understanding and anticipating attacker behavior and methodologies.
  3. Measurable Security: Establishing quantifiable metrics and benchmarks to evaluate the effectiveness of security measures and controls.
  4. Agility: The ability to rapidly adapt and respond to new threats, changing requirements, and evolving technological landscapes.
  5. Human Factors: Recognizing and accounting for the human element in cybersecurity, including user behavior, education, and the interface between humans and systems.
  6. Common Language: Developing and using a standardized set of terms and concepts that enable clear communication and understanding among diverse stakeholders in the cybersecurity field.
  7. Core Principles: Fundamental doctrines and guidelines that form the foundation of effective cybersecurity practices and policies.

This analysis aims to unfold the framework from a cybersecurity science standpoint, highlighting its applicability and relevance to analysts, auditors, investigators, and other key cybersecurity science roles. By doing so, we endeavor to offer insights that resonate more with the day-to-day realities and strategic nuances of cybersecurity science professionals.

The NIST CSF 2.0 is structured into several functions, each containing specific categories and subcategories. Each subcategory within these functions can be related to the seven core themes of cybersecurity science (Risk, Attack Analysis, Measurable Security, Agility, Human Factors, Common Language, and Core Principles). Here's an overview based on the content of the CSF 2.0:

GOVERN (GV)

Organizational Context (GV.OC) - The circumstances — mission, stakeholder expectations, and legal, regulatory, and contractual requirements — surrounding the organization’s cybersecurity risk management decisions are understood

  • Subcategories: GV.OC-01 to GV.OC-05
  • Relevance: Addresses Risk and Human Factors by understanding the organizational mission and stakeholder expectations, and by managing legal, regulatory, and contractual requirements.

Risk Management Strategy (GV.RM) - The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions

  • Subcategories: GV.RM-01 to GV.RM-07
  • Relevance: Focuses on Risk, Measurable Security, and Core Principles through establishing risk management objectives, determining risk appetite, and integrating cybersecurity risk into enterprise risk management processes.

Cybersecurity Supply Chain Risk Management (GV.SC) - Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders

  • Subcategories: GV.SC-01 to GV.SC-10
  • Relevance: Linked to Risk, Common Language, and Core Principles by establishing a supply chain risk management program, and integrating supply chain security practices into cybersecurity risk management.

Roles, Responsibilities, and Authorities (GV.RR) - Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated

  • Subcategories: GV.RR-01 to GV.RR-04
  • Relevance: Addresses Human Factors and Core Principles by establishing accountability for cybersecurity risks and integrating cybersecurity into human resources practices.

Policies, Processes, and Procedures (GV.PO) - Organizational cybersecurity policies, processes, and procedures are established, communicated, and enforced

  • Subcategories: GV.PO-01 to GV.PO-02
  • Relevance: Relates to Common Language and Core Principles by establishing, communicating, reviewing, and updating policies for managing cybersecurity risks.

Oversight (GV.OV) - Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy

  • Subcategories: GV.OV-01 to GV.OV-03
  • Relevance: Tied to Measurable Security and Core Principles by using risk management outcomes to inform and adjust the strategy.


IDENTIFY (ID)

Asset Management (ID.AM) - Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy

  • Subcategories: ID.AM-01 to ID.AM-08
  • Relevance: Pertains to Risk and Measurable Security through the maintenance of inventories of hardware, software, and data, and managing these assets throughout their lifecycle.

Risk Assessment (ID.RA) - The organization understands the cybersecurity risk to the organization, assets, and individuals.

  • Subcategories: ID.RA-01 to ID.RA-09
  • Relevance: Focuses on Risk, Attack Analysis, and Measurable Security by identifying vulnerabilities, receiving cyber threat intelligence, and determining the impact and likelihood of threats.

Improvement (ID.IM) - Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all Framework Functions

  • Subcategories: ID.IM-01 to ID.IM-04
  • Relevance: Linked to Agility and Core Principles through continuous evaluation and identification of improvements in cybersecurity risk management processes.


PROTECT (PR)

Identity Management, Authentication, and Access Control (PR.AA) - Access to physical and logical assets is limited to authorized users, services, and hardware, and is managed commensurate with the assessed risk of unauthorized access 

  • Subcategories: PR.AA-01 to PR.AA-06
  • Relevance: Addresses Measurable Security, Human Factors, and Core Principles by managing identities, credentials, and physical access to assets.

Awareness and Training (PR.AT) - The organization’s personnel are provided cybersecurity awareness and training so they can perform their cybersecurity-related tasks

  • Subcategories: PR.AT-01 to PR.AT-02
  • Relevance: Tied to Human Factors by providing cybersecurity awareness and training to personnel and specialized roles.

Data Security (PR.DS) - Data is managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information

  • Subcategories: PR.DS-01 to PR.DS-11
  • Relevance: Relates to Measurable Security and Core Principles through protecting the confidentiality, integrity, and availability of data in various states (at-rest, in-transit, in-use) and managing data throughout its lifecycle.

Platform Security (PR.PS) - The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability 

  • Subcategories: PR.PS-01 to PR.PS-06
  • Relevance: Focuses on Measurable Security and Core Principles by applying configuration management practices, maintaining software and hardware, and integrating secure software development practices.

Technology Infrastructure Resilience (PR.IR) - Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience

  • Subcategories: PR.IR-01 to PR.IR-04
  • Relevance: Addresses Measurable Security and Core Principles by protecting networks, ensuring technology asset resilience, and maintaining resource capacity for availability.

DETECT (DE)

Continuous Monitoring (DE.CM) - Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events

  • Subcategories: DE.CM-01 to DE.CM-09
  • Relevance: Primarily related to Attack Analysis and Measurable Security by monitoring networks, the physical environment, and computing environments to find potentially adverse events.

Adverse Event Analysis (DE.AE) - Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents

  • Subcategories: DE.AE-02 to DE.AE-08
  • Relevance: Pertains to Attack Analysis by analyzing adverse events to understand associated activities and determining the impact and scope of events.


RESPOND (RS)

Incident Management (RS.MA) - Responses to detected cybersecurity incidents are managed 

  • Subcategories: RS.MA-01 to RS.MA-05
  • Relevance: Concerns Attack Analysis, Agility, and Human Factors by managing responses to cybersecurity incidents, categorizing and prioritizing incidents, and applying criteria for incident recovery.

Incident Analysis (RS.AN) - Investigation is conducted to ensure effective response and support forensics and recovery activities

  • Subcategories: RS.AN-03, RS.AN-06 to RS.AN-08
  • Relevance: Aligns with Attack Analysis by performing analysis to determine the root cause of an incident and preserving incident data integrity.

Incident Response Reporting and Communication (RS.CO) - Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies

  • Subcategories: RS.CO-02 to RS.CO-03
  • Relevance: Tied to Human Factors and Common Language by notifying stakeholders of incidents and sharing information with internal and external stakeholders.

Incident Mitigation (RS.MI) - Activities are performed to prevent expansion of an event and mitigate its effects

  • Subcategories: RS.MI-01 to RS.MI-02
  • Relevance: Linked to Agility and Attack Analysis by containing and eradicating incidents.


RECOVER (RC)

Incident Recovery Plan Execution (RC.RP) - Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents

  • Subcategories: RC.RP-01 to RC.RP-06
  • Relevance: Related to Risk, Agility, and Core Principles by executing recovery plans, prioritizing recovery actions, and confirming the restoration of normal operations.

Incident Recovery Communication (RC.CO) - Restoration activities are coordinated with internal and external parties

  • Subcategories: RC.CO-04
  • Relevance: Pertains to Human Factors and Common Language by communicating recovery activities and progress to internal and external stakeholders.

The exploration of NIST CSF v2.0 through the prism of cybersecurity science roles has unveiled a multifaceted and nuanced understanding of the framework. Each subcategory, when examined against the backdrop of the seven core themes of cybersecurity science, demonstrates its intrinsic value beyond the typical security control mappings. This analysis bridges the gap between the theoretical underpinnings of the framework and its practical applications in the daily functions of cybersecurity scientists. It underscores how the CSF 2.0 is not merely a set of guidelines for security engineering but a dynamic and robust tool for risk analysts, threat intelligence analysts, incident responders, forensic investigators, and other cybersecurity science roles. By recontextualizing the NIST CSF v2.0 in this light, we reaffirm its significance as a comprehensive, versatile, and indispensable resource in the ever-challenging and evolving landscape of cybersecurity science.
