DON’T REINVENT THE WHEEL: PHIL AGCAOLI ON THE CYBER SECURITY FRAMEWORK
The government shutdown has delayed efforts by the National Institute of Standards and Technology (NIST) to put forth their draft of the Federal Cybersecurity Framework (CSF), having missed the October release deadline and potentially threatening the February 2014 final document deadline mandated by President Obama’s cyber security executive order issued earlier this year.
But NIST’s delays as a result of political wrangling has not stopped one key player from pushing forward with his own proposal on how to structure the framework in a simplified manner that takes advantage of already existing standards like NIST SP800-53, ISO 27001, CCS CSC, NERC CIP, ISA 99 and COBIT, among others.
Phil Agcaoli ( @Hacksec, aka PhilA) a venerated security industry leader who published his proposal on Oct. 10 to coincide with the deadline NIST missed. The full document can be downloaded here (Excel File).
Agcaoili’s Framework proposal reflects that fact that most critical infrastructure entities are already adhering to a number of valid security standards, and that the guidelines should not be so complicated that it turns into a process of essentially “reinventing the wheel.”
Agcaoili, who helped shape the direction of cloud computing as a founding member of the Cloud Security Alliance (CSA) and inventor/co-author of the Cloud Controls Matrix (CCM), has applied the same cross-standard mapping strategy previously used by the CSA, creating a Framework proposal which draws on the existing standards to create a cohesive set of guidelines that most of the affected entities already are familiar with.
The work is based on the Preliminary Draft of the Cybersecurity Framework (CSF) that NIST released prior to the recent workshop held in Dallas, where scores of subject matter experts gathered to offer input on the Framework’s makeup, one of four such workshops held to date.
“It is a compilation of the suggestions that I’ve heard from the San Diego workshop, the Dallas workshop and via the Internet since the Five Functions were established. My hope in releasing it was to continue the momentum generated by the deadlines of the Executive Order and the Presidential Policy Directive (PPD-21), to continue public discourse on the CSF, and with the hope to influence NIST, DHS, and the White House teams responsible for EO/PPD implementation,” Agcaoili said.
Agcaoili began writing the proposal at the workshop in San Diego in response to NIST’s request for participants to fill in the Category and Sub-category columns during the open sessions.
“I’ve done this before and instantly recognized the pattern that existed with many of the security standards, and thought that the Cloud Security Alliance Cloud Controls Matrix (CCM) could assist in this exercise since it’s an open source security controls framework that already cross mapped fourteen other popular security standards,” Agcaoili explained.
He drew on resources from several teams which activated to support his version of the framework, including global security standards bodies, risk management experts, and evidence teams that are able to dissect which controls are apt to fail most often.
“I submitted the proposal for review, assistance, and feedback as an individual security practitioner committed to this industry and not as an employee of a telecom, a member of the cable industry, nor as a member of the communications sector,” Agcaoili said. “As an aside, the communications sector reviewed this material and incorporated it into a redline version of the Discussion Preliminary Draft of the Cybersecurity Framework for NIST’s review before the government shutdown.”
What Agcaoili attempted to do first and foremost is not create a new security standard, but instead to unify the fractured security groups in the industry that established the various security standards.
He also sought to use the evidence already available to identify trends in control failures to help narrow down exactly what elements to actually protect first, and then unify the risk management practices to better gauge where the industry is at, and what the next steps should be to help minimize overall risk.
“I wanted to do this without stymieing innovation, increasing the burden of cost, and by helping small-to-large companies elevate their security posture to better ensure cyber security,” Agcaoili said.
Key to Agcaoili’s strategy included addressing the fracturing of security standards in the Information Security industry by harmonizing the various security standards through a controls mapping exercise already done by the CSA, and addressing the fracturing of risk management and security assessment practices in the Information Security industry (assessment/survey, prioritization, and planning) while providing a broad approach to assess adoption and security capability.
“I also attempted to provide a simple approach to assess adoption or at least highlight what’s available that use a 0-5 scale that roughly follows CMMI. I used the current security assessment approach that I’ve been subjected to for the past decade by Big Five consultants, through my cyber liability insurance carriers and underwriters, and used by security assessment companies helping me assess our readiness to achieve ISO 27001 certification, GAPP (for privacy), SOX compliance, etc,” Agcaoili said. “This area is still very nascent, but there are common approaches already being used in our industry.”
AGCAOILI’S TAKE ON THE NIST PRELIMINARY DRAFT
The EO directed the NIST to produce “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” Of most relevance, the framework “shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.”
“It accelerated from just five functions that have appeared in security vendor marketing literature since the mid-90′s to light speed with a compliance regime no different than PCI DSS, having a grading system based on tiers of implementation and “Profiles” that depict target tiers to come,” Agcaoili said.
But the CSF lacks any guidance for enterprises to prioritize their implementation activities.
“In its current form, the CSF will be perceived as overwhelming and the lack of prioritization of 88-121 sub-categories will leave most mid- and small-sized companies, and many larger companies as well, uncertain as to where to direct their limited human and financial capital,” Agcaoili said.
He also says that the current CSF provides no insight into how critical cost-benefit analyses will be integrated into the final Framework. “NIST was tasked with producing a cost-effective framework and these considerations must be embedded into the final CSF,” Agcaoili lamented.
Furthermore, Agcaoili says there is no information to convey what constitutes “adoption” or “implementation” of the Framework, only vague guidance.
“The requirement for the Framework to be flexible would suggest that enterprises have the ability to implement security measures based on an assessment of their current and evolving risk as it relates to cyber security threats and vulnerabilities,” Agcaoili explained. “Besides using an existing company’s risk management approach, this analysis is also part of an enterprises’ overall cost-benefit considerations.”
The CSF also lacks a workable risk assessment methodology that can serve as a guide for companies to assess implementation priorities. Agcaoili believes more mature entities should have the option to use their existing risk management methodology or be provided one with guidance that can be used to evaluate selected components within the Framework using a commonly cited risk management methodology, which would be beneficial for less mature entities.
“The framework instructs organizations to ‘determine desired tiers at the category level,’ but does not offer clear guidance as to what the tier means or the agreed upon industry criteria associated to assess each tier or provide the necessary business rational for such categorization,” Agcaoili said. “NIST should consider morphing aspects of the Tier and Profile concept into a risk assessment guide, which allows for the characteristics of a compliance regime.”
Finally, Agcaoili feels that the Framework should assess privacy from the perspective of how security standards impact user privacy, not from the perspective of setting privacy standards for the industry.
“Appendix B in the draft framework proposes practices and standards in the area of privacy, in particular data protection standards around personally identifiable information (PII), and appears to be totally disconnected from the rest of the document and from Appendix A,” Agcaoili noted.
“While personally identifiable information certainly should be protected, those protections should be encompassed in the broader security practices, not called out as a separate section,” he continued. “Further, there are other efforts underway within government, including at the FTC, to address privacy concerns, so the privacy overlay should be whether or not the proposed cyber security measures create privacy concerns, and how to mitigate those concerns, not to suggest specific privacy protections.”
FRAMEWORK ENHANCEMENT SUGGESTIONS
Having examined the shortcoming in the current Cybersecurity Framework draft, it’s time to see where the rubber meets the road. Agcaoili was kind enough to take some time out of his busy schedule to outline for our readers how his proposal is organized, and where to find key elements in his document.
The First Tab – Getting Started:
Agcaoili said he used the CCS CSC “Action Plan” approach to simplify how organizations can get started using the CSF.
“There were numerous requests in Dallas for a simple implementation guide and 6 steps asking a company to implement and assess the Evidence-based Priority Controls is a great place to start,” he said. “I also include the statement to apply all of the controls, so companies can continue to do more to ensure overall security. This is something echoed in the 2013 DBIR, and in the CSC conclusion and application sections.”
The Second Tab – Framework Core vPA:
This section uses NIST’s five Functions, Categories, and Subcategories from the Dallas workshop, but more simply breaks out the Informative References and uses the Cloud Security Alliance CCM’s controls mappings which includes the holistic security frameworks listed in the Dallas discussion prelim draft and Privacy controls already found in the CCM.
“The difference is that NIST’s Dallas-version of the Discussion Preliminary Draft of the Cybersecurity Framework has all of the Information References listed in a single square,” Agcaoili said. “What NIST established is confusing in that in one box they cite multiple references, so you start asking yourself if you should apply all of the cited security standard controls, one of them, or none of them.”
Agcaoili said that in its current form, NIST basically established a new and unique security controls standard, an entirely new construct in which secure a company. For example, the information references do not have corresponding ISO 27001 or COBIT or NIST 800-53 controls for each of the rows that NIST identified for each of the standards.
“They mixed and matched and didn’t complete the cross standard mapping process. This is an issue in that if a company is already ISO 27001 certified it begs the question of what else is missing with ISO versus the CSF, since there are other CSF control requirements in each row and no corresponding ISO 27001 control,” Agcaoili said. “You have to ask yourself what else are you supposed to be doing?”
In contrast, Agcaoili’s proposal slices up each of the prominent, holistic security standards in each of their own columns, effectively providing the visibility that shows that each standard works independently for the Cybersecurity Framework.
“The cross mappings provide a way to demonstrate interoperability between the standards and thoroughness and/or important focus areas for each standard,” Agcaoili said.
 Buttons in the Spreadsheet
This is for additional navigation features. If you click the “1″ button on the upper left hand side of the spreadsheet (or the default view), it shows an unpopulated CSF that is in a framework shell-view that can be used wide-open and interpreted by all.
If you then click the “2″ button on the upper left hand side of the spreadsheet, it explodes the CSF to show all of the individual mappings. If you click the “2″ button on the top row on the left hand side of the spreadsheet, it explodes all of the Informative References and the Critical Infrastructure Sectors/Sub-sectors view that can be tailored by each Sector/Sub-sector.
Agcaoili says that one of the biggest issues in the Information Security industry is that we have too many security standards, and still not enough adoption of these standards.
“Cross mapping these core and regularly cited security standards shows that all of them have commonalities. They were built to secure a company,” Agcaoili said. “Frankly, following any one of them and being able to honestly demonstrate adoption at this point will raise the level of security at any and every company.”
Follow up work and notes for this tab:
In column AC (ISA 99 IEC 62443): Agcaoili has asked the ISA 99 co-chairs to map their controls into this version of the CSF.
Agcaoili shared this work a month ago with ISO, ISACA, NIST, CCS, NERC, and ISA. The British Standards Institute (BSI), Holistic Information Security Practitioners Institute (HISPI), and Cloud Security Alliance (CSA) teams have also been engaged. Responses so far have been positive.
Agcaoili also alerted ISACA (owners of GAPP and TSP) and the AICPA SOC author and liaison into the AICPA of what I’ve done with the CSF to incorporate their auditable privacy controls and industry guidance directly into the CSF and integrated with the security controls. More on this with the Privacy commentary.
The CSA is willing to work with NIST on usage of the Cloud Controls Matrix (CCM) with the CSF.
Remember that the CCM is based on ISO 27001 and HITRUST, so it was written as a security standard to secure a company. We re-wrote those standards to also apply to multi-tenant companies.
The Third Tab – Evidence-based Priority Controls:
This tab identifies what is most important to implement. Companies seeking to be more thorough in applying security controls will go back to the Second Tab and apply the other important controls identified there.
Agcaoili said consistent questions emerged in the process, namely:
What’s most important to do? What’s most critical?
Where do I start?
What evidence do you have that this will secure cyberspace?
“This is a minimal version of the CSF with evidence-based prioritization of controls based on analysis from multiple breach analysis groups–HISPI, Verizon DBIR, Mandiant, Trustwave, Microsoft, and SANS/Australian DSD,” Agcaoili said. “It identifies 23 controls that had the most failures in 2011 and 2012.”
The Fourth Tab – Evidence-Based Control Failures:
This tab represents which controls have failed via each of the major breach analysis reports and help us validate what’s most important.
“Multiple breach analysis reports go as far back as 2005 to provide the most comprehensive view. HISPI and Verizon have analysis since 2007 while SANS has analysis (which I’d like to see) for over a decade that delivered their data,” Agcaoili said.”I’ve asked the groups with DHS to determine if they can come to consensus on this using their data/evidence.”
Security Index Tab:
This section contains an approach to self-assess and gauge security program capability and maturity using the venerated CMMI approach, and avoids having to create criteria to assess the Security Index.
“I’ve challenged the (1-year old) ES-C2M2 approach because I disagree with the criteria to determine each level. Depending on the company, sector, sub-sector, etc. assessing the level/tier, maturity implementation level is subjective and will take a while for the various Sectors, Sub-sectors, companies, interest groups, and agencies to determine,” Agcaoili said.
“The criteria is simply too difficult to obtain at this point, while assessing one’s Security Index using CMMI is standard operating procedure for audit firms as they’ve come in to assess and, possibly, benchmark my program at numerous companies. so I’ve added the Continuous Process Improvement logo using the NIST 5 Functions to remind companies that they need to continuously assess their level of security.”
Agcaoili also added charts to provide a simple view on their Security Index, saying he has already used this construct for executives at Cox Communications to convey their program maturity, areas of opportunity, and help him lead into his roadmap and subsequent funding request.
Risk Register Tab:
This tab seeks to identify several thorough risk assessment methodologies to use, shows the foundation of enterprise risk management used in the ISACA COSO Enterprise Risk Management (ERM) framework, and also shows several Risk Registers and how to begin to document risk findings, assess priority, and develop a coinciding roadmap.
“I believe that a Risk Index and targets/goals/plans are a simpler and more benign way to go versus Profiles and Tiers or direct maturity models and implementation levels,” Agcaoili said. “An Index and Plan allows individual companies and/or sectors to assess where they are at, and doesn’t prevent anyone from doing more, automating checks (e.g. CAG from SANS), etc., including:”
From a risk perspective, how do you implement controls based on solid risk decisions?
How can the masses do it?
How can all assess their level of risk? Assess safety for their customers?
How can any company, small or large, use risk management principles to assess their controls maturity?
Prioritize what needs to be done, and set a bar for themselves (a goal or a target), to have better security practices?
How can they do all of this and communicate it to their executives, to their teams, to their business, and to the government?
Original Example based on CSA CCM Tab:
This final tab shows Agcaoili’s original CSA CCM mapping used in the San Diego workshop that gave him the idea for all of this.
The point of Agcaoili’s exhaustive exercise in producing this proposal is that NIST does not have to invent a new security standard, but instead just need to cite which ones to use and to help identify common truths in each standard, which he believes will simplify adoption, the ultimate endgame here.
“NIST could have even just figured out how to make a light version of NIST 800-53, but instead with the Dallas release they effectively created a document that cites numerous other standards and specific controls that effectively establish the CSF as a whole new standard,” Agcaoili argues.
“Their Discussion Preliminary Draft will most likely just coerce all companies to instantiate a compliance program to assess, implement, monitor, and manage compliance with the CSF,” Agcaoili warned.
Feedback on Agcaoili’s proposal welcome – leave a comment below…
Anthony M. Freed, who writes for The State of Security, is Tripwire’s Community Engagement & Social Media Coordinator, and has a passion for translating security techno-babble into the language of enterprise risk abatement for the business class. Prior to joining the Tripwire team, Anthony was an infosec journalist and editor who authored numerous feature articles, interviews, and investigative reports which were sourced and cited by dozens of major media outlets