
Alan Levine Answers Your NIST CSF Questions

CISO Interviews, Alan Levine

Alan Levine, cybersecurity advisor and recently retired CISO for Alcoa, presented “True North: A Path to NIST Cybersecurity Framework Success.” Alan’s presentation generated lots of great questions, which he graciously answered below. If you missed his presentation or would like to watch it again, you can view it below.

There are tools in the marketplace that provide ongoing assessments that evaluate whether or not an organization is in compliance with CSF. Could you recommend one in particular?
It’s very hard for me to make specific tool or service recommendations. Nevertheless, the beauty of CSF is that you can do it yourself, without a tool, and spend only internal resources.

You said to pick one framework, however, most organizations already have regulatory requirements (FFIEC, NCUA, HIPAA, HITRUST, PCI, etc). Do I still need the CSF?
You may not. If an organization has already adopted a particular framework (for finance, healthcare, or anything else that’s sector-specific), then it makes less sense to move to CSF. Now, if you have a choice, CSF is a cleaner approach and may also be easier to implement than FFIEC or PCI.

Are there any good resources that will help document the path to true north? What would you look for in a good documentation resource? 
There are lots of free models for policy, but less for testing specific to NIST standards. It’s important that any documentation for your processes (test results, for example) fits your specific program.

We have adopted CIS Top 20 Critical Security Controls as a basic/foundational approach to cybersecurity and would like to adopt NIST CSF. What steps should we take?
Good news - this is the natural progression and you’ve done the hard work already. Integrate what you can and avoid any duplicate efforts.

When should an organization use NIST 800-171 instead of NIST CSF?
I recommend using 171 when it is required (CMMC level 3, for example). Otherwise, 171 is too much for most organizations.

What's the adoption rate of NIST 800-171 vs CSF?
CSF is adopted much more often, because it is a smaller lift for most organizations. 171 is typically adopted by regulated organizations.

What is the CMMC?
The Cybersecurity Maturity Model Certification, or CMMC, is the US Defense Department’s most recent effort to secure the defense industrial base supply chain. CMMC is an outgrowth of the DFAR for cybersecurity, which relies heavily on NIST 800-171. The change with CMMC is that an organization’s maturity level can be measured and assessed, and that self-attestations have been replaced with formal audits.

Is there a CSF specific to medical device security? 
CSF is not sector-specific; however, NIST does offer advice specifically by sector in its 1900-level publications. Click here for an example.

Are there standards for Higher Education?
NIST appears to be developing a set of advice for higher education. Click here for the current status.

True North: A Path to NIST Cybersecurity Framework Success

Please click here for a copy of Alan's PowerPoint presentation. Also, if you enjoyed this webinar, be sure to visit Second Thursdays for other great cybersecurity webinars.
