How to align your AWS Strategy with the NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is a non-profit endeavor based on best practices and using existing standards, originally intended for the Critical Infrastructure Sectors but applicable to organizations of any size and in any sector, aiming to improve their cybersecurity posture, their risk management processes, and their systems resilience. It is currently being considered as a de facto cybersecurity standard.

The CSF offers a risk-based, outcome-focused framework composed of three elements:

NIST Cybersecurity Framework
  • A set of cybersecurity practices, outcomes and controls is the Core, which support the five risk management functions: IdentifyProtectDetectRespond, and Recover. Additionally, these functions have 23 categories and 108 subcategories which represent well defined outcome-based security activities.
  • The capacity and readiness for managing the CSF functions by an organization is characterized by Tiers which are: PartialRisk InformedRepeatable, and Adaptive.
  • The current and desired cybersecurity business postures are communicated through Profiles.

These three elements combined help organizations prioritize and address cybersecurity risks consistently with their business needs.

Regarding Profiles, it’s worthy to mention that the Financial Services Sector Coordinating Council, which is a public-private partnership comprised of 70 financial institutions, tailored the CSF to their requirements and realized that 9 different regulatory requirements could be mapped to the NIST’s “Identify” function. Furthermore, the Healthcare sector did their mapping as well from the HIPAA Security Rule to the NIST CSF and realized that it added an additional layer of security because it was more detailed and added more specificity. Finally, there are Federal agencies and more than 25 states and countries currently developing their cyber defense methodologies in alignment with the CSF.

Some benefits of implementing the NIST CSF are:

  • It has no cost. The guidelines are freely available.
  • Its risk-based approach and its outcome-focused development produces a straightforward integration.
  • It leverages existing accreditations, standards, and controls.
  • It is flexible and adaptive to different sectors and companies.
  • It provides a common classification for risk management.

There are three common consequences identified from the application of the CSF:

  • It helps to reduce the gap between the Current Profile and the Target Profile. This consists of conducting an assessment against the CSF model to determine an organization’s cybersecurity posture and maturity and specify the desired state in order to prioritize resources and effort to achieve it.
  • It improves efficiency identifying capability gaps through the evaluation of current and proposed products and services aligned with the CSF.
  • It facilitates restructuring security teams, processes, and training through clear guidelines.

AWS provides a whitepaper and a spreadsheet in order to assist customers with their alignment to the NIST CSF. The whitepaper splits responsibilities describing Security of the cloud (how AWS should align to the CSF) and Security in the cloud (how the Customer should align to the CSF using AWS services). On the other hand, the spreadsheet organizes the Core functions into separate tabs, where each category is sliced up into subcategories in order to specify which NIST 800-53 control is matched and indicate which AWS Services support it, distinguishes between AWS and Customer responsibilities, and also provides some Informative References.

Incorporating these controls to your AWS infrastructure should be a process driven by business needs and following a progressive approach.