Cavirin is pleased to announce the inclusion of the latest framework from NIST – the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 draft. The latest revision is a major update to the original 2014 document and includes a common security vocabulary to help with cyber supply chain management, for example when a small business selects a cloud service provider or a federal agency contracts with a system integrator.
The overall framework is divided into five Framework Core Functions:
- Identify (ID) - Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect (PR) - Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect (DE) - Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond (RS) - Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover (RC) - Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Cavirin’s automated technical controls address specific categories and sub-categories within these functional areas, covering over 4300 individual tests spread across Windows and Linux operating systems. It directly addresses the following cybersecurity controls, depending on the target of evaluation (Windows or Linux OS):
- CM-8 - Vulnerability scans are performed
- IP-1 - Baseline configuration
- RA-1 - Asset vulnerabilities are identified
- AC-4 - Access permissions and authorizations are managed
- CM-7 - Monitoring is performed
- AC-6 - Identities are proofed and bound to credentials
- PT-1 - Audit/log records are determined
- AC-3 - Remote access is managed
- AC-5 - Network integrity is protected
- DS-4 - Adequate capacity to ensure availability is maintained
- DS-5 - Protections against data leaks are implemented
- AC-1 - Identities and credentials are issued, managed, verified, revoked, and audited
The Cybersecurity Framework defines 7 steps for establishing a cybersecurity program, and Cavirin’s automated system aligns with each of these 7 steps:
- Step 1 – It helps you to identify and scope your cybersecurity elements. It provides a unified mechanism to prioritize and scope your on-premises infrastructure components as well as cloud resources. You begin by discovering these resources on Cavirin’s platform.
- Step 2 - In the orientation phase, you begin identifying departments and units and what infrastructure elements each is using. On Cavirin’s platform, you then create asset groups to reflect your organizational units and segregate infrastructure elements by department.
- Step 3 – At this stage, you scan your asset groups against the Cybersecurity Framework. Cavirin’s platform provides, out of the box, automated technical controls mapped to the various framework requirements. These controls are automatically customized and tuned to match the target of evaluation. For example, if the target is a Windows machine, a particular set of safeguards is evaluated against a specific NIST Cybersecurity Framework control requirement; if the target is a Linux OS, the safeguards are automatically chosen to match the target’s capabilities.
- Step 4 – Once the assessment against the cybersecurity framework is complete, you are presented with a risk assessment report. The report provides control areas, risk assessment scoring and also the details to mitigate and manage the risks.
- Step 5 – You then evaluate the risk assessment report and determine what your target posture looks like. You can also tune the assessment to match your organization’s specific risks.
- Step 6 – Once you have identified the target posture, the Cavirin platform helps you identify control gaps and provides analytics on top of the various control requirements.
- Step 7 – The platform then helps you create action plans. An action plan could mitigate the risks by remediating the control gaps, or could integrate the findings with a ticketing or incident management system.
The Cavirin platform also provides various other risk evaluation controls out of the box. NIST 800-53 and NIST 800-171 are also supported. NIST 800-53 is considered to be the gold standard for Security and Privacy Controls. The platform covers several controls aligned with NIST 800-53 guidance:
- NIST Technical Controls
- AC-2 - Account Management
- AC-3 - Access Enforcement
- AC-4 - Information Flow Enforcement
- AC-6 - Least Privilege
- AC-7 - Unsuccessful Logon Attempts
- AC-8 - System Use Notification
- AC-9 - Previous Logon (Access) Notification
- AC-10 - Concurrent Session Control
- AC-11 - Session Lock
- AC-12 - Session Termination
- AC-17 - Remote Access
- AU-2 - Audit Events
- AU-3 - Content Of Audit Records
- AU-4 - Audit Storage Capacity
- AU-5 - Response To Audit Processing Failures
- AU-6 - Audit Review, Analysis, And Reporting
- AU-8 - Time Stamps
- AU-9 - Protection Of Audit Information
- AU-11 - Audit Record Retention
- AU-12 - Audit Generation
- CA-2 - Security Assessments
- CM-11 - User-Installed Software
- IA-2 - Identification And Authentication
- IA-3 - Device Identification And Authentication
- IA-5 - Authenticator Management
- MP-2 - Media Access
- MP-4 - Media Storage
- RA-5 - Vulnerability Scanning
- SC-2 - Application Partitioning
- SC-4 - Information In Shared Resources
- SC-5 - Denial Of Service Protection
- SC-6 - Resource Availability
- SC-7 - Boundary Protection
- SC-8 - Transmission Confidentiality And Integrity
- SC-13 - Cryptographic Protection
- SC-23 - Session Authenticity
- SC-28 - Protection Of Information At Rest
- SC-41 - Port And I/O Device Access
- SI-4 - Information System Monitoring
- SI-6 - Security Function Verification
- SI-7 - Software, Firmware, And Information Integrity
- SI-8 - Spam Protection
NIST 800-171 provides controls for handling Controlled Unclassified Information (CUI). The Cavirin platform provides several controls aligned with it:
- 11.2 Scan for vulnerabilities
- 4.9 Control and monitor user-installed software
- 12.1 Periodically assess the security controls
- 1.2 Limit information system access to the types of transactions
- 14.6 Monitor the information system
- 5.1 Identify information system users, processes acting on behalf of users, or devices
- 1.9 Provide privacy and security notices
- 5.2 Authenticate (or verify) the identities
- 1.1 Limit information system access to authorized users
- 3.7 Compare and synchronize internal system clocks with an authoritative source
- 1.12 Monitor and control remote access sessions
- 1.3 Control the flow of CUI
- 1.14 Route remote access via managed access control points
- 3.4 Alert in the event of an audit process failure
- 3.8 Protect audit information
- 3.1 Create, protect, and retain information system audit records
- 1.8 Limit unsuccessful logon attempts
- 13.11 Employ FIPS-validated cryptography
- 1.10 Use session lock
The Cavirin platform provides a comprehensive series of NIST-based risk assessment frameworks, aligned with the various controls according to the respective targets of evaluation. Beyond NIST, several other risk and compliance control sets are present on the platform. It also provides hybrid infrastructure support along with support for the container ecosystem.