
Posted on 16-Jul-2020

Tier 1: Partial
Tier 2: Risk Informed
Tier 3: Repeatable
Tier 4: Adaptive

Implementing the NIST Cybersecurity Framework (CSF)

Continuous Security Assessment and Remediation for the Hybrid Cloud

Identify (ID): Develop the organizational understanding to manage security risk to systems, assets, data, and capabilities.
Categories: ID.AM Asset Management; ID.BE Business Environment; ID.GV Governance; ID.RA Risk Assessment; ID.RM Risk Management; ID.SC Supply Chain Risk Management

ID.RA Risk Assessment: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

Sub-categories:
• ID.RA-1 Asset vulnerabilities are identified and documented
• ID.RA-2 Cyber threat intelligence and vulnerability information is received from information sharing forums and sources
• ID.RA-3 Threats, both internal and external, are identified and documented
• ID.RA-4 Potential business impacts and likelihoods are identified
• ID.RA-5 Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

Informative References for ID.RA-1 (Asset vulnerabilities are identified and documented):
• CCS CSC4
• COBIT 5
• ISA 62443-2-1:2009
• ISO/IEC 27001:2013
• NIST SP 800-53 Rev. 4

NIST SP 800-53 Rev. 4 controls:
• CA-2, CA-7, CA-8
• RA-3, RA-5
• SA-5, SA-11
• SI-2, SI-4, SI-5

Red Hat Enterprise Linux 7 tests:
• CA-2: Ensure separate partition exists for /tmp
• CA-2: Ensure nodev option set on /tmp partition
• CA-2: Ensure nosuid option set on /tmp partition
• CA-2: Disable Automounting

Protect (PR): Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Categories: PR.AC Access Control; PR.AT Awareness and Training; PR.DS Data Security; PR.IP Information Protection Processes and Procedures; PR.MA Maintenance; PR.PT Protective Technology

Detect (DE): Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Categories: DE.AE Anomalies and Events; DE.CM Security Continuous Monitoring; DE.DP Detection Processes

Respond (RS): Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Categories: RS.RP Response Planning; RS.CO Communications; RS.AN Analysis; RS.MI Mitigation; RS.IM Improvements

Recover (RC): Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Categories: RC.RP Recovery Planning; RC.IM Improvements; RC.CO Communications

Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan

Framework Core columns: Function | Category | Sub-categories | Informative References and Controls

4: Individual controls mapped to specific tests against the Target of Evaluation – RHEL 7
Test: Ensure separate partition exists for /tmp
Benchmark: NIST RedHat Linux 7 Benchmark
SCAP Reference ID: xccdf_org.cisecurity.benchmarks_rule_1.1.2_Ensure_separate_partition_exists_for_tmp
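One way to evaluate the four RHEL 7 tests listed above, added here as an example (it is not Cavirin's code or the benchmark's SCAP content); it assumes a file in /proc/mounts format and the autofs unit state as reported by systemctl is-enabled, and runs on a constructed sample.

```shell
#!/bin/sh
# Added example, not Cavirin's or the benchmark's own code. Checks the four
# RHEL 7 findings listed above (separate /tmp partition, nodev and nosuid on
# /tmp, automounting disabled) against a file in /proc/mounts format plus the
# autofs unit state, so it can run on a live host or on a captured copy.
# Prints PASS/FAIL per check; the return value is the number of failures.

check_tmp_hardening() {
    mounts="${1:-/proc/mounts}"                       # /proc/mounts-format file
    autofs="${2:-$(systemctl is-enabled autofs 2>/dev/null)}"
    [ -n "$autofs" ] || autofs="not-found"            # no unit / no systemd
    fails=0

    # /proc/mounts fields: device, mount point, fstype, options, dump, pass.
    # Keep the options of the last /tmp entry (stacked mounts win in order).
    opts=$(awk '$2 == "/tmp" { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        # /tmp lives on the root filesystem: all three mount checks fail.
        echo "FAIL separate partition exists for /tmp (no /tmp mount)"
        echo "FAIL nodev option set on /tmp (no /tmp mount)"
        echo "FAIL nosuid option set on /tmp (no /tmp mount)"
        fails=3
    else
        echo "PASS separate partition exists for /tmp"
        for opt in nodev nosuid; do
            # Bracket with commas so "nodev" cannot match part of another option.
            case ",$opts," in
                *",$opt,"*) echo "PASS $opt option set on /tmp" ;;
                *) echo "FAIL $opt option missing on /tmp"; fails=$((fails + 1)) ;;
            esac
        done
    fi

    case "$autofs" in
        enabled) echo "FAIL automounting (autofs is enabled)"; fails=$((fails + 1)) ;;
        *)       echo "PASS automounting disabled (autofs: $autofs)" ;;
    esac
    return "$fails"
}

# Constructed sample, not from a real host: /tmp is a separate xfs mount with
# nodev but without nosuid, so exactly one check fails.
sample=$(mktemp)
printf '%s\n' \
    '/dev/mapper/rhel-root / xfs rw,relatime,attr2,inode64,noquota 0 0' \
    '/dev/mapper/rhel-tmp /tmp xfs rw,nodev,relatime,attr2,inode64,noquota 0 0' > "$sample"
rc=0; check_tmp_hardening "$sample" disabled || rc=$?
echo "failures: $rc"                                  # prints: failures: 1
rm -f "$sample"
```

Run it without arguments on a RHEL 7 host to evaluate the live /proc/mounts and autofs state instead of the sample.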

Cavirin curated policy packs do the heavy lifting in mapping the framework to actionable recommendations (Specific Policy → CSF Goals)

3: Desired Tier impacts Target Profile. Defined by:
• Risk Management Process
• Integrated Risk Management Program
• External Participation
• Cyber Supply Chain Risk Management

5: Cavirin Implementation
• Implement Action Plan
• Create Current Profile
• Assess and Prioritize Gaps
• Conduct Risk Assessment
• Orient
• Prioritize and Scope

2: Cavirin automates the suggested NIST process

References:
https://www.nist.gov/cyberframework
https://http://static.cavirin.com/hubfs/whitepapers/Cavirin%20CSF%20WP.pdf
https://www.cavirin.com/solutions/nist-support.html

• Describe current and target state
• Identify and prioritize opportunities for improvement
• Assess progress and communicate across organization
• Complement existing processes and programs