From: Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP

Sent: Saturday, March 26, 2022 7:31 PM


Cc: Katherine MacFarland; Kevin Stine; Mary Rasmussen

Subject: RFI: Evaluating and Improving Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management


NIST Team,


Thanks for publishing and maintaining the Cybersecurity Framework! It is well-written. Here is my response to your request for information:


High-level feedback:


There is opportunity to increase the number of controls

- 108 controls are attainable for most organizations. However the InfoSec team is left to fill in the gaps

- Resources are limited, controls within risk prioritized tiers could aid with effective mitigation

- Would be helpful to have additional controls, a stop gap between 108 controls and 800-53

- Perhaps existing controls could be expanded to demonstrate levels of maturity

Categories could be enhanced for reporting purposes

- The five categories are high level

- The 23 sub-categories result in skewed reporting

-- Some categories only have two controls

-- In that scenario, one control results in 50 percent compliance

- Would be helpful to organize by or switch to 10-12 domains

There is opportunity to add risk ratings

- High, moderate and low

- Would help businesses prioritize remediation


Detailed feedback to enhance CSF v1.1:


1. Add a guidance field


The ‘NIST CSF Control Description’ field is concise, which leads to confusion and a need for interpretation. Consider adding a ‘Guidance’ field to the CSF PDF and spreadsheet. For example…



NIST CSF Control Description



Governance and risk management processes address cybersecurity risks

Maintain a risk register process to provide senior leadership with transparency in the cybersecurity domain. Risk register entries should be reserved for cybersecurity issues that pose significant risk to the organization (risk mitigate or risk accept). Technical vulnerabilities should only be considered for register entries when extended remediation is proposed (e.g. 60 days or more beyond standard). Discuss register entries in risk governance meetings with cybersecurity and senior leaders present. Meet periodically to maintain risk governance routines (quarterly is recommended).


2. Add a documents and artifacts field


Consider adding a ‘Documents and Artifacts’ field to the CSF PDF and spreadsheet. That would provide guidance for how a given requirement can be validated. For example…



NIST CSF Control Description

Documents and Artifacts


Governance and risk management processes address cybersecurity risks

• Risk register

• Risk governance meeting minutes


3. Enhance the CSF with common controls [Maturity Level One]


It is necessary to implement these foundational controls:

Add a requirement for patching. It is not explicitly mentioned within the CSF.


b. Flesh out the CSF to help ensure controls are in-place and effective. For example:

·   ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners

o New: There is appropriate separation of duties in the Cybersecurity Leader’s reporting structure, such as reporting to the CEO, Chief Risk Officer, Chief Legal Counsel or Board of Directors. When the cybersecurity reports to the IT executive, that is a conflict of interest

o New: The Cybersecurity Leader provides updates to the Board of Directors or similar executive group

·   ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources

o New: An intake process ensures each threat advisory is addressed. Options: (a) When an advisory is received, assign a team member to process it,
(b) Have a periodic meeting to analyze threat intelligence or
(c) Enter each advisory into a log to ensure it is processed

·   ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan

o New: A cybersecurity professional provides guidance when a supplier wants to redline contract security language

·   PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes

o New: Access reviews are conducted periodically (quarterly is recommended)

o New: Access reviews are conducted when an employee or contractor changes roles. Legacy accesses are rescinded to preserve separation of duties

o New: Compare a current list of employees and contractors to active system and application accounts. Immediately rescind accesses for departed personnel

o New: Integrate Single Sign-On into web applications to facilitate systematic removal of accesses

·   PR.AT-1: All users are informed and trained

o New: Update this requirement to: “All users are informed, trained and tested to ensure comprehension”

o New: Add a requirement for a phishing test program. Annual security awareness training alone is not sufficient

·   PR.DS-5: Protections against data leaks are implemented

o New: Restrict access to technology commonly used to exfiltrate data such as external storage, Internet storage and personal e-mail (e.g. USB drives, Dropbox and Gmail, respectively)

·   PR.IP-4: Backups of information are conducted, maintained, and tested

o New: Store backups offline to protect from ransomware encryption

·   PR.IP-10: Response and recovery plans are tested

o New: Incident response and business continuity exercises include senior executives, lines of business leaders, information technology, legal and public relations

·   RC.CO-1: Public relations are managed

o New: Establish a Crisis Communications Plan and a Holding Statement template to prepare for an emergency or unexpected event

c. Add a requirement for procedures within sub-programs such as vulnerability management, access control and third party risk management. Procedures provide a focus on process execution and help ensure controls are effective as you know.

- The closest control is 'ID.AM-3: Organizational communication and data flows are mapped'

4. Address threats and countermeasures since 2014 [Maturity Level One]


CSF v1.0 was published in 2014. Version 1.1 was made available in 2018 and is a minor release. It is necessary to add new requirements to adapt to changes in the threat landscape.


a. Consider updating the CSF with ransomware mitigation controls from this advisory:

·   CISA Alert (AA21-131A): DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks:

b. It is also necessary to update the CSF with recent adversarial tactics. Consider these resources from CISA and NSA for controls to identify and mitigate risk.

·   CISA Alert (AA22-047A): Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology:

·   NSA Network Infrastructure Best Practices:

5. Expand the data security section (PR.DS) [Maturity Level Two]


Separate the core framework into common controls that apply throughout the enterprise (e.g. security awareness) and data security controls that should be implemented where sensitive data is stored, processed or transmitted (e.g. encryption).


a. Add requirements for Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).


b. Add a penetration testing requirement. The use of vulnerability scanning alone may fail to detect significant vulnerabilities. Pen testing is used to address that gap and is commonly used in areas where sensitive data is present. Ethical Hackers leverage suites of security tools to identify vulnerabilities and use that information to gain access. They also use custom scripts, conduct manual tests and strive to exploit business logic. If an organization hosts sensitive information, it makes sense to test with hacking techniques.


c. Add a requirement for a Security Operations Center or active monitoring by cybersecurity personnel 24x7x365.


d. Add a requirement for the cybersecurity program to maintain controls specific to line of business products, services and assets.


6. Add a risk management section [Maturity Level Three]


a. One of the most significant categories is Risk Assessment (ID.RA). I've interpreted that as:


"Threat Landscape and Controls Analysis: Conduct risk analysis, resulting in a formal report. Start by considering the inherent risk of the organization. Provide an overview of potential adversaries, techniques for compromising data and the cybercrime ecosystem. Describe the potential for impact, while citing reliable sources. Reference the organization’s risk tolerance. Describe the organizations assets. Pivot into cybersecurity with protection boundaries, control framework and risk assessments. Provide fair and balanced analysis by documenting risk mitigation and recent accomplishments in that domain. Detail residual risk with recommendations for new processes and controls. Conclude with a summary statement that praises the organization’s risk culture, with recognition for conducting risk analysis." (Reference: Program Maturity - Cybersecurity and Operational Risk Management)


Hoping the CSF can be updated with a similar statement with mid-level detail.


b. Add a Risk Mitigation Controls Menu within an appendix. Provide a listing of optional controls, with a description of risk mitigation properties. Reference my zero trust controls menu as an example.


Using an appendix with a list of options helps ensure the entire listing of controls is not mandated by policy or within a contractual requirement.


c. Add a requirement for cybersecurity metrics, KPIs and KRIs to be communicated to management.


7. Add a strong risk management section [Maturity Level Four]


The concept of strong risk management is typically adopted by those with a low risk tolerance such as financial institutions, government entities and pharmaceutical companies. Some organizations may decide to opt-out of this level of maturity due to their business model or cost. Therefore, the following topics are recommendations.


a. Add a recommendation for a Quality Assurance function separate from operations to validate whether critical cybersecurity controls are in place and effective.

b. Add a recommendation for operational functions and lines of business to declare self-identified audit issues, with a metric to measure to what extent the control environment is improving over time.


c. Add a recommendation to adopt the zero trust security model within security architecture and change management. Include mid-level detail for clarity, such as core components, data sources and variations of zero trust architecture approaches:


·        Policy engine, administrator and enforcement point

·        Continuous diagnostics and mitigation (CDM) system

·        Industry compliance system

·        Threat intelligence feeds

·        Network and system activity logs

·        Data access policies

·        Enterprise public key infrastructure (PKI)

·        ID management system

·        Security information and event management (SIEM) system

·        Enhanced identity governance

·        Micro-segmentation

·        Network infrastructure and software defined perimeters

Refer readers to NIST 800-207 for additional details. No need to reinvent the wheel.


d. Add a recommendation to maintain an insider threat program. Reference reputable practices such as Carnegie Mellon’s Common Sense Guide to Mitigating Insider Threats.


e. Add a recommendation to conduct threat hunting. Endpoint protection and SIEM security monitoring alone are not sufficient. Cybersecurity professionals should actively search for threat actors within the IT environment. It is necessary to detect adversaries quickly (dwell time and mean time to detect). Early detection can mean the difference between an incident and a data breach.


8. Implement maturity level labeling within the CSF


Map each requirement to a maturity level within the CSF PDF and spreadsheet.


Maturity Level




Core cybersecurity framework

A framework communicates the minimum controls required to protect an organization.


Common Controls

Controls in this category are viewed by many as necessary and common sense in a cybersecurity context. Some may view this maturity level as filling gaps in the control framework, basic due diligence.


Risk management

Communicate control framework requirements for risk assessment and risk management. It is necessary to tailor controls to the organization and to adapt to changes in the threat landscape.


Strong risk management

At this level the organization begins to demonstrate ownership of the cybersecurity program from an operational risk perspective. When management communicates low risk tolerance, that is synonymous with a commitment to strong risk management.


This approach would provide a middle ground between NIST CSF and 800-53. Keep in mind that most civilian organizations do not have massive funding like the federal government.


I've always loved that the CSF gives businesses options based on their risk appetite. This approach preserves that flexibility, with options to increase maturity and mitigate risk.


9. Risk prioritize controls


Implement risk-prioritized mapping of controls within the CSF PDF and spreadsheet. Reference this research, MITRE ATT&CK versus NIST 800-53. This table displays which controls mitigate the largest number of adversary tactics and techniques.


NIST 800-53 Rev 5 Control

# MITRE ATT&CK Mappings

System Monitoring


Configuration Settings


Baseline Configuration


Access Enforcement


Least Privilege


Malicious Code Protection


Least Functionality


Continuous Monitoring



This is just a sampling of the highest occurrences. There are many more rows.

10. Publish more quick start guides


The NIST Quick Start Guide for Ransomware is a good resource. Here are recommendations for additional guides.


·   Network segmentation

·  Preventing data exfiltration

·   Threat hunting

·  Program architecture

·   Metrics, KPIs and KRIs

·  Security operations center

·   Risk assessments

·  Risk register process

·   Incident response

·  Strategic planning

·   Business continuity

·  Disaster recovery

·   Vulnerability management

·  Identity and access management

·   Third party risk management

·  Cyber threat intelligence











NIST Team: Thanks so much for your efforts to protect our country! Feel free to reach out to me with questions or comments.




Gideon T. Rasmussen | CISSP, CRISC, CISA, CISM, CIPP | Consultant

Virtual CSO, LLC | |


The opinions expressed here are my own and not necessarily those of my current or past employers.