TL:DR "NIST CSF compliance" is meaningless because the NIST CSF isn't a set of things you must do - it's a set of things you can do, with no guidance about which ones you should do.

There is no mapping from "we are doing this" to "this is our maturity level". There isn't a standard set of questions to answer, let alone a guide to what the "right" answer is. And there can't be, because what's "right" for one organisation is going to be wrong for other organisations - too much or too little, or simply just not the right balance between Confidentiality, Integrity and Availability.

Key Quotes:
"the Framework has utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements"

Or in context:
"The decision about how to apply it is left to the implementing organization. There sometimes is discussion about “compliance” with the Framework, and the Framework has utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements. Nevertheless, the variety of ways in which the Framework can be used by an organization means that phrases like “compliance with the Framework” can be confusing and mean something very different to various stakeholders."

The framework is best understood as a long list of good things to be doing, organised into a very sensible structure to unify our conversation, by providing common terminology.

There are 5 functions, broken into Categories and Subcategories.

There are links to other standards for subcategory. If you consider those links as being a type of #include statement, it's a candidate for the world's longest 48 page document.

But there are no tests, no way to score a subcategory, no way to collate your subcategory scores into any kind of overall pass/fail, let alone a maturity score.

Yes, the framework contains 4 'Tiers'.

But, quote:
"Tiers do not represent maturity levels. Tiers are meant to support organizational decision making". Tiers are for thinking about how you manage cybersecurity risk, they aren't a measure of how cybersecure you are.

The NIST CSF is a brilliant starting point for building your own score sheet, and yes, I've done that, and yes it works well. But that's my score (OK, my organisation's core), it's not NIST's score. It's not going to be the same score that someone else would give if they use their own NIST CSF based score sheet.

Their score and my score would be comparable only in the sense that it becomes meaningful to ask: why did you give different scores to XYZ subcategory? And that's a potentially useful conversation, but different numeric scores may well both be valid, because they reflect different priorities and therefore measure different things differently.

Let me give an example:
ID.RA-5: "Threats, vulnerabilities, likelihoods, and impacts are used to determine risk".

This is not a yes/no question. This is not something that can be meaningfully answered on a 5 point Likert scale.

A proper answer to this question requires significant investigation of an organisation's documented processes, but also their actual practices.

You cannot just ask 'do you do this?' or 'on a scale of 1 to 5, how much do you do this?' If you try, the answer is always "yes" and, almost always, "we're 5 out of 5".

To be repeatable, you need to record far more than just the number, you need to document the process you used to obtain that answer. You need to document what to look at, and how to compile a numerical rating, and how to weight those ratings into the overall score.

Your answer, using your process, is quite going to be different to someone else's answer using a different process. And it should be.

Last quote "the Cybersecurity Framework is not a one-size-fits-all approach to managing cybersecurity"

It's not a maturity model or a compliance checklist As it says on the tin, it's a framework. It helps us hold a conversation.

--------------
All quotes from: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

@Tarah

#NistCSF #MaturityModels #Compliance #CyberSecurity #CyberSecurityFramework