A Ransomware Framework for Cyber-Readiness
Takeaways:
- The National Institute of Standards and Technology (NIST) has been an under-recognized driver of consistent progress in the face of flux surrounding the Cybersecurity Maturity Model Certification (CMMC).
- As part of that progress, NIST released the Cybersecurity Framework Profile for Ransomware Risk Management—a new framework of controls to address ransomware—in September 2021.
- The Ransomware Framework supports cyber-readiness by building on the core focus areas of the existing 110+ controls of the NIST 800-171 specifications for Controlled Unclassified Information (CUI), which form the basis for CMMC.
- Even the smallest businesses can adopt the Ransomware Framework to increase cyber-readiness.
The continuing ramp-up in ransomware attacks highlights the cybersecurity challenges for each member of the Defense Industrial Base (DIB). Like any ecosystem, the DIB’s supply network is built on interdependencies among its members, and those interdependencies increase both the vulnerabilities and the responsibilities of the prime contractors who organize their sub-suppliers for a common business objective. Each prime faces the multi-layered task of attesting to the cyber-readiness of its smallest sub-suppliers, who typically lack an IT staff and often do not even know that they are part of the DIB. The Cybersecurity Maturity Model Certification aims to help each sub-supplier strengthen its own cybersecurity and growth.
For now, the implementation of CMMC remains in flux, even though the basic controls of CMMC remain well-defined thanks to consistent progress by the National Institute of Standards and Technology. In September 2021, NIST released a new draft Ransomware Framework that even the smallest businesses can adopt for ransomware cyber-readiness.
The advantage for each DIB supplier organization is that it can build on any work done to date on the NIST 800-171 specifications for Controlled Unclassified Information (CUI). The Ransomware Framework also builds on the more general Privacy Framework for any organization protecting the private information of its customers, partners, and suppliers. According to NIST, the Ransomware Profile aligns organizations’ ransomware prevention and mitigation requirements, objectives, risk appetite, and resources with the elements of the Cybersecurity Framework.
“Now there’s a cyberattack every 40 seconds. One in ten of [the] 1.8 billion websites leads you to malware. Cybercrime damages are in the trillions of dollars. And, as we all know, ransomware has become a scourge affecting all Americans across society…CISA was created to be something very different….a hybrid public-private collaborative where collaboration is baked into our DNA.”
— Jen Easterly, Cybersecurity and Infrastructure Security Agency Director; US Army Lieutenant Colonel (Ret.)
The Cybersecurity and Infrastructure Security Agency’s new Director, Jen Easterly, spent a career in military service, where she helped establish the U.S. Cyber Command, and then went on to a cybersecurity leadership role at Morgan Stanley. On August 6, 2021, Director Easterly introduced herself to the hacker community by making a video appeal for an urgent whole-of-nation strategy. Her willingness to reach out to the hacker community emphasizes the priority CISA puts on recruiting America’s talent from every realm of cyber expertise.
The success of Director Easterly’s strategy will require greater commitment to cyber-readiness from two whole-of-nation perspectives for the DIB:
- Stronger alignment across CISA and all the US government cabinet departments, including the Department of Commerce, which includes NIST.
- More effective mobilization of applied learning and teaching across the private sector and the education community.
As the DIBCo CEO, who leads an innovative small operation with no internal IT staff, summarizes:
“We can’t afford not being cybersecure, but we also can’t afford getting mixed signals from different government agencies on how to use our limited resources for strengthening cyber-readiness as part of our everyday commitment to continuity of operations.” —DIBCo CEO
By Ted Rybeck, Chair, Benchmarking Partners, and Chair, NDTA Cybersecurity Best Practices Committee