The small business owner wants to stay focused on business operations, not potential cyber threats. Establishing a standard of care for cybersecurity is not easy. Yet, fortunately, there are many available security frameworks that can be useful when developing your own standard of care. This article, the second in our series on this important topic, reviews five common approaches.
Every business has its own important data and critical systems to protect. In some industries, the cybersecurity needs are further complicated by compliance and regulatory requirements such as PCI DSS, Sarbanes-Oxley and HIPAA. Reviewing security frameworks to create a customized standard of care can help individual business better manage cybersecurity needs.
The five security frameworks considered here all offer documented processes to address information security controls, manage risks, and reduce vulnerabilities. Defining policies and procedures shaped by these standards, IT personnel can prioritize tasks to reach cybersecurity goals. We will look in greater detail at:
- National Institute of Standards and Technology’s NIST 800-53
- National Institute of Standards and Technology’s NIST 800-171
- Center for Internet Security’s CIS Controls®
- the new Cybersecurity Maturity Model Certification (CMMC)
- Health Insurance Portability and Accountability Act (HIPAA)
Security Frameworks: NIST SP 800-53
What it is: More of a reference book than anything else, this extensive collection of information security standards was first published in 1990. Now in its fifth revision, this publication covers Security and Privacy Controls for Information Systems and Organizations.
Who it is for: The U.S. National Institute of Standards and Technology (NIST) offers exhaustive guidelines for safeguarding classified data in federal systems where resources and expertise are at the highest level. While a great catalogue for identifying specific security controls, it is far too exhaustive for any reasonable small business to consider in its entirety as a benchmark.
Security Frameworks: NIST SP 800-171
What it is: NIST SP 800-171 was created by identifying a subset of the 800-53 controls to secure confidential unclassified information in private company systems. Revised in 2020, NIST SP 800-171 covers Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations. The framework “provides agencies with recommended security requirements for protecting the confidentiality of CUI.” There are 14 overall sections, all of which are requirements for compliance.
Who it is for: Department of Defense (DoD) contractors and service providers must adhere to NIST SP 800-171 under the DoD’s procurement regulations (DFARS). NIST SP 800-171 is freely available with documentation available for an organization to self-certify. This framework can be a good fit for manufacturing or other industries that need a clear catalogue of security controls for subnets that contain sensitive data.
Security Frameworks: CIS Controls®
What it is: This set of twenty controls from the Center for Internet Security is a great starting point for any organization seeking direction. The document is divided into Basic, Foundational, and Organizational controls. These controls provide a thorough listing of technical controls and best practice configurations to help reduce overall risk.
The Basic CIS Controls are critical elements in furthering an organization’s cybersecurity:
- Inventory and control of hardware assets — Calls for the business to identify all devices connected to its network and keep an accurate and up-to-date inventory.
- Inventory and control of software assets — Recommends ensuring “only authorized software executes and all unauthorized software is blocked from executing on assets.”
- Continuous vulnerability management — Addresses vulnerability scanning and software updates to ensure operating servers are running the latest security updates.
- Controlled use of administrative privileges — Calls for the separation of Internet browsing, email, or similar activities from accounts used for administrative activities.
- Secure configuration for hardware and software on mobile devices, laptops, workstations and servers — Suggests the documentation of standard security configurations, and catalogs exceptions, and prompts the configuration of alerts for any unauthorized changes.
- Maintenance, monitoring and analysis of audit logs — Calls for the business to “collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack” a practice we highlighted recently in our first Calyptix Genius Briefing.
Who it is for: The CIS approach is helpful for any organization to recognize the need for continual improvement. The controls are a great framework for an organization of any size to take actionable steps towards better cybersecurity. It is process focused, and recognizes there is no one silver bullet solution.
Security Frameworks: CMMC
What it is: The Cybersecurity Maturity Model Certification (CMMC) is the newest entrant to the game. The CMMC primarily targets the defense industry sector to enhance CUI protection. In the past, contractors could self-certify their cybersecurity compliance with NIST SP 800-171. Now, though, they must get a third-party assessment. The CMMC v certifies contractors at one of five levels of cybersecurity maturity.
Level 1 adheres to “basic cyber hygiene” practices. Level 3 has a management plan in place of “good cyber hygiene” and includes 110 of the controls from NIST 800-171 to safeguard CUI. Meanwhile, at Level 5, the contractor demonstrates standardized and optimized processes providing more sophisticated capabilities to detect and respond to advanced persistent threats.
Who it is for: All DoD contractors are expected to obtain a CMMC certification. That’s at all supply chain tiers, regardless of size or geography. Yet a stated goal of the CMMC is “to be cost-effective and affordable for small businesses.” This framework is a roadmap for a small business to become CMMC certified for DoD contracts.
Note: The interim rule for CMMC became effective November 30, 2020, but it is subject to Congressional Review, which has been delayed until at least June 2021.
Security Frameworks: HIPAA
What it is: The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules outline the need for a comprehensive information security program. This industry-focused standard of care has more than 150 individual requirements, including cybersecurity controls, to secure Protected Health Information (PHI). Failing to comply is costly, and thus should be top of mind for any organization that interacts with or retains PHI, regardless of size.
The HIPAA Security Rule “deals specifically with electronically stored PHI (ePHI) and stipulates three classes of safeguards required for ePHI – administrative, physical, and technical – to ensure the confidentiality, integrity, and availability of ePHI.” Its primary goal is to protect individuals from falling victim to identity theft, fraud, or other abuse.
The Security Rule does not require specific technology solutions. Determining which security measure to implement is based on what is reasonable and appropriate for the specific organization, given its unique characteristics.
Who it is for: HIPAA compliance is a top concern for hospital administrators, medical practice managers, doctors, and associated businesses that provide services to healthcare organizations. Anyone who will come into contact with PHI needs to understand and incorporate HIPAA regulations into its processes.
Since the Security Rule does not provide specific security measures, healthcare organizations subject to HIPAA can find technical guidance to supplement their approach with controls specified in the CIS Controls, CMMC, or SP NIST 800-171.
Taking Action on Cybersecurity
Using the information in these security frameworks, a small business or MSP can shape a standard of care that makes sense for that specific environment. Starting with the NIST will likely be overwhelming, as that is the highest level of security rigor. After all, it is intended for the protection of Top Secret classified government data. More suitable for SMBs, the CIS Controls and the CMMC provide concise frameworks, detailed security controls, and graduated levels or tiers.
Each of these frameworks has common threads around the need for inventorying hardware and software, monitoring, reporting, and taking action on threats. The next and final article in this series will explore the MSP’s responsibility around standards of care.
One way to tackle the complexity? Employ a simple, all-in-one solution that provides network security and management. The Calyptix network firewall saves time and money, while enabling Zero Trust, two-factor authentication through Gatekeeper and stopping bad actors in their tracks through Geo Fence.
Learn how AccessEnforcer meets your HIPAA compliance needs.