Bitsight NIST Cybersecurity Framework Report
Ingrid

We provide a report that gives a high-level summary of an organization's alignment with the US National Institute of Standards and Technology's Cybersecurity Framework, using our risk vectors and existing data as evidence. The report is generated automatically from Security Ratings data and can be accessed at any time, so your organization can supplement its existing self-reporting processes and save time when qualifying vendors and clients against the NIST Cybersecurity Framework. Share this report with regulators, auditors, clients, and vendors so they get a clear view of the company's cybersecurity performance, and that of its vendors, as it relates to the NIST framework.

NIST CSF Version 1.0

Directory
- Grading Methodology
- Supported Cybersecurity Framework Subcategories and Evidence
- Frequently Asked Questions
  - Are All of the Cybersecurity Framework Requirements Covered by Bitsight?
  - How Are Subcategories and Categories Graded?
  - How Are Subcategories Mapped With Evidence?
  - How Can I Obtain a Copy of My Organization's Bitsight NIST Report?
  - How Is the Framework Organized?
  - What Are the High-Level Functions of the Cybersecurity Framework?
  - What Is in a Bitsight NIST Report?
  - What Is the NIST Cybersecurity Framework?

Grading Methodology

For each category, a weight (severity) is assigned to each grouping of risk vectors in a subcategory. Learn how Bitsight Security Ratings are calculated.

Supported Cybersecurity Framework Subcategories and Evidence

Below is a list of which of our risk vectors support which subcategories, sorted by high-level function. If a subcategory is not listed, we do not yet support it.
Identify: Asset Management; Risk Assessment
Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
Detect: Anomalies and Events; Detection Processes; Security Continuous Monitoring
Respond: Analysis; Mitigation

Descriptions of functions, categories, and subcategories are as they appear in the framework document.

❖ To preserve confidentiality, not all subcategories are shown by default. Where a subcategory appears in a report only under certain conditions, a note next to it explains its visibility. Such a subcategory is shown in your own report and does not appear in NIST CSF reports on your organization generated by other companies.

Function: Identify
Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Category: Asset Management
The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.

ID.AM-2: Software platforms and applications within the organization are inventoried.
  Details: This control is supported with evidence from the Open Ports risk vector, which detects, from outside the network, software and applications in use within the organization.
  ❖ Included only if your organization is a Bitsight customer.
  Supporting Bitsight data: Assets

Category: Risk Assessment
The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented.
  Details: This control is supported with Patching Cadence evidence: unpatched, vulnerable software found on devices during an external scan of the organization's network perimeter.
  Supporting Bitsight data: Patching Cadence, Server Software, Desktop Software

ID.RA-3: Threats, both internal and external, are identified and documented.
  Details: This control is supported with evidence from the Forensics add-on package, which shows threats found on devices during an external scan of the organization's network perimeter.
  ❖ Included only if your organization has the Forensics add-on package.
  Supporting Bitsight data: Forensics

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
  Details: This control is supported with Patching Cadence evidence: unpatched, vulnerable software found on devices during an external scan of the organization's network perimeter.
  Supporting Bitsight data: Patching Cadence, Server Software, Desktop Software

Function: Protect

Category: Access Control
Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

PR.AC-1: Identities and credentials are managed for authorized devices and users.
  Supporting Bitsight data: Open Ports

PR.AC-3: Remote access is managed.
  Details: This control is supported with evidence of ports found open on firewalls and other devices during an external scan of the organization's network perimeter.
  Supporting Bitsight data: Open Ports

PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate.
  Details: This control is supported with evidence of ports found open on firewalls and other devices during an external scan of the organization's network perimeter.
  Supporting Bitsight data: Open Ports

Category: Awareness and Training
The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.AT-1: All users are informed and trained.
  Supporting Bitsight data: Botnet Infections, Potentially Exploited, Security Incidents

Category: Data Security
Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-2: Data-in-transit is protected.
  Details: This control is supported with evidence of enforced TLS/SSL encryption and valid certificates, together with TLS/SSL configuration checks that confirm correct encryption standards or flag failing and weak protocols.
  Supporting Bitsight data: TLS/SSL Certificates, TLS/SSL Configurations

PR.DS-5: Protections against data leaks are implemented.
  Details: We support this control with evidence of data breaches from publicly disclosed security incidents.
  Supporting Bitsight data: Security Incidents

Category: Information Protection Processes and Procedures
Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained.
  Supporting Bitsight data: Open Ports, TLS/SSL Configurations

PR.IP-3: Configuration change control processes are in place.
  Supporting Bitsight data: Open Ports, TLS/SSL Configurations

PR.IP-7: Protection processes are continuously improved.
  Details: An improving Bitsight Security Rating indicates an improving protection process.
  Supporting Bitsight data: Botnet Infections, Spam Propagation, Malware Servers, Unsolicited Communications, Potentially Exploited, SPF Domains, DKIM Records, TLS/SSL Certificates, TLS/SSL Configurations, Open Ports, DNSSEC, Web Application Headers, Patching Cadence, Insecure Systems, Server Software, Desktop Software, Mobile Software, Mobile Application Security, File Sharing, Security Incidents

PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties.
  Details: Using the Bitsight Security Ratings product within an organization is a way to share information about its security effectiveness.
  ❖ Only shown in your own report if your organization is a Bitsight customer. Does not appear in NIST CSF reports on your organization generated by others.
  Supporting Bitsight data: Bitsight Security Rating

PR.IP-12: A vulnerability management plan is developed and implemented.
  Details: Use of the Bitsight platform and generation of a Bitsight Security Ratings Report are a significant part of a vulnerability management program, and therefore demonstrate that such a program is implemented.
  ❖ Included only if your organization is a Bitsight customer.

Category: Maintenance
Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools.
  Details: This control is supported with evidence of how current several classes of software are (server, desktop, and mobile), which indicates the organization's capacity to keep these systems up to date.
  Supporting Bitsight data: Patching Cadence, Server Software, Desktop Software

Category: Protective Technology
Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-4: Communications and control networks are protected.
  Details: We support this control with evidence of ports found open on firewalls and other devices during an external scan of the organization's network perimeter.
  Supporting Bitsight data: Open Ports

Function: Detect

Category: Anomalies and Events
Anomalous activity is detected in a timely manner and the potential impact of events is understood.

DE.AE-2: Detected events are analyzed to understand attack targets and methods.
  Details: This control is supported with evidence from the Forensics add-on package, which shows details of malware communications found on devices during an external scan of the organization's network perimeter.
  ❖ Included only if your organization has the Forensics add-on package.
  Supporting Bitsight data: Forensics

DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors.
  Details: This control is supported by use of the Bitsight Security Ratings product, which aggregates and correlates data from multiple external sources and sensors.
  ❖ Included only if your organization is a Bitsight customer.
  Supporting Bitsight data: Botnet Infections, Spam Propagation, Malware Servers, Unsolicited Communications, Potentially Exploited, SPF Domains, DKIM Records, TLS/SSL Certificates, TLS/SSL Configurations, Open Ports, DNSSEC, Web Application Headers, Patching Cadence, Insecure Systems, Server Software, Desktop Software, Mobile Software, Mobile Application Security, File Sharing, Security Incidents

Category: Detection Processes
Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

DE.DP-4: Event detection information is communicated to appropriate parties.
  Details: Using the Bitsight Security Ratings product within an organization is a way to share information about its security effectiveness.
  ❖ Only shown in your own report if your organization is a Bitsight customer. Does not appear in NIST CSF reports on your organization generated by others.
  Supporting Bitsight data: Bitsight Security Rating

DE.DP-5: Detection processes are continuously improved.
  Details: The trend of the Bitsight Security Rating reflects whether or not an organization improves its detection processes over time.
  Supporting Bitsight data: Botnet Infections, Potentially Exploited, File Sharing

Category: Security Continuous Monitoring
The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-1: The network is monitored to detect potential cybersecurity events.
  Details: This control is supported with evidence of Compromised Systems events, such as botnets, spam, and malware attempting to communicate from within the organization's network, observed during an external scan of the organization's network perimeter, and with evidence of data breaches from publicly disclosed security incidents.
  Supporting Bitsight data: Botnet Infections, Malware Servers, Unsolicited Communications, Potentially Exploited

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events.
  Details: This control is supported with evidence of user activity in which files are shared over the BitTorrent protocol from within the organization's network, observed during an external scan of the organization's network perimeter.
  Supporting Bitsight data: File Sharing

DE.CM-4: Malicious code is detected.
  Details: This control is supported with evidence of Compromised Systems events, such as botnets, spam, and malware attempting to communicate from within the organization's network, observed during an external scan of the organization's network perimeter.
  Supporting Bitsight data: Botnet Infections, Potentially Exploited

DE.CM-5: Unauthorized mobile code is detected.
  Details: This control is supported with evidence of Compromised Systems events, such as botnets, spam, and malware attempting to communicate from within the organization's network, observed during an external scan of the organization's network perimeter.
  Supporting Bitsight data: Botnet Infections, Potentially Exploited

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events.
  Details: This control is supported with evidence from the Bitsight for 4th Party Risk Management product, which shows service provider relationships and their Bitsight Security Ratings.
  ❖ Included only if your organization has Bitsight for 4th Party Risk Management.
  Supporting Bitsight data: Bitsight for 4th Party Risk Management

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed.
  Details: This control is supported with evidence of employee file sharing and the possibility that confidential information has been shared.
  Supporting Bitsight data: Botnet Infections, Potentially Exploited, File Sharing

DE.CM-8: Vulnerability scans are performed.
  Details: This control is supported with evidence of server or desktop software vulnerabilities found on devices during an external scan of the organization's network perimeter.
  Supporting Bitsight data: Patching Cadence, Server Software, Desktop Software

Function: Respond

Category: Analysis
Analysis is conducted to ensure adequate response and support recovery activities.

RS.AN-1: Notifications from detection systems are investigated.
  Supporting Bitsight data: Botnet Infections, Potentially Exploited

RS.AN-3: Forensics is performed.
  Details: This control is supported with evidence from the Forensics add-on package, which shows details of malware communications found on devices during an external scan of the organization's network perimeter.
  ❖ Included only if your organization has the Forensics add-on package.
  Supporting Bitsight data: Forensics

Category: Mitigation
Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

RS.MI-1: Incidents are contained.
  Details: This control is supported by the behavior of the Bitsight Security Rating, which drops after an event occurs and then levels off once the event is contained.
  Supporting Bitsight data: Botnet Infections, Potentially Exploited, Security Incidents

RS.MI-2: Incidents are mitigated.
  Details: This control is supported by the behavior of the Bitsight Security Rating, which levels off or improves after incidents are mitigated.
  Supporting Bitsight data: Botnet Infections, Potentially Exploited, Security Incidents

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.
  Supporting Bitsight data: Patching Cadence

Frequently Asked Questions

Are all of the Cybersecurity Framework requirements covered by Bitsight?
We (Bitsight) support the functions and categories where our risk vectors and data can serve as evidence.
Some framework requirements can only be fulfilled by examining aspects of an organization from within. We can help support a company's compliance from the outside using our data sources, but subcategories where we have no visibility into the organization, for example an inventory of "physical devices and systems within the organization," must be assessed through other channels.

How are subcategories and categories graded?
Categories are color-coded (blue, yellow, and red) based on the individual evidence grades of their subcategories. These evidence grades come directly from our Security Ratings data. Blue indicates good evidence grades overall, and therefore strong coverage within the subcategory; yellow means the company could improve in a few areas; red means the company needs to make significant improvements to its cybersecurity posture. Subcategories we do not support are neither counted in the grading nor shown in the report.

How are subcategories mapped with evidence?
We examine the requirements of a subcategory and identify which of our risk vectors help cover them. Our evidence-to-category mappings have been verified by experienced NIST framework professionals.

How do I obtain a copy of my organization's Bitsight NIST report?
Go to Reports ➔ View NIST CSF Report for your organization to download the report and share it with stakeholders.

How is the framework organized?
From the Cybersecurity Framework document: Functions organize basic cybersecurity activities at their highest level. Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities. Examples of Categories include "Asset Management," "Access Control," and "Detection Processes." Subcategories further divide a Category into specific outcomes of technical and/or management activities.
Examples of Subcategories include "External information systems are catalogued," "Data-at-rest is protected," and "Notifications from detection systems are investigated."

What are the high-level functions of the Cybersecurity Framework?
In order:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

What is in a Bitsight NIST report?
The Bitsight NIST report lists every requirement of the Cybersecurity Framework's standards and best practices that we are able to match with evidence, along with color indicators that reflect the degree to which an organization has coverage in each of those areas. Example: within the "Identify" function there is an "Asset Management" category containing the "ID.AM-2" subcategory, whose criterion is "Software platforms and applications within the organization are inventoried." Our Open Ports data provide evidence for this subcategory because, from an outside-in view, they show which software platforms and applications an organization is using.

What is the NIST Cybersecurity Framework?
The Cybersecurity Framework is a set of industry standards and best practices to help organizations manage cybersecurity risk, issued by the US National Institute of Standards and Technology. It references globally recognized standards for cybersecurity.
It can also be used by organizations located outside the United States and can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity. The official NIST Cybersecurity Framework documentation (PDF) is available for download.

Recommended reading:
- NIST: Cybersecurity Framework FAQs (Framework Basics)
- PwC: Why You Should Adopt the NIST Cybersecurity Framework

February 16, 2021: Refreshed risk vector mapping and its associated context.
July 17, 2018: Breaches renamed and recategorized to "Security Incidents."

Related articles:
- How are Bitsight Security Ratings Calculated?
- Portfolio Assessment Report
- TLS/SSL Finding Remediation & Remediation Verification
- How is the Web Application Headers Risk Vector Assessed?
- Finding Behavior