I am working on a security project with a colleague, and instead of tackling one of the bigger standards we decided to create a road map and work towards it. Essentially, the goal is to align with NIST 800-53. That framework is way too complex for an environment with essentially a non-existent security policy. Instead, we will tackle the CIS Critical Security Controls (SANS Top 20, CSC, or whatever else you want to call it) first, then the NIST CyberSecurity Framework (CSF), and then tackle the NIST 800-53.
The CSC is designed with the idea that it focuses on the most critical controls, so it is the best starting point. By layering NIST CSF we add more controls, but they are less critical. Finally, NIST 800-53 is where we would hit a level of maturity. The nice thing with all of these is that the frameworks do build on each other. Controls in CSC can be mapped to the CSF and 800-53, and the controls in CSF can be mapped to 800-53. This means that work done on one control isn’t wasted. The issue that we had was actually understanding what that meant for the overall project. How much mapping was actually happening?
Before getting into the answer to that question we’ll look at the controls discussed.
The CSC framework has 20 controls, NIST CSF has 98 controls, and NIST 800-53 has 256 controls.
Here are links to info about each control:
CSC Poster This shows all the controls, a bit of detail on each, the background of the CSC, and has the mapping info for other controls.
To actually get the CSC controls you have to sign up here. There’s some good info there, which includes a file with the mapping info in Excel format, the controls in Excel, a PDF with more detail on each control, and a PDF on testing and validating an environment based on the CSC framework.
Then there’s the NIST 800-53, which can be found here.
Now, a quick note: This info is based off CSC v.6, NIST CSF (I believe it’s 1.0, but I can’t find version info) and NIST 800-53 Rev. 4.
With the mapping of controls I only wanted to find unique controls that were mapped. There are often times where multiple controls map to a single control. I counted the first, and excluded the subsequent. This means that controls later in the list are likely to have fewer mappings listed as they are not mapping to unique controls. Also, just because a control is mapped does not mean it is complete. It’s more like it is started, and will likely need to be revised when looking at the higher frameworks.
On to the fun-
If you complete the CSC then it would map to 67 of the 98 CSF Controls (68.37%)
If you complete the CSC then it would map to 114 of the 256 800-53 Controls (44.53%)
If you complete the CSF then it would map to 155 of the 256 800-53 Controls (60.55%)
If you complete the CSC, then do the CSF it would map to 193 of the 256 800-53 Controls (75.39%)
As you can see, there’s definately a benefit to working through the controls in this order.
Now, like a good student, I am going to show my work. The attached Excel file is a list of all the mapping info. I compiled information from the above sources to make this. The layout is the same as I had previously used. The first four tabs list the details of the controls that are mapped, as well as the controls that are missed. Then there are three “Summary” tabs with the specific control data removed.