Security Control Framework

Must post first. When performing a gap analysis, one must have an understanding of the desired future or “to be” state. For cybersecurity focused gap analyses, we frequently use IT security controls as the means by which we describe the “to be” (or “should be”) state of IT systems and Information Security Management Programs. There are a variety of guidance documents which list and define sets of security controls. Each of these documents or sets of controls has an underlying framework. One of the newest frameworks that sets forth a collection of “security controls” is the NIST Cybersecurity Framework https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf. Mapping and alignment efforts are currently underway to provide guidance to federal agencies and contractors for using NIST CSF and NIST SP 800-53 together since compliance with both is now required of them. Federal contractors and many other businesses are in a position where they must implement both either by contractual requirements or by choice. Research and then prepare a short briefing paper (5 to 7 paragraphs) which explains the following in language suitable for an executive audience: 1. What is the NIST Cybersecurity Framework? (explain how it is organized, i.e. core functions, tiers, etc.) How does the CSF differ from the way that controls are presented in NIST SP 800-53? 2. Compare the NIST CSF functions to the NIST SP 800-53 families of controls (provide 3 to 5 specific examples of overlap or commonalities). Use this document to help you identify overlapping areas: https://www.nist.gov/document/csfsubcategories-sp80053mappingxlsx 3. Discuss the issues or problems that an organization may face in using both the CSF and the 800-53 control sets within a single Information Security Management program.