The NIST Cybersecurity Framework (CSF) is a voluntary guidance document intended to assist organizations in managing and mitigating cybersecurity risks. The CSF provides a common taxonomy and language for understanding, assessing, prioritizing, and communicating cybersecurity risks, as well as links to additional guidance, such as existing standards, guidelines, and best practices for managing those risks.
Through our Software Compliance Testing service for NIST CSF, we assess and test vendors’ software solutions to ensure they support NIST CSF guidance. After a thorough evaluation, we feature these solutions on our website.
NIST CSF Compliance Testing Controls
Compliance Testing for NIST CSF relies on credible, objective testing controls based on the intent of NIST CSF guidance. This approach incorporates the perspective of consultants and of various specialists, including affected software vendors, developers, users, and industry groups, so that the controls align with organizational needs. NIST CSF compliance testing controls cover the following software control categories:
Application and DevOps Security
PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle. This subcategory under the Protect function emphasizes incorporating security practices throughout the software development lifecycle, aligning with DevOps principles.
GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle. This subcategory highlights the importance of considering supply chain security, which is crucial in a DevOps environment relying on various third-party tools and services.
ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties. This encourages incorporating security testing within the development process, a key aspect of DevOps security.
Asset Inventory and Management
ID.AM: The entire category of Asset Management under the Identify function focuses on identifying and managing assets.
ID.AM-01, ID.AM-02, ID.AM-04: These subcategories explicitly mention maintaining inventories for hardware, software, services, and systems, including those provided by suppliers.
ID.AM-08: This subcategory emphasizes managing systems, hardware, software, services, and data throughout their lifecycles, crucial for a comprehensive asset inventory.
Awareness and Training
PR.AT: The Awareness and Training category under the Protect function addresses awareness and training directly.
PR.AT-01 and PR.AT-02: These subcategories highlight providing awareness and training to all personnel and those in specialized roles to ensure they are aware of cybersecurity risks and possess the necessary knowledge and skills.
Backup and Recovery
PR.DS-11: Backups of data are created, protected, maintained, and tested. This subcategory emphasizes the importance of data backups and their protection.
RC.RP: The entire Incident Recovery Plan Execution category under the Recover function focuses on restoring operations after an incident.
RC.RP-03: This specifically mentions verifying the integrity of backups before using them for restoration.
Audit and Compliance Management
GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed. This addresses the need to understand and comply with relevant regulations.
GV.OV: The Oversight category focuses on reviewing cybersecurity risk management activities and using the results to make improvements, which is essential for audit and compliance.
Data Security
PR.DS: This category under the Protect function focuses on managing data securely to ensure confidentiality, integrity, and availability.
PR.DS-01, PR.DS-02, PR.DS-10: These subcategories detail protecting data at rest, in transit, and in use, covering a wide range of data security scenarios.
Endpoint and Device Protection
PR.PS: The Platform Security category under the Protect function addresses securing hardware and software components.
PR.AA-06: This subcategory emphasizes managing and monitoring physical access to assets, a critical aspect of endpoint protection.
PR.PS-01, PR.PS-02, PR.PS-03: These subcategories emphasize managing configurations, maintaining software and hardware, and ensuring secure disposal, all crucial for endpoint protection.
Identity Management and Access Control
PR.AA: This entire category focuses on managing access to physical and logical assets and ensuring that access is granted based on authorized identities and privileges.
PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-04, PR.AA-05: These subcategories detail managing identities, authenticating users and devices, managing access permissions, and enforcing the principle of least privilege.
Incident Response
RS: The entire Respond function focuses on taking appropriate action regarding detected cybersecurity incidents.
RS.MA, RS.AN, RS.CO, RS.MI: These categories cover various aspects of incident response, from management and analysis to reporting, communication, and mitigation.
Logging and Threat Detection
DE.CM: This category focuses on continuously monitoring assets for anomalies and indicators of compromise, a core aspect of threat detection.
PR.PS-04: This subcategory specifically mentions generating log records and making them available for continuous monitoring.
DE.AE: The Adverse Event Analysis category deals with analyzing collected data to identify and understand potential cybersecurity incidents.
Network Security
PR.IR-01: Networks and environments are protected from unauthorized logical access and usage. This specifically addresses securing networks from unauthorized access.
ID.AM-03: Maintaining representations of authorized network communication and data flows can contribute to understanding and securing network activities.
Posture and Vulnerability Management
ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded. This is a fundamental activity in vulnerability management.
ID.RA-06: Choosing, prioritizing, and planning risk responses based on identified vulnerabilities are important parts of managing an organization’s security posture.
Risk Assessment and Management
ID.RA: The entire Risk Assessment category focuses on understanding the organization’s cybersecurity risks.
GV.RM: The Risk Management Strategy category addresses establishing priorities, risk tolerance, and strategies for managing risk.
Software Bill Of Materials (SBOM)
While the term “Software Bill Of Materials” (SBOM) is not explicitly mentioned in the CSF, some subcategories relate to the concept:
ID.AM-02: Maintaining inventories of software, services, and systems can be seen as a step towards having an SBOM.
GV.SC-04 and GV.SC-07: Knowing and assessing suppliers and their products, particularly for software components, aligns with the principles of SBOM.
Zero Trust Network Access
While Zero Trust is not explicitly mentioned in the CSF, some subcategories support its principles:
PR.AA-03: Authenticating users, services, and hardware aligns with the principle of “never trust, always verify.”
PR.AA-05: Enforcing the principle of least privilege and separation of duties is a core aspect of a Zero Trust approach.
Continuous Evaluation Process
Compliance Labs has developed the compliance continuous testing process as a fundamental aspect of the NIST CSF compliance testing controls. The continuous evaluation process monitors new cybersecurity regulations, standards, compliance requirements, and framework best practices, and updates the testing criteria accordingly to drive software compliance effectiveness and quality over the long term.