
[Music] as I said I'd like to start on time for those of you who are here on time hope you guys can hear me pretty well um this session is on the new nist cyber security framework which has only been out for a little over a month so uh show of hands how many people here have used the prior in this you the Cy framework at work okay so about half or so um this is more aimed by people who have never been familiar with it but you know hopefully I won't bore you that that H are familiar with it so a little bi biom I'm not going to go into it um I will point out that I
spent seven years doing the wonderful job of being a seric consultant where I went into different companies of different sizes and types and assessed them against various Frameworks and standards and whatnot one of them being the N framework you know 10 when it existed one one when it existed um so I had that exposure to what it was and and assessing companies and dealing with some uh misunderstanding that people had about it and so forth um I I don't do that anymore um but I'm still I still have kind of a hobby if you will of watching these different Frameworks and standards and so forth uh and see how they change and I was involved with all
the work that you know gave us to you know n you know the CSF 20 so kind of rundown we're going to go through some some history and background something about Frameworks and controls uh then we'll get into the the nitty-gritty of this of the new CSF 20o and some of the elements and so forth uh I will also give you a lot of resources and so forth uh for those of you who are curious um because I'm kind of a a nerd about this this is actually the CSF and all the related documents I like to do this I like to print them out because I like paper I'm a Ludy in that that sense and
so I go to office supply store and say Hey you know spiral bound it so this is all the two stuff um this is the all the one one stuff and this is the Privacy framework 10 I'll mention a little bit about that toward the end so history this is the just basic history of this of the CSF is started out back in 2013 with an executive order they started doing some work on it and so forth uh what this doesn't show is there was all lot of public workshops what I found interesting with the CSF versus other Frameworks is that if you wanted to be involved in developing it and input into it you could do so you
know um you if you're familiar with the iso 270001 Frameworks and stuff like that us ordinary folks have will have no chance whatsoever to be involved with that let's let's be honest so most of these Frameworks and standards that that are out there a lot of us you know we won't have an import because it's coming from nist which is a federal agency that we fund with our tax dollars they are very open and open for public input and comments and this sort of stuff and if you want to get involved in these sort of things going forward you may do so so 2014 the first version was was released they did more work and so forth even a
conference in Baltimore which was pretty interesting uh they then have this uh Cy enhancments act which meant the change it from being oh it's just an executive order now it's a federal law that n is to create and develop and maintain the CSF and then in 1 one was released in 2018 so basically four years so we're a little bit beyond that fouryear period and um this is the road they did for 20 you know for 2000 which basically over two years you know requests for input uh comments and so forth uh workshops which were all virtual though this one they did have some working sessions where there was face-to-face meetings uh at the niss headquarters so a lot of
concept papers and drafts and this sort of stuff and all of this was done publicly if you're curious to know what these papers were and the concepts they put forth in the drafts they're all out there for you to pick up and take a look at you know there was no secrecy if like I said these were these were workshops that anyone could go in and be involved in I did you know because they were all public and we had a lot of there was like hundreds and hundreds of people and not just what I find very strange with the CSF is a lot of foreign interest in it you know they they created the N CSF
for you know us you know critical infrastructure yet there has been from the get-go a lot of foreign interest in it th there's like foreign translations and they know a lot of other foreign company countries have taken it and used it as well and then of course finally in February of this year 20 was was released so I wanted to quickly touch on controls hopefully you guys know what controls are but I've always encountered people that that don't or they have a misunderstanding you know so basically just activities that you the people perform or systems to ensure the business objectives are met kind of really kind of lame you know kind of explanation but it is it's sort of like
okay you know if we want to make sure that you're doing things properly this is the process you need to follow to make sure things are done well like okay we want you to do this activity we want you to do this activity and so forth um in it controls there's things such as change management you know are you updating software was that done properly or did you blow things up and and wreck things you know Access Control who has access who determined who who that who got access was that approved um backups Incident Management all these are important security controls um and many times we need to have and the the things is important is
controls can be policies they can be procedures they can be guidance you know I emphasize that because I've encountered people where said where they ask me oh do you control oh yeah I work with policy procedures and I get a dirty look and I'm like yes dude policies are controls you know it's not just this it's not just some automated system you know if you have a password policy that says our passwords must have this construction great you need to have it in your freaking policies and then you implement it in your system to enforce it they go together so sorry to be pantic about it but I get I've gotten pretty annoyed with uh people not understanding these
sort of Concepts um so here's an example of a control and I'm I use with one which so they have you know have protection against bware pretty straightforward and in version 11 This was um um blanking and the thing with the de cm4 which is malicious code is detected and just so you understand this is what is in the CSF and that's all that's in the CSF doesn't go any any further to it this is why in the CSF that we we match up what are called informative references which we tie into other Frameworks that way we can get into all the big nitty Dy details in those so in this case they they tie this to kit and
2701 and all the others and so forth because it was just easier that way um I'm not sure if you you guys hav looked at the controls in ISO 2702 but they get pretty in depth you I think malware is probably a page or two of information so with the CSF they're not going to put all that into the CSF they make they they're very high level you know controls then they match them up with all these informative references so that you can get into the nitty-gritty now that's in one in 20 they've now changed it they have now it's now part of De CM9 Computing hardware and software and their data are monitored to to find
potentially Adverse Events you know kind of kind of more generic but that's how that's what they've done in the new 20 and of course thing is I I messed up and should have had this in another slide is then you have of course your Frameworks which of course pull together these C these controls as a sort of suggestion this is what you want to have that's where you get your you know your Frameworks like 27,2 NIS 853 uh for those of you in in the session last you know 800 171 and so forth these are collection of Frameworks because unfortunately and this again my experience as a consultant is a lot of people you know if you say like okay
you're now in charge of our security program here at our company what do we need to implement a lot of people were like uh I'm not sure they they basically need to have someone to come in and say okay look yeah here's a list of H 100 controls this is what you need to put into place oh okay great I'll take that and and implement it um so the a lot of people unfortunately need to be given a list of things to do to implement in their system uh to have a secure environment and that's where we get our Frameworks and standards and so forth so on the SEC framewor this was actually the original Lane framework for
improving critical infrastructure cyber security that was the big thing when they roll it out was you know our critical infrastructure you know power plants dams um brid uh uh and all these sort of things and then it kind of went beyond that where it's like oh we can use this for small businesses we can use this for Mom and Pop shops and this sort of thing uh now it's just the N cyber secy framework it's it's as simple as that like said this is the front cover of it it's you very very simple version one uh I said was released in 2014 it was 41 Pages you know as compared some other Frameworks that are like hundreds
version 10 came out like 4 year later 48 pages wasn't that much longer um and of course 20 which came out it's 27 pages and if you find that surprising that's because they pulled out a lot of stuff and put it into supplemental documents which I will talk about um and like I said it's it's it's it's very high level as a framework it is voluntary still um I I have heard of things that within the government space they're now kind of enforcing it with some government agencies uh similar to to fisma um but outside no one has yet started to enforcing its use um I'll be honest I I've been think I would think that with
the importance of like cyber security insurance that some of those organizations might start pushing it but I haven't seen it yet uh I know even with you know because I do do handle the uh the questionnaire we get from our our sub security and carrier they they'll ask things like oh do I have a instant response policy do I have a disaster recovery policy and so on and so forth but I don't see things like oh have you been assessed against the cybery framework you know how do you how does your company stand up against that I haven't seen that yet I keep expecting that but who knows again it is not it is not a one-size
fits all um that's again a problem with Frameworks especially with those people who don't quite get it where I talked about oh you give them a list of you know oh here's 100 controls you know you need to look at those Hunter controls and say like oh yeah this makes sense this makes sense oh this one here this doesn't make sense um you know I'm sorry my company doesn't have a loading dock I don't care about loading dock security and no I'm not joking I'm I'm literally that way we do not have a loading dock at my company I don't care about loading dock security I'm not going to spend any time on that I think
I can skip that and focus on the important things as well as this is also something that people don't quite get is you get that list of 100 controls you need to be doing a risk assessment and realize oh um we need to add some to that list no one seems to want to talk about that but that's that's how Frameworks work this is the basic component of the Cy framework it's three parts the core which are basic the controls that's where most people focus on profiles which you know again gets into like you know where you're at where you want to be what's the Gap and address it and then the third part which I don't care
for and most people don't seem to care for which is the implementation tiers which gets into a sort of maturity model that's not quite a maturity model uh so again to more nity about the the framework uh it is now six functions it used to be five so it's been an improve a change um the next one is course our categories and I think I thought this was kind of when I start looking at the numbers is it's 22 categories the last version was 23 the first one was 22 so there's been no no change in the category numbers and then the subcategories which gets more more granular it's not a big change either what it's now 107 it was
106 you know what they also do is they they they crossmap the subcategories to the new thing this time is implementation examples I'll talk about that shortly and then the informative references however these two are not in the document they're online because the idea is that they're going to be expanding and adding to them and this sort of stuff so they're not going to put it in the actual document itself so that's also how it they're able to keep the document shorter profiles have done a lot of big work on profiles so now we have the concept of not just a your current profile and your future profile but this idea of a community profile which I
think is very very powerful and then um you know the tears this if you this is the logo for the CSF which I've always liked so that's the original logo with one one and this is the new one so I said they've added you know they had the identify protect detect respond recovery which are the which are the five chords they add the sixth one and I was thinking how are they going to do that going they cram it in into the circle and said the sixth one is govern and then did it this way which I think is wonderful because the idea is that govern is kind of like the foundation for the other
five the another thing I like about this being a circle is again you get people who are like you know oh so I start here and I go D and I'm done and no you're not because the circle is better because you start typically with identify and you work your way around get to recovery and guess what comes next you start all over again and make improvements and it's it's it's it's going to be continuous Improvement or continuous process Improvement however it needs to be an ongoing activity you got to be doing better you go through one year and you come back and you say okay let's do another risk assessment see what we're doing what can we doing better you know
and so forth and you know for my for my company we get assessed by other Frameworks and standards and whatnot and sorry when they come back the next year it's not going to be oh we're going to do the same thing it's like oh we're at a new version we need more stuff and you need to do better and you need to add this stuff so it it's I like the circle better because hopefully it puts in people's mind that it's it's continuous you know never stops keeps on rolling uh this is also the way I a lot of these Graphics by the way are pulled from the document itself so yes
Pi up you said mostly Identify say happens resp well the idea is that when you're setting up your framework and where you're where what you have the first thing is you want to know you you start with identify because you have to find out what it is you have to secure that's the idea and you might that might seem strange but I've gone to companies where like I and say hey could you give me your inventory of your hardware and your software and I get like H the thing is you can't secure what you don't know what you have that's why you have to know what what Hardware do you have what systems do you have what data
do you have once you have that then I can figure out how to protect it and and detect it respond is Oh Heaven forid you have it you do have an incident and then you recover for it but that's that's why we talk about you talk you start with identify you figure out what the heck you have so this is also the idea is that you have your functions now six categories and then you get into subcategories um another one here that's all again from the from the book where you also you talk you tie in all the C subcategories into the the implementation examples and the informative references so these are the these are
the six functions and most of them are pretty straightforward you know govern establish and monitor the organization cyber security risk management strategy expectations and policy you know you're letting your ground B what is your policy what is your posture you know what are your risks you know are you a Health Care Organization that has to worry about protecting Phi or are you a retail organization that has to worry about protecting credit card information you know or your defense contract where you dealing with very sensitive information whatever that may be you know that's all going to be different you know it's not one size fits all different organizations have different needs identify again you know you understand your risk but to do that
you have to understand what the heck you have protect you put in Safeguard to protect that detect you know you're watching for that activity you know whether it's a uh Security operation Center or automated tools or what have you you you respond you respond to a detected Incident That's your instant response you know practices and recover that's your disaster recovery get back up and running um honestly when I deal with a lot of it a lot of infos people most of them seem to want to hang around in the detect protect area that's that that's that's the cool place you know oh I'm I'm red team I'm blue team that's there um you know and then your ins
response folks they're kind of like over here a little bit and your Disaster Recovery sometimes we kind of don't even think of Disaster Recovery as being infosec people and then of course the Govern you know it's like oh God those those are the those are those compliance people you know so that you know the the thing is if if you work in the Pro you know if you are inos and you're working up upwards in the in the in your career you find out that no you need to understand more of it and it all works together okay and then of course this one you know goes into showing what it is um things that are broken out and
most of them it's pretty straightforward I mean recovery you know you execute your instant response plan you know you do Communications okay detect okay continuous monitoring okay that's your you know seam tool and this sort of stuff all always watching you know always watching always watching and that let you know and of course you know if you have anything you want to analyze it was that really an issue or was it you know some idiot you know kicking a can or what have you I wanted to go a little bit more further into some of these to get you understand like so so govern has like organizational context you know things like you know having a mission
stakeholder expectation all that really boring dull stuff that most of us don't care about but is really important um you know your risk management strategy you know what are your priorities your constraints a lot of this is going to be unfortunately be done more by your upper management um than the practitioners roles were responsibilities you know who's doing what you know that gets into into things like a rasky chart you know who's responsible for this who's responsible for that you know who's your inst response team and stuff like that you know have your policy put into place um you know your oversight you know who's watching all that sort of stuff and then what's become bigger is your
your whole supply chain risk management you know companies are not a monolith a lot of them are now relying upon other companies um you know most companies like oh well yeah we rely you know we're putting our stuff in the cloud okay great now you rely upon their security oh we're using Office 365 they that's where our email is so you're really appying upon that so a lot of companies get really really complex where they go in and they're having like half a dozen or a dozen other companies they have to rely upon not just you know your msps your M ssps your your Cloud vendors and so forth where is not everything is done in house
anymore um and you had to rely upon that want to make sure that that hey you know you had to say like oh it's over in the cloud we don't have to worry about it you do identify is pretty straightforward asset management and again assets are not just Hardware it's also your software it's your data it's your facilities all that sort of stuff you need to understand what that is you know again I when I got into companies I say like okay what data do you have and where is it and I'm like I it's it's it's in the system yeah that doesn't work um and I'm I'm not being I'm being silly but unfortunately I I've had these
conversations then of course you risk of something you need to understand you know what are the risks to your organization and and what things that you you know you face and then of course you you know you want to improve it again I talked about that earlier continuous process Improvement doing better you did okay this year what can you do better next year because the bad guys they're going to come after you and they're going to do do better next year so you need to make improvements as well protect um you know again first off is your basically your I am identity and access management pretty straightforward awareness and training you know you guys are doing security awareness training
right on a regular basis right uh data security you're managing consistently uh platform security hardware and software and so forth you know even if it's virtualized and then of course you you know this concept of resilience if You' hopefully you've heard that term before of cyber resilience you know that is if something happens can your system recover um if you think about it it's like a tree tree in the being blown in the wind you know it gets pushed over but but do it come right back that's resilient versus it gets pushed over and it snaps and breaks it's not resilient uh detect is in continuous monitoring that's become bigger and bigger uh whether it's automated whether it's AI
whether it's sock or all of them and then of course you need to you know do analysis that's one thing I've always seen with incident response is oh yes we got a report is it legit or is it not legit um you know my place we we use um you know certain you know tool and every so often we get this weird ass alert and like okay okay what the heck's going on you go talk to our it admin and like okay are you doing something did you cause oh yeah yeah that was me okay great I don't have to worry about it because if it if it wasn't you then I got to worry and the respond this of course
your instant management you know analysis reporting and communication uh again people kind of forget that is that yeah you have if you have an incident you may be having to report to law enforcement as the case may be um and of course you need mitigate that issue and then recovery it's again that executing your recovery plan and again communication both internal and external uh I think one thing I've always heard is that you know you don't want to have an incident and find out about it because the reporter are showing up at your doorstep because your your data has been exfiltrated or something or uh as I as I had with one of my clients and know I'm
not making this up um when they had interpole show up because a secretary got got spoofed to send money to a terorist account so okay so one thing you might you what they did was they did a lot of reworking one was thing was like you know they had this whole new frame you know this new profile or are they creating new stuff but what they basically did was they kind of reshuffled and move things around um you know so there wasn't you know so they I went through and did did a look at stuff and there's actually a document if you're if you're that curious about it there is a PDF they created that shows all the thing they
moved around so for instance the governance stuff a lot of that they just pulled over from identify in some other areas and put into into governance so they moved about 28 they also merged and moved about 32 um you know there are 14 new ones but they did leave things unchanged and one thing kind of initially threw me off when I was going through it is that they they didn't anything that they left in place they didn't renumber them from the prior version what initially I thought was like well that was kind of weird and like well no no that makes sense because if you if you'd use one one and you had identifi things a certain numbers it
doesn't mess you up because they've renumbered them so if you look at at the subcategories you'll see gaps in the numberings in some cases because it didn't do renumbering um initially threw me off because I was doing a count I'm like going you know oh yeah oh it's it's nine here oh no no no it's not nine because there's five they removed but uh that's what they did um so this is kind of what again when it looks like in the in some of the documents where you have categories you have the subcategories now this picture was taken from the drafts so that shows like where the former ones are see like formerly these in the final version all
that is is gone so implementation example I said this is a new one this this show potential ways to achieve each outcome and it's only available online so this is what it looks like so in this case here we have the organization mission is understood and forms cyi risk management so example share the organization's Mission through vision and mission statements marketing and service strategies to provide a basis for identifying risk that may impede that mission okay pretty straightforward but at least it gives PE people an idea because I know for a lot of people if I if I tell them this they're going to be like I what I don't know what to do but
if we give them this they're like okay I think I understand how to do that um and by also by this being online I think that the idea is that we can have more EX example you see in this one here there's only one example where this one has two so it it's add of people being able to add to it now the informative references that was really you I felt those was really important in one one in version one and one one within the document there was only five so they listed cobit uh the critical security controls um 27,1 and 853 um and then of course if you look at that you're wait a minute
where's PCI where's whatever your favorite frame rare standard is where is that so in one one even though they kept the same five they had you know they added more uh but to make it easier on this this was basically look if you got some framework or standard or whatever that you want to crossmap into CSF great that's on you to do the work and give it to us and we'll put it up on our website we're not going to do the work for you um which is probably good because some of these things get get updated um you know like the critical security controls uh we're up to version eight now um I think when they first started
with the CSF it was a version like six or seven and in some cases I wasn't even sure what version they were talking about so this is something really important that by doing this it kind of offloaded a lot of work off of nist on these other organizations um as I said in 2o there are no informative references whatsoever in the document itself it's all online um and unfortunately there's only like a a two or three um so there's a lot of work that needs to be done in that regards and this is actually a a screenshot of that online you know this if you this is one way you can pull it out an Excel
spreadsheet so you can see how it's done where you got the category subcategories the implementation examples and then the informative references so these are the cross you know different matches up and so forth not so many at this point because it's it's only been kind of the N documents but as it goes on and we get more and more of them um that's going to be pretty packed because in the old version there was like like 30 or 40 informative references and so forth so CSF profiles this is really important because this is a way to figure out where your what your company currently stands against the CSF where your future is and then you know so the
idea is you have current which is where you're at or trying to Future where you want to be at and then of course you want to have a gap analysis where where your gaps and address it now what has become really powerful with profiles has been the concept of of profile and the idea of that is pretty simple it's like okay okay I'm a hospital let's say you know what should i' be doing with the CSF as a hospital you know maybe I'm not too certain but hopefully maybe some Hospital organization has come out and say like oh here is our recommended Hospital Community profile for the CSF that you can follow and that makes it
easy for people to say like oh this is what I need to implement and what I need to be doing um and that's what they did did with the prior one and they're really really emphasizing that uh and it BEC BEC very very powerful because then you can have okay you're in the you're in the financial area okay maybe your insurance or banking maybe there's a banking profile that exists or Insurance you know agent profile and so forth that makes it easier because then you're not just like oh this is my what I kind of like think is the best best way to do it you can have someone at a higher level much more knowledable come and say this
is what we recommend you should do because you're in our industry and you can follow that also they've kind of using the the Profiles In general as a way to implement the CSF the idea being that you figure out where you're at figure out where you need to go and use that as your method to implement the CSF um because the old section they had on implementing has basically gone out the window the idea here is of course you take in objectives and expect ations and whatnot you know to create your current profile and your target profile um this is also taken from the document the idea is you know you Scope it gather information create that
profile analyze gaps Implement and what I've been saying repeat do it again do it again the next year tears um as I said I don't like the tears a lot of people don't like the tears uh you don't have to use the tears um it's a way of looking at kind of like the maturity of your organization when it comes to security uh they have four levels um and they course assess it against different things such as your process you know risk management so forth uh one thing with all maturity models is I don't care whether it's you got three levels or levels or what have you a lot of people have this idea that they got
to get to the top level and you don't because you need to go to the the whatever level is best for your organization because as you try to go to higher levels it'll be a higher cost but is it really to your benefit you know that's a big mistake what people make all that they've said it with the CSF was that they would least like companies to be at level two whether you are going to go to three or four will depend upon your organization if it makes sense for your organization um so again these are the and the thing is with the te is it's a maturity model it's not really a maturity model which is why I don't like
it I prefer a true maturity model myself um and of course they talking about risk governance management third party risk when I think of a maturity model again this is what is a degree of formality optimization of processes going from ad hoc you know ad hoc C to your pants you know oh we'll fix it as we we do best whereas you're more formally defined like oh this is how this is our step- toep process of building machine we've reviewed it we know it works and we're being consistent and so forth um you they can be process oriented people process technology I'm more familiar with the CMM cmmi um I actually was from or it organization
that was officially CMMI level three, so I'm familiar with this. I know a lot of people don't like it because they think it's a lot of overhead, but we didn't get outsourced because we were so efficient, so I see it as a value. Sorry, CMM: Capability Maturity Model. It came originally from Carnegie Mellon, and it worked from that mainly for software engineering, but now it's been expanded outside of software engineering, so CMMI, Integrated, goes beyond that. We were an IT organization that was officially CMMI level three. So this is it: level one up to five, and please note five is not "optimized," it's "optimizing." But to get to four or
five, that's very, very difficult, a lot of expense. And you'll get the people who go, "oh yeah, but there's also a level zero," that's where you're doing nothing, you're horrible, and then you get the wag who's like, "oh yeah, but there's also level negative one," or the ones that are even worse than that. So there's a lot of [inaudible] also with privacy. I'll just say this about privacy, quickly, because a lot of people misunderstand it. Because you think about it, it's like, "oh well, I don't want you to see my diary, that's private," private or secure, security and privacy is
the same thing. No, it's not. Here's the easiest way to think about it: security is dealing with access, privacy is dealing with usage, and we need them together, because we don't want you to access my data because I don't want you to misuse my data. That's more when you get into privacy in the healthcare realm; we're using privacy in terms of how you use that data. So the issue with data processing that we get a lot is like, okay, I'm in a hospital, I can't use that data to, like, sell you stuff, and things like that. But there is a lot of overlap
between security and privacy, but there are some other things that kind of change, that don't. And of course there's the Privacy Framework from NIST as well, and there is actually overlap between them. It's going to be kind of interesting where things are going. So some of the next steps: like I said, 2.0 was actually released in February, so it's a little over a month old. As I noted, we need a heck of a lot more informative references; there's very, very little. They've created a lot of supplemental materials, which I'll talk about, but they need to be finalized; several are in initial public draft still. And I'm not sure if people are
familiar with the Baldrige Cybersecurity Excellence Builder. NIST has a program called the Baldrige Excellence Program to get companies to be more quality-focused, and they created the Baldrige Cybersecurity Excellence Builder way back in 2019, but it's tied to version 1.1, so we need to have a new version. And NIST is now starting to do an update of the Privacy Framework, so if privacy is your bag, you might want to take a look into it. This is what they have on the website, except there's a little problem: we're in quarter two, and we haven't even gotten any concept
papers. That was supposed to be in quarter one, so they've kind of slipped. There have been no concept papers yet, there have been no workshops scheduled yet, and we're already in Q2. So maybe they've kind of slipped, I don't know, and I'm a little bit concerned, because they seem to think they're going to get this all done this year and roll out version 1.1 beginning next year. Maybe a little bit too ambitious, I don't know. But because I do have to worry about privacy as well where I'm at, I will definitely keep an eye on this. So some resources. NIST actually has a lot of resources, so the first is their
website for all cybersecurity stuff. If you want the Privacy Framework, that's the next one. NICE Framework, I'm not sure if you're familiar with that; basically that's a framework to set down standards for infosec jobs and responsibilities, so there's a lot of coverage. I didn't really know this, but they actually have a whole small business cybersecurity corner now. And then I mentioned the Baldrige; that's where you can go for that. Of course, if you go to cybersecurity, you can go to related programs and go from there, so it's pretty straightforward. So these are the other documents they've created, which I have copies of, so
they've got a resource and overview guide, a small business quick start guide, using organizational profiles, using the tiers, enterprise risk management, cyber risk management, and then a guide to creating the community profiles. Several of them, if you see IPD, that means initial public draft, so they haven't been finalized yet. And I'm kind of a document nerd. Does anyone notice a problem with my list here? Where is SP 1304? I noticed a gap there, so I don't know, is that a planned document that they're still working on, or what? So I notice those sorts of
things, but I'm weird. That's actually the website for the small business corner I mentioned. Training: there is no official training for the Cybersecurity Framework, okay? The only one I'm very familiar with is from ISACA, but they built it around using COBIT to implement the CSF, and I never quite figured that one out. If you're not familiar with this organization, this one has really been pushing their certifications, and their whole program is built upon the CSF. These are two books; you can get them off of Amazon, you can go to the website, and I just saw on LinkedIn they've got a,
they now have a partnership of some sort with HP Enterprise to push out their training and this sort of stuff, so if that's your bag, that's something to look at. Certification, especially in light of what was the session before me on the CMMC and their whole framework and the whole system of certifications. The thing is, I've seen the same for ISO 27001 and COBIT and all these other frameworks, where your company can be certified to be compliant with the framework and people can be certified to be compliant or to know it. There isn't any, as far as I know, and I base this upon
conversations when I've gone to these workshops: NIST is not interested in this. They don't want to push any official "NIST CSF certified company" and all; they don't want to get into that. So, good or bad, I don't see that changing, but I just know from the workshops they're like, "yeah, no." Because I've seen some silly stuff with this. When I was a consultant, I had companies that were like, "oh yeah, we want to be certified, we want you to come assess us against the CSF and give us our CSF rating number," and I'm like, "rating number? What are you
talking about?" I'm fairly knowledgeable about it, and I had never heard of any sort of rating number for the CSF, but I guess some people out there think that. I'm kind of a book nerd, and I've always been kind of disappointed that no one has really come out with a complete Dummies book for the CSF or anything like that. The only people who have done it has been ISACA, and it's tied to their using COBIT to implement the CSF; whatever, guys. So some conclusions. I had a hope that we were going to get rid of the tiers; yeah, I guess that sucks to be
me. Obviously they're going to have to continue to add to the informative references. I'm hoping that we'll get more examples. They continue to add to the website; I mean, I was really, really impressed. I went and looked at all the stuff they had there; they've been doing a lot of good stuff up on their website, and hey, we paid for it, so let's put it to use. They've had a lot of good stuff, all the new supplemental information; all the quick start guides were great. One thing that was missing, and this is more if you're familiar with it from the old days, was they always had a road
map document that kind of laid out their plans of what they felt needed to be coming from the CSF, and they don't have it this time, and I don't know if it's just that they're still working on it or what. I kind of missed that. It was interesting; we continue to see more groups and organizations continue to use it. I've always been very amazed by how much international interest there has been with the CSF. When I went to some of the workshops, they actually had whole sessions with people from foreign governments there to talk about it and this sort of stuff.
We created it for us in the US, but to me it's amazing how much interest there is overseas. I still hope to see more resources. I mean, to me, when I see third parties come out with books and other resources, that shows [inaudible] something, and it's kind of surprising to me that we haven't seen more. But that's me, and maybe that's just my idea. So, any questions? I certainly want to get feedback on this, because I try to improve this. I'm actually trying to offer this at some other conferences, so I like feedback. I'm particularly looking for things like, "ew, you
spent too much time on blah, that was dumb, I wanted to hear more about this," because obviously this is kind of like my view of what I thought was important, and I'm trying to avoid going too deep down the rabbit hole with stuff and try to give a good mixture. But certainly I want to hear from other people. So...
Yes, there isn't. That's part of the problem: that was something that was brought up at past workshops, metrics and measurement and this sort of stuff, and that used to be in the roadmap, and they've never really addressed that. And to a degree NIST is sort of like, they didn't really want to do that; they were hoping to push it off to some nebulous "someone else will take care of it," and no one has. Because I know, as an assessor, that's one thing that a lot of the companies were probably coming to us
like, "well, I want to be... because I want to compare us against these guys," and I'm like, exactly, and there really isn't one. I don't know how it can be, especially when NIST is going like, "not us, leave us out of it." I'm like, so...

Just to augment something you were saying earlier: I think very early you [inaudible] anyone use the framework, but I think that in light of the [inaudible]'s recent regulations, there's been rulemaking on cybersecurity that requires disclosure, but more importantly actually requires you to have a risk program, and so it is a de facto pressure for every publicly traded company to actually use a framework. But in addition to that, one really
interesting thing that [inaudible] applies only [inaudible] that merge or you have a significant amount of private [inaudible], these sorts of things, that you really should at least approach by [inaudible] law
enforcement. Yeah, I think it should; it's something that's coming, but it just has been kind of nebulous like that. I kind of expected that with, like, cyber insurance, because I mean, I get questionnaires from them, like, "well, do you have this, this, this," and I'm like, why can't you say, like, "hey, have you been assessed against [inaudible] framework, and how did you stand in this sort of stuff?" And it probably could be part of, like, there's no real measurement against it; maybe that's why that hasn't happened. For my company, I have to deal with HITRUST and SOC 1 and 2, so that's our assessment. So if you come to me and
my company, like, "have you been...", like, "yeah, HITRUST, SOC 1 and 2, here you go, leave me alone."
But yeah, or even the last session on the CMMC, because I was kind of involved with that, because I became an RP, a Registered Practitioner, in that, and I saw sort of the issues with that. But yeah, it's a big thing in the overall, in the whole industry. Yeah, I would say that
[inaudible] but I would just say to everybody here, you've probably already done this, but where [inaudible] goes.
Yeah, I think [inaudible].
Yeah, I mean, I've been kind of expecting something like that for the last several years, and I'm just kind of surprised that we haven't really seen it. In fact, with our cybersecurity insurance, just like a month ago we got their questionnaire that was more aimed at ransomware, but it was all like, "oh, do you have an incident response plan, do you have disaster recovery, do you have backups, are they immutable," blah blah blah, and nothing like, "oh, have you had an assessment," or this sort of stuff.
As well, even more on that, I mean, I know this from experience, where I was in an IT organization and we moved, because we put the processes in place, we got out of the firefighting mode and got into, like, "oh, now we can give value back to our company, because we are building systems consistently and we're not going in chasing our tail and going and fixing things." But sadly, when I go and talk to other IT people, my peers, and explain this, they're like, "I don't have time for that, I'm firefighting, I can't get out of firefighting because I'm firefighting," and I'm like, "oh God, you know," but...
Right.
Okay, local public government entities [inaudible] framework, going to now, Florida Shield, those organizations, if, and I'm not sure that currently it's just public sector, but those things typically come out as models, so insurance will probably follow things like that.

Yeah, but that's pending; that's big, because that work in the public sector, the lever with [inaudible] do that, because now [inaudible]. Yeah, anything else? Thank you for your time. I'm going to be here all day if you want to [inaudible] me.