The NIST Cybersecurity Framework (CSF) is a voluntary guidance document intended to assist organizations in managing and mitigating cybersecurity risks. The CSF provides a common taxonomy and language for understanding, assessing, prioritizing, and communicating cybersecurity risks, as well as links to additional guidance, such as existing standards, guidelines, and best practices for managing those risks. The category and subcategory identifiers used below (for example GV.SC-09 and PR.PS-06, under the six functions Govern, Identify, Protect, Detect, Respond, and Recover) are those of CSF 2.0.
Through our Software Compliance Testing service for NIST CSF, we assess and test vendors’ software solutions to ensure they support NIST CSF guidance. After a thorough evaluation, we feature these solutions on our website.


Compliance Testing for NIST CSF relies on credible, objective testing controls based on the intent of NIST CSF guidance. The controls incorporate the perspective of consultants and of other specialists, including affected software vendors, developers, users, and industry groups, so that they align with organizational needs. NIST CSF compliance testing controls cover the following control categories:
PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle. This subcategory under the Protect function emphasizes incorporating security practices throughout the software development lifecycle, aligning with DevOps principles.
GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle. This subcategory highlights the importance of considering supply chain security, which is crucial in a DevOps environment relying on various third-party tools and services.
ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties. This encourages incorporating security testing within the development process, a key aspect of DevOps security.
ID.AM: The entire category of Asset Management under the Identify function focuses on identifying and managing assets.
ID.AM-01, ID.AM-02, ID.AM-04: These subcategories explicitly mention maintaining inventories for hardware, software, services, and systems, including those provided by suppliers.
ID.AM-08: This subcategory emphasizes managing systems, hardware, software, services, and data throughout their lifecycles, crucial for a comprehensive asset inventory.
PR.AT: The Awareness and Training category under the Protect function addresses security awareness and training directly.
PR.AT-01 and PR.AT-02: These subcategories highlight providing awareness and training to all personnel and those in specialized roles to ensure they are aware of cybersecurity risks and possess the necessary knowledge and skills.
PR.DS-11: Backups of data are created, protected, maintained, and tested. This subcategory emphasizes the importance of data backups and their protection.
RC.RP: The entire Incident Recovery Plan Execution category under the Recover function focuses on restoring operations after an incident.
RC.RP-03: This specifically mentions verifying the integrity of backups before using them for restoration.
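PR.DS-11 and RC.RP-03 together ask that a backup be tested and its integrity verified before it is used for restoration. The following is an added example (not code from the original page or from Compliance Labs) of the minimal check that satisfies that intent: a manifest of SHA-256 digests over the backup set, protected by an HMAC so that an attacker who can rewrite backup files cannot simply rewrite the manifest to match. The backup directory, its two files, the manifest path, and the key constant are all constructed for the example; in practice the key would live in a KMS or HSM, separate from the backup storage.

```python
"""Hash-manifest integrity check for a backup set before restoration (added example)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed, hypothetical key for the example only. Keep the real key separate
# from the backup storage so tampering with the backup cannot also re-sign the manifest.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (backups can be far larger than memory)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file in the backup set (relative POSIX path) to its SHA-256 digest."""
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            files[p.relative_to(backup_dir).as_posix()] = sha256_file(p)
    return {"files": files}


def write_signed_manifest(backup_dir: Path, manifest_path: Path, key: bytes) -> None:
    """Serialize the manifest canonically and store it with an HMAC-SHA256 tag."""
    body = json.dumps(build_manifest(backup_dir), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    manifest_path.write_text(json.dumps({"manifest": body.decode(), "hmac": tag}))


def verify_backup(backup_dir: Path, manifest_path: Path, key: bytes) -> list[str]:
    """Return a list of problems; an empty list means the set may be restored."""
    doc = json.loads(manifest_path.read_text())
    body = doc["manifest"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Check the manifest itself first: a forged manifest makes every file check meaningless.
    if not hmac.compare_digest(expected, doc["hmac"]):
        return ["manifest HMAC mismatch: manifest is untrusted"]
    recorded = json.loads(body)["files"]
    current = build_manifest(backup_dir)["files"]
    problems = []
    for rel, digest in recorded.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in recorded:
            problems.append(f"unexpected extra file: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed backup set, verify it clean, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "dump.sql").write_bytes(b"INSERT INTO users VALUES (1, 'alice');\n")
        (backup / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = Path(tmp) / "backup.manifest.json"  # stored outside the backup set
        write_signed_manifest(backup, manifest, MANIFEST_KEY)
        clean = verify_backup(backup, manifest, MANIFEST_KEY)
        # Simulate tampering: one file altered, one file deleted.
        (backup / "db" / "dump.sql").write_bytes(b"INSERT INTO users VALUES (1, 'mallory');\n")
        (backup / "config.yaml").unlink()
        tampered = verify_backup(backup, manifest, MANIFEST_KEY)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup:", clean)
    print("tampered backup:", tampered)
```

A restore job would call `verify_backup` and refuse to proceed on any non-empty result; a periodic job that runs the same check on stored backups is the "tested" part of PR.DS-11, and it catches silent corruption long before an incident forces a restore.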
GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed. This addresses the need to understand and comply with relevant regulations.
GV.OV: The Oversight category focuses on reviewing cybersecurity risk management activities and using the results to make improvements, which is essential for audit and compliance.
PR.DS: This category under the Protect function focuses on managing data securely to ensure confidentiality, integrity, and availability.
PR.DS-01, PR.DS-02, PR.DS-10: These subcategories detail protecting data at rest, in transit, and in use, covering a wide range of data security scenarios.
PR.PS: The Platform Security category under the Protect function addresses securing hardware and software components.
PR.AA-06: This subcategory emphasizes managing and monitoring physical access to assets, a critical aspect of endpoint protection.
PR.PS-01, PR.PS-02, PR.PS-03: These subcategories emphasize managing configurations, maintaining software and hardware, and ensuring secure disposal, all crucial for endpoint protection.
PR.AA: This entire category focuses on managing access to physical and logical assets and ensuring that access is granted based on authorized identities and privileges.
PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-04, PR.AA-05: These subcategories detail managing identities, authenticating users and devices, managing access permissions, and enforcing the principle of least privilege.
RS: The entire Respond function focuses on taking appropriate action regarding detected cybersecurity incidents.
RS.MA, RS.AN, RS.CO, RS.MI: These categories cover various aspects of incident response, from management and analysis to reporting, communication, and mitigation.
DE.CM: This category focuses on continuously monitoring assets for anomalies and indicators of compromise, a core aspect of threat detection.
PR.PS-04: This subcategory specifically mentions generating and making log records available for continuous monitoring.
DE.AE: The Adverse Event Analysis category deals with analyzing collected data to identify and understand potential cybersecurity incidents.
PR.IR-01: Networks and environments are protected from unauthorized logical access and usage. This specifically addresses securing networks from unauthorized access.
ID.AM-03: Maintaining representations of authorized network communication and data flows can contribute to understanding and securing network activities.
ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded. This is a fundamental activity in vulnerability management.
ID.RA-06: Choosing, prioritizing, and planning risk responses based on identified vulnerabilities are important parts of managing an organization’s security posture.
ID.RA: The entire Risk Assessment category focuses on understanding the organization’s cybersecurity risks.
GV.RM: The Risk Management Strategy category addresses establishing priorities, risk tolerance, and strategies for managing risk.
While the term “Software Bill Of Materials” (SBOM) is not explicitly mentioned, some subcategories relate to the concept:
ID.AM-02: Maintaining inventories of software, services, and systems can be seen as a step towards having an SBOM.
GV.SC-04 and GV.SC-07: Knowing and assessing suppliers and their products, particularly for software components, aligns with the principles of SBOM.
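As an added example (not code from the original page or from Compliance Labs), this is the kind of check that turns an SBOM into the inventory ID.AM-02 asks for and the supplier knowledge GV.SC-04 asks for: it reads a CycloneDX JSON document and reports components that cannot be tracked (no version or no package URL) and components with no declared supplier. The SBOM below is constructed for the example; the component names and suppliers in it are illustrative, not a real project's dependencies.

```python
"""Inventory and supplier coverage check over a CycloneDX JSON SBOM (added example)."""
import json
from collections import Counter

# Constructed sample SBOM in CycloneDX 1.5 JSON layout; not a real project's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "billing-api", "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0", "supplier": {"name": "Python Software Foundation"}},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "vendored-crypto"},  # copied into the tree: no version, no purl
        {"type": "container", "name": "alpine", "version": "3.19",
         "purl": "pkg:oci/alpine@3.19", "supplier": {"name": "Alpine Linux"}},
    ],
})


def load_components(sbom_json: str) -> list[dict]:
    """Parse the SBOM and return its component list; reject non-CycloneDX input."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def inventory_gaps(components: list[dict]) -> list[str]:
    """Components that cannot be tracked as inventory items (ID.AM-02): no version or no purl."""
    gaps = []
    for c in components:
        missing = [field for field in ("version", "purl") if not c.get(field)]
        if missing:
            gaps.append(f"{c.get('name', '<unnamed>')}: missing {', '.join(missing)}")
    return gaps


def unknown_suppliers(components: list[dict]) -> list[str]:
    """Components with no declared supplier, so the supplier is not 'known' (GV.SC-04)."""
    return [c.get("name", "<unnamed>") for c in components if not c.get("supplier", {}).get("name")]


def component_type_counts(components: list[dict]) -> dict[str, int]:
    """How many components of each CycloneDX type (library, container, ...) the SBOM lists."""
    return dict(Counter(c.get("type", "unknown") for c in components))


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    print("by type:", component_type_counts(comps))
    print("inventory gaps:", inventory_gaps(comps))
    print("no declared supplier:", unknown_suppliers(comps))
```

Run in a CI job against the SBOM the build produces, a non-empty `inventory_gaps` result is a release-blocking finding: a component with no version or package URL cannot be matched against vulnerability advisories later, which defeats the purpose of keeping the inventory.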
While not explicitly mentioned, some subcategories support the principles of Zero Trust:
PR.AA-03: Authenticating users, services, and hardware aligns with the principle of “never trust, always verify.”
PR.AA-05: Enforcing the principle of least privilege and separation of duties are core aspects of a Zero Trust approach.

Compliance Labs has developed a continuous compliance testing process as a fundamental part of the NIST CSF compliance testing controls. This continuous evaluation process monitors new cybersecurity regulations, standards, compliance requirements, and framework best practices, and updates the testing criteria accordingly, to sustain the effectiveness and quality of software compliance over the long term.
