An Introduction to Security Frameworks

Lloyd McCoy Jr.By Lloyd McCoy, Market Intelligence Manager

A key takeaway from RSA Conference 2019 was the importance of security frameworks. They encompass security best practices and help government agencies keep their heads above water amid all the cyber threats that are out there. When breaches do occur at the federal level, the post-mortem usually reveals some deficiencies in compliance.

For the federal government, the National Institute of Standards and Technology (NIST) is the primary source for security standards. The Office of Management and Budget (OMB) requires that agencies comply with NIST guidance. If you sell technology to the government, it’s important that you be familiar with security frameworks, because they play a big factor in why agencies buy what they buy in terms of security tools and services.

Security frameworks can largely be split into three categories: Control, Program and Risk.

The purpose of control frameworks is to identify a baseline set of controls, assess the state of technical capabilities, prioritize the implementation of controls and develop an initial roadmap for the security team. It’s important to become familiar with NIST SP 800-53, an important publication that catalogs security and privacy controls, because it helps agencies measure their impact. Government departments and agencies use NIST SP 800-53 to inform their purchasing decisions, specifically around incident response, configuration management, risk assessment and access control solutions.

Read more of this post

%d bloggers like this: