Overview

Since its release in February 2014, the NIST Framework for Securing Critical Infrastructure Cybersecurity has become a major part of the national conversation about cybersecurity for critical infrastructure (and beyond). We believe it represents an important step towards large-scale and specific improvements in security for the United States and internationally. The Center for Internet Security (CIS) was an active participant in the development of the Cybersecurity Framework, and the CIS Critical Security Controls are cited in it as an informative reference that can be used to drive specific implementation.

The Framework is true to the definition of that term – “a set of principles, ideas, etc. that you use when you are forming your decisions and judgments” – and it provides a way to organize, conduct, and drive the conversation about security goals and improvements, for individual enterprises and across communities of enterprises. However, the Cybersecurity Framework does not include any specific risk management process, or specify any priority of actions. Those decisions and judgments are left to the adopters to manage for their specific situations and contexts.

NIST and the CSC-CIS Controls

This is the essence of the relationship between NIST and CIS: the CIS Controls describe the actions that are necessary to support the recommendations contained within the NIST Framework. Since most regulation is heavily influenced by NIST, this has been an invaluable methodology for us at Pylon to utilize. We believe that for the vast majority of enterprises, including our own, the best approach to solving these problems is to tackle them as a community, not enterprise-by-enterprise. This is the essence of the CIS non-profit community model, and it is embodied in projects like the CIS Critical Security Controls, the CIS Security Configuration Benchmarks, and the National Cyber Hygiene Campaign. We need to band together to identify key actions, create information, share tools, and remove barriers so that we can all succeed. Simply put, the larger the consuming audience of the policies, the more aggressively and comprehensively they will be vetted.

In that spirit, the Center for Internet Security, as well as its subscribing organizations such as Pylon, will continue to support the evolution of the NIST Cybersecurity Framework and also help our community leverage the content, processes, and priorities of the Critical Security Controls as an action mechanism in alignment with the Framework.

NIST 800-53 Listings

  • AC-1: Access Control Policy and Procedures
  • AC-2: Account Management
  • AC-3: Access Enforcement
  • AC-4: Information Flow Enforcement
  • AC-6: Least Privilege
  • AC-7: Unsuccessful Logon Attempts
  • AC-11: Session Lock
  • AC-12: Session Termination
  • AC-17: Remote Access
  • AC-18: Wireless Access
  • AC-19: Access Control for Mobile Devices
  • AC-20: Use of External Information Systems
  • AC-23: Data Mining Protection
  • AC-24: Access Control Decisions
  • AT-1: Security Awareness and Training Policy and Procedures
  • AT-2: Security Awareness Training
  • AT-3: Role-Based Security Training
  • AT-4: Security Training Records
  • AU-2: Audit Events
  • AU-3: Content of Audit Records
  • AU-4: Audit Storage Capacity
  • AU-5: Response to Audit Processing Failures
  • AU-6: Audit Review, Analysis, and Reporting
  • AU-7: Audit Reduction and Report Generation
  • AU-8: Time Stamps
  • AU-9: Protection of Audit Information
  • AU-10: Non-repudiation
  • AU-11: Audit Record Retention
  • AU-12: Audit Generation
  • AU-13: Monitoring for Information Disclosure
  • AU-14: Session Audit
  • CA-2: Security Assessments
  • CA-3: System Interconnections
  • CA-5: Plan of Action and Milestones
  • CA-6: Security Authorization
  • CA-7: Continuous Monitoring
  • CA-8: Penetration Testing
  • CA-9: Internal System Connections
  • CM-2: Baseline Configuration
  • CM-3: Configuration Change Control
  • CM-5: Access Restrictions for Change
  • CM-6: Configuration Settings
  • CM-7: Least Functionality
  • CM-8: Information System Component Inventory
  • CM-9: Configuration Management Plan
  • CM-10: Software Usage Restrictions
  • CM-11: User-Installed Software
  • CP-9: Information System Backup
  • CP-10: Information System Recovery and Reconstitution
  • IA-3: Device Identification and Authentication
  • IA-5: Authenticator Management
  • IA-10: Adaptive Identification and Authentication
  • IR-1: Incident Response Policy and Procedures
  • IR-2: Incident Response Training
  • IR-3: Incident Response Testing
  • IR-4: Incident Handling
  • IR-5: Incident Monitoring
  • IR-6: Incident Reporting
  • IR-7: Incident Response Assistance
  • IR-8: Incident Response Plan
  • IR-9: Information Spillage Response
  • IR-10: Integrated Information Security Analysis Team
  • MA-4: Nonlocal Maintenance
  • MP-3: Media Marking
  • MP-4: Media Storage
  • MP-5: Media Transport
  • PM-5: Information System Inventory
  • PM-6: Information Security Measures of Performance
  • PM-13: Information Security Workforce
  • PM-14: Testing, Training, & Monitoring
  • PM-16: Threat Awareness Program
  • RA-2: Security Categorization
  • RA-5: Vulnerability Scanning
  • RA-6: Technical Surveillance Countermeasures Survey
  • SA-4: Acquisition Process
  • SA-9: External Information System Services
  • SA-11: Developer Security Testing and Evaluation
  • SA-13: Trustworthiness
  • SA-15: Development Process, Standards, and Tools
  • SA-16: Developer-Provided Training
  • SA-17: Developer Security Architecture and Design
  • SA-18: Tamper Resistance and Detection
  • SA-20: Customized Development of Critical Components
  • SA-21: Developer Screening
  • SC-7: Boundary Protection
  • SC-8: Transmission Confidentiality and Integrity
  • SC-15: Collaborative Computing Devices
  • SC-16: Transmission of Security Attributes
  • SC-17: Public Key Infrastructure Certificates
  • SC-18: Mobile Code
  • SC-20: Secure Name/Address Resolution Service (Authoritative Source)
  • SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver)
  • SC-22: Architecture and Provisioning for Name/Address Resolution Service
  • SC-23: Session Authenticity
  • SC-24: Fail in Known State
  • SC-28: Protection of Information at Rest
  • SC-31: Covert Channel Analysis
  • SC-34: Non-Modifiable Executable Programs
  • SC-39: Process Isolation
  • SC-40: Wireless Link Protection
  • SC-41: Port and I/O Device Access
  • SC-44: Detonation Chambers
  • SI-2: Flaw Remediation
  • SI-3: Malicious Code Protection
  • SI-4: Information System Monitoring
  • SI-6: Security Function Verification
  • SI-7: Software, Firmware, and Information Integrity
  • SI-8: Spam Protection
  • SI-10: Information Input Validation
  • SI-11: Error Handling
  • SI-15: Information Output Filtering
  • SI-16: Memory Protection
Pylon Technology