Applying Outcomes to NIST Frameworks and Publications

In April 2018, the National Institute of Standards and Technology (NIST) published version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity (the Framework), the version referenced in the mapping below. Although the Framework was developed to improve cybersecurity risk management for critical infrastructure, it can be used by organizations in any industry. According to research from the Identity Defined Security Alliance, 42% of organizations use the Framework.

For organizations that use the Framework and other NIST publications and want to further strengthen their security posture through Identity Defined Security, we have mapped the Identity Defined Security Outcomes to three NIST documents:

NIST Cybersecurity Framework v1.1
NIST SP 800-207, Zero Trust Architecture
NIST SP 800-63, Digital Identity Guidelines

The references to these documents appear in each applicable Identity Defined Security Outcome. In addition, the three tables below map each NIST document to the Identity Defined Security Outcomes: each row lists the NIST control, tenet or section on the first line, followed by the outcomes (IDSO-nnn) that support it.

NIST Cybersecurity Framework v1.1 | IDSA Security Outcomes

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
    IDSO-013: All privileged access rights are continuously discovered
    IDSO-014: All user access rights are continuously discovered

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
    IDSO-007: Expected user behavior is used for authentication

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
    IDSO-006: Device characteristics are used for authentication

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
    IDSO-001: User accounts and entitlements are granted through governance-driven provisioning
    IDSO-002: Privileged user accounts and entitlements are granted through governance-driven provisioning
    IDSO-003: Privileged user accounts and entitlements are removed through governance-driven provisioning
    IDSO-004: User accounts and entitlements are removed through governance-driven provisioning
    IDSO-009: Access is revoked upon detection of high-risk events associated with an identity
    IDSO-010: Re-attestation is triggered based on a high-risk event
    IDSO-011: All privileged access is periodically attested
    IDSO-012: Access to sensitive data is periodically attested
    IDSO-013: All privileged access rights are continuously discovered
    IDSO-014: All user access rights are continuously discovered
    IDSO-017: User's identity is systematically proven throughout the identity lifetime

PR.AC-3: Remote access is managed
    IDSO-001: User accounts and entitlements are granted through governance-driven provisioning
    IDSO-002: Privileged user accounts and entitlements are granted through governance-driven provisioning
    IDSO-003: Privileged user accounts and entitlements are removed through governance-driven provisioning
    IDSO-004: User accounts and entitlements are removed through governance-driven provisioning
    IDSO-009: Access is revoked upon detection of high-risk events associated with an identity
    IDSO-010: Re-attestation is triggered based on a high-risk event
    IDSO-011: All privileged access is periodically attested
    IDSO-012: Access to sensitive data is periodically attested
    IDSO-013: All privileged access rights are continuously discovered
    IDSO-014: All user access rights are continuously discovered
    IDSO-017: User's identity is systematically proven throughout the identity lifetime

PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
    IDSO-015: User access rights are granted according to the principle of least privilege
    IDSO-016: Privileged access rights are granted according to the principle of least privilege

PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
    IDSO-010: Re-attestation is triggered based on a high-risk event
    IDSO-011: All privileged access is periodically attested
    IDSO-012: Access to sensitive data is periodically attested
    IDSO-017: User's identity is systematically proven throughout the identity lifetime

PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction
    IDSO-006: Device characteristics are used for authentication
    IDSO-007: Expected user behavior is used for authentication
    IDSO-008: All privileged access requires multi-factor authentication

RS.MI-2: Incidents are mitigated
    IDSO-009: Access is revoked upon detection of high-risk events associated with an identity

RS.RP-1: Response plan is executed during or after an incident
    IDSO-009: Access is revoked upon detection of high-risk events associated with an identity
NIST SP 800-207, Zero Trust Architecture (section numbers refer to SP 800-207) | IDSA Security Outcomes

2: Does the device used for the request have the proper security posture?
    IDSO-006: Device characteristics are used for authentication

2: Overall, enterprises need to develop and maintain dynamic risk-based policies for resource access and set up a system to ensure that these policies are enforced correctly and consistently for individual resource access requests.
    IDSO-008: All privileged access requires multi-factor authentication

2.1.3: Access to individual enterprise resources is granted on a per-session basis.
    IDSO-015: User access rights are granted according to the principle of least privilege
    IDSO-016: Privileged access rights are granted according to the principle of least privilege
    IDSO-017: User's identity is systematically proven throughout the identity lifetime

2.1.4: Access to resources is determined by dynamic policy, including the observable state of client identity, application/ser
    IDSO-007: Expected user behavior is used for authentication
    IDSO-015: User access rights are granted according to the principle of least privilege
    IDSO-016: Privileged access rights are granted according to the principle of least privilege
    IDSO-017: User's identity is systematically proven throughout the identity lifetime

2.1.4: Behavioral attributes include, but are not limited to, automated subject analytics, device analytics, and measured deviations from observed usage patterns.
    IDSO-007: Expected user behavior is used for authentication

2.1.4: Requesting asset state can include device characteristics such as software versions installed, network location, time/date of request, previously observed behavior, and installed credentials.
    IDSO-006: Device characteristics are used for authentication

2.1.6: This includes the use of multifactor authentication (MFA) for access to some or all enterprise resources.
    IDSO-008: All privileged access requires multi-factor authentication

3: Continuous diagnostics and mitigation (CDM) system
    IDSO-013: All privileged access rights are continuously discovered
    IDSO-014: All user access rights are continuously discovered

3: Data access policies
    IDSO-013: All privileged access rights are continuously discovered
    IDSO-014: All user access rights are continuously discovered

3: The PE uses enterprise policy as well as input from external sources (e.g., CDM systems, threat intelligence services described below) as input to a trust algorithm (see Section 3.3 for more details) to grant, deny, or revoke access to the resource.
    IDSO-009: Access is revoked upon detection of high-risk events associated with an identity

3: CDM systems are also responsible for identifying and potentially enforcing a subset of policies on non-enterprise devices active on enterprise infrastructure.
    IDSO-006: Device characteristics are used for authentication

3.1: The approaches include enhanced identity governance-driven, logical microsegmentation, and network-based segmentation.
    IDSO-001: User accounts and entitlements are granted through governance-driven provisioning

3.1.1: The enhanced identity governance approach to developing a ZTA uses the identity of actors as the key component of policy creation.
    IDSO-001: User accounts and entitlements are granted through governance-driven provisioning
    IDSO-002: Privileged user accounts and entitlements are granted through governance-driven provisioning
    IDSO-003: Privileged user accounts and entitlements are removed through governance-driven provisioning
    IDSO-004: User accounts and entitlements are removed through governance-driven provisioning

6.3: Subject provisioning is a key component of ZTA.
    IDSO-002: Privileged user accounts and entitlements are granted through governance-driven provisioning
    IDSO-003: Privileged user accounts and entitlements are removed through governance-driven provisioning
    IDSO-004: User accounts and entitlements are removed through governance-driven provisioning
NIST SP 800-63, Digital Identity Guidelines (the A prefix denotes SP 800-63A, Enrollment and Identity Proofing; the B prefix denotes SP 800-63B, Authentication and Lifecycle Management) | IDSA Security Outcomes

A4.2: General requirements that apply to identity proofing for assurance levels IAL2 and IAL3.
    IDSO-017: User's identity is systematically proven throughout the identity lifetime

A4.4: IAL2-specific requirements for presence, resolution, evidence, validation, verification, confirmation and security controls.
    IDSO-017: User's identity is systematically proven throughout the identity lifetime

A4.5: IAL3-specific requirements for presence, resolution, evidence, validation, verification, confirmation and security controls.
    IDSO-017: User's identity is systematically proven throughout the identity lifetime

A5: Lists requirements to resolve, validate, and verify an identity and any supplied evidence; the requirements are intended to ensure that the claimed identity is the actual identity of the subject.
    IDSO-017: User's identity is systematically proven throughout the identity lifetime

B4.3: Authenticator Assurance Level 3 (AAL3). Privileged access to the most sensitive data requires MFA based on proof of possession of a key through a cryptographic protocol.
    IDSO-008: All privileged access requires multi-factor authentication

B4.5: Table 4-1 shows the permitted authenticator types for MFA to achieve AAL3.
    IDSO-008: All privileged access requires multi-factor authentication

B5.1: Documents the permitted authenticator types for MFA.
    IDSO-008: All privileged access requires multi-factor authentication
