The Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) developed the Cyber Security Evaluation Tool (CSET®) to provides a systematic, disciplined, and repeatable approach for evaluating an organization’s security posture.
CSET then generates questions that are specific to those requirements. Some sample standards include:
- • DHS Catalog of Control Systems Security: Recommendations for Standards Developers;
- • NERC Critical Infrastructure Protection (CIP) Standards 002-009;
- • NIST Special Publication 800-82, Guide to Industrial Control Systems Security;
- • NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems;
- • NIST Cybersecurity Framework;
- • NRC Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities;
- • Committee on National Security Systems Instruction (CNSSI) 1253;
- • INGAA Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry; and NISTIR 7628 Guidelines for Smart Grid Cyber Security.
CyberForce leverages enterprises architecture models and frameworks to achieve comprehensive documentation of our customer’s active infrastructure. This data is used to populate the FedRAMP SSP templates for comprehensiveness. The complete system is then subject to a thorough and detailed RMF analysis to zero in on critical assets and assets in the critical path. Once this is done we leverage the NIST 800-53 and FedRAMP standards to undertake complete testing of the system.
As part of the baselining exercise, we leverage Client Staff to accomplish as complete a coverage as possible, as opposed to a statistical model, which is reserved for ongoing checks. This approach is taken to close the door on the would-be hackers banking on systems being left untested over time. We leverage proprietary and standard tools such as DHS CSET and CSAT.
We proceed further into CyberForce created micro-object models to document the results at a granular level. This micro-object oriented model allows us to compile state of security along many slices – such as state of security for a particular geography and for a specific set of systems.
Observations are cross walked to relevant standards as well as any internal client system security framework of controls. It is this Architecture to Artifacts comprehensiveness that is representative of CyberForce’s value.