Preparing for a self-attestation of NIST CSF

Preparing for a self-attestation of NIST CSF involves no certification by a third-party assessor; however, the preparation process is the same as when preparing for meeting any other compliance requirements.

The People

After you’ve made the decision to self-attest the NIST CSF, here’s something to keep in mind when drafting your self-attestation preparation strategy. Create a taskforce of employees from the IT or security team, with support from team members familiar enough with your technical systems. Having an executive or manager own this process with the team is also beneficial.

The NIST CSF process requires commitment, and team members may need to take time away from their other tasks to focus on preparing for your self-attestation. You should account for a loss in productivity and ensure you are staffed accordingly.

The Process

The process can be broken down into three major components:

Step 1: Understanding the NIST CSF Requirements

It is important for you to know what the NIST CSF requirements are and plan accordingly. NIST CSF is not one-size-fits-all; each organization decides which functions, categories, and subcategories to comply with. NIST CSF functions, with their categories and subcategories, are:

1. Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
   1. Asset management (ID.AM)
   2. Business environment (ID.BE)
   3. Governance (ID.GV)
   4. Risk assessment (ID.RA)
   5. Risk management strategy (ID.RM)
   6. Supply chain risk management (ID.SC)
2. Protect: Ensure that critical infrastructure services remain available.
   1. Identity management, authentication, and access control (PR.AC)
   2. Awareness and training (PR.AT)
      Data security (PR.DS)
   3. Information protection processes and procedures: (PR.IP)
   4. Maintenance (PR.MA)
   5. Protective technology (PR.PT)
3. Detect: Develop and implement activities to identify cybersecurity events.
   1. Anomalies and events (DE.AE)
   2. Security continuous monitoring (DE.CM)
   3. Detection process (DE.DP)
4. Respond: Develop and implement responses to detected cybersecurity events.
   1. Response planning (RS.RP)
   2. Communications (RS.CO)
   3. Analysis: (RS.AN)
   4. Mitigation (RS.MI):
   5. Improvements (RS.IM)
5. Recover: Develop and implement the appropriate actions to take upon detecting a cybersecurity event.
   1. Recovery planning (RC.RP)
   2. Improvements (RC.IM)
   3. Communications (RC.CO)

Step 2: Prepare Materials

In this step, create a list of controls and policies to adopt, gather required evidence artifacts, document all necessary procedures, and provide adequate training to your team. TrustOps helps you automate much of this process and automatically maps your controls to the NIST CSF standard to assess your systems, policies, and procedures.

Step 3: Complete Internal Review and self-attest

Conduct a thorough internal review to ensure that you are meeting all requirements. The internal audit review analyzes your gaps against your level of NIST CSF (as well as other compliance standards such as HIPAA) and could be used as your self-assessment.

Learn more about continuous privacy adherence with privacy essentials in TrustOps!