Wave #10 - Community Profiles
The update of the NIST CSF to version 2.0 included a raft of resources for organizations to use on their cybersecurity risk management (CRM) journeys. One of them is NIST Cybersecurity Framework 2.0: A Guide to Creating Community Profiles (the Guide). We think this document could spur innovation and produce valuable work products for end users.
Since the NIST Cybersecurity Framework (CSF) was first released in 2014, it has been used by communities that share interests, goals, and outcomes for cybersecurity risk management within a specific context, such as a sector, technology, or challenge. The term “Community Profiles” describes the ways various organizations use the CSF’s common taxonomy to develop cybersecurity risk management guidance that applies to multiple organizations in a community.
A notable example of a community profile is the Cyber Risk Institute (CRI) Profile for the financial sector*. The CRI Profile is a great example of taking the CSF and creating a sector-specific work product that accounts for the unique context of a given community. This Profile is the gold standard for creating community profiles.
Overall, the Guide is well constructed and serves as a great starting point for community leaders on how to create effective cybersecurity guidance for their constituents using the CSF. The Guide could be used by trade associations, sector coordinating councils, sector risk management agencies, or even regulators.
One note for both the authors and the users of this document: consider the user’s perspective when creating these profiles. Typically an organization picks up a community profile looking to take action quickly. Give them the information they need in order to act. Let’s work through an example for one of the new Subcategories in the Govern Function, GV.RM-05, which states:
“Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties”
As a community profile creator, you might select GV.RM-05 as part of your profile, but what do you tell your users beyond “this Subcategory is a priority”? Users may have questions such as:
What does “lines of communication” mean?
How do I “establish” these lines?
Answer the mail in your community profile by including language similar to the following: “Create a Cybersecurity Risk Management Committee. Convene the Committee every month to discuss cybersecurity risks, to include risks from suppliers and other third parties.”
Organizations, especially small businesses, are asking for more guidance that is actionable. Give it to them by using the Guide to Creating Community Profiles.
At STLLC, we have been creating CRM plans and conducting these meetings with our clients. We have found this to be an effective and efficient way to implement GV.RM-05. If your organization is looking to implement CSF v2.0 or create a profile, drop us a line at info@yourcyberwork.com
*Full disclosure, we helped CRI create and validate mappings between the CRI Profile and CSF v2.0.