Open sdog-mitre opened 8 years ago
We will do this as we use the countermeasures in projects at NCCoE.
Posted on behalf of Jeffrey Chichonski, NIST.
Another thought I keep having is how to tie this back to existing NIST work. You have created another classification system here (i.e. AUT-1) and I think that it would be valuable if AUT-1 is somehow related/mapped to some sub category in the CSF which then by design gives you mapping to many different cyber security controls.
Within the ‘counter measures’ you could add a reference to the CSF subcategory that addresses that issue; in my opinion a counter measure and a security control are very similar, but sometimes a specific security control might be more actionable to an organization who has implemented some type of security compliance framework (i.e. 800-53).
Take AUT-1 counter measures:
– ‘install security updates in a timely manner’ maps to CSF sub category PR.IP-12, and then that maps to many security compliance frameworks' specific controls (COBIT, ISO, ISA, etc.)
– ‘secondary authentication for sensitive data’ maps to CSF sub category PR.AC-1, and again that provides you the mapping to many security compliance frameworks' specific controls
General Comment
Threat ID: None
Type of Comment:
Proposed Change: Indications of what, if any, proposed countermeasures align with existing standards, such as 800-53 controls or the Cyber Security Framework.
Justification: