As we near the end of 2020, the security of the election process has again come under scrutiny. A MITRE Voting Systems Paper released in 2019 reminds us that, even at the state and local level, non-governmental third party organizations perform many essential activities related to voter registration, infrastructure, and communications. The National Counterintelligence and Security Center continues to highlight the ongoing threat of election interference and the risks of data theft, vote manipulation, and undermined confidence that could result. In their paper, MITRE developed a set of recommendations and guidance for securing voting systems. Since MITRE often works closely with the US National Institute of Standards and Technology (NIST), they mapped many of the recommendations into the NIST Cybersecurity Framework (CSF) for traceability.
Like standards, frameworks tend to be diverse in how they name and group concepts, even if they otherwise don’t share much in common. As CyberGRX has built its exchange, the need has arisen to be able to map our assessment controls to other frameworks, whether publicly available or specific to a given customer, in order to measure the coverage of our controls in relation to others. The Framework Mapper enables customers to view their third-party assessments in the context of either a customer-specific or industry standard framework such as NIST 800-53, NIST-CSF, etc. This allows them to clearly and easily interpret the recommendations from papers like those released by MITRE.
Figure 1 - NIST CSF Third party mapping
ID = Identify, PR = Protect, DE = Detect, RS = Respond, RC = Recover
With so many questions forming the basis of a modern assessment, the ability to group and map high-level concepts and controls across cybersecurity frameworks is an emerging need that cannot be ignored. To do this, however, you need a standardized data set that can be mapped to various frameworks. The table above highlights a selection of real third-party organizations on the CyberGRX Exchange, based on how they score against the NIST CSF top-level functions. Had these been third parties providing election supply chain services to a governmental organization, the table would more easily reveal vulnerabilities that tie directly to recommendations by MITRE or other organizations referencing alternate frameworks.
This is where collaboration comes in. As many states and organizations share the same third parties, working together, in collaboration with your third parties, will help reduce the collective risk spread across our shared ecosystems. In this case, the vulnerabilities highlighted in red and orange could be prioritized with the third parties to mitigate the greatest vulnerabilities and reduce risk. Regardless of whether a private corporation or state government requested those mitigation efforts, the corrective actions taken by the third party will positively impact their security posture and ultimately result in safer engagements with all of their customers.
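To make the mapping and prioritization described above concrete, here is an added example (not CyberGRX code, and not the Framework Mapper itself) that takes a set of assessment control scores, maps each control to NIST CSF subcategories, rolls the results up to the five CSF functions (ID, PR, DE, RS, RC), and ranks the weakest functions first. The control identifiers, the control-to-CSF mapping, the framework subcategory list, the scores, and the red/orange/green thresholds are all constructed for illustration; a real mapping comes from the assessment owner and the framework publisher.

```python
"""Roll assessment control scores up to NIST CSF functions and rank the gaps.

Constructed example: control ids, mapping, framework list, scores and
thresholds are illustrative assumptions, not a published mapping.
"""
from collections import defaultdict

# Constructed: assessment control id -> NIST CSF subcategory ids it evidences.
CONTROL_TO_CSF = {
    "AC-01": ["PR.AC-1", "PR.AC-4"],
    "LOG-02": ["DE.CM-1", "DE.AE-3"],
    "IR-03": ["RS.RP-1", "RS.CO-2"],
    "BCP-04": ["RC.RP-1"],
    "ASSET-05": ["ID.AM-1", "ID.AM-2"],
    "VULN-06": ["ID.RA-1", "DE.CM-8"],
}

# Constructed subset of framework subcategories used to measure coverage.
FRAMEWORK_SUBCATEGORIES = [
    "ID.AM-1", "ID.AM-2", "ID.RA-1", "PR.AC-1", "PR.AC-4", "PR.DS-1",
    "DE.CM-1", "DE.CM-8", "DE.AE-3", "RS.RP-1", "RS.CO-2", "RC.RP-1",
]

CSF_FUNCTIONS = ("ID", "PR", "DE", "RS", "RC")

# Assumed thresholds for the red/orange/green presentation.
RED_BELOW, ORANGE_BELOW = 0.5, 0.75


def function_of(subcategory):
    """'PR.AC-1' -> 'PR' (the CSF function prefix)."""
    return subcategory.split(".", 1)[0]


def score_by_function(control_results, mapping=CONTROL_TO_CSF):
    """Average each third party's control scores (0..1) per CSF function.

    Each mapped subcategory inherits the score of its control, so a control
    that evidences two subcategories counts twice. Functions with no scored
    control return None so a gap is visible rather than hidden as 0.
    """
    buckets = defaultdict(list)
    for control, score in control_results.items():
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"score for {control} out of range: {score}")
        for sub in mapping.get(control, []):
            buckets[function_of(sub)].append(score)
    scores = {}
    for fn in CSF_FUNCTIONS:
        values = buckets.get(fn, [])
        scores[fn] = round(sum(values) / len(values), 4) if values else None
    return scores


def rating(score):
    """Map a function score to the colour band used in the table."""
    if score is None:
        return "unscored"
    if score < RED_BELOW:
        return "red"
    if score < ORANGE_BELOW:
        return "orange"
    return "green"


def prioritize(scores):
    """Return (function, score, rating) tuples, weakest first."""
    ranked = sorted(scores.items(), key=lambda kv: (kv[1] is not None, kv[1]))
    return [(fn, s, rating(s)) for fn, s in ranked]


def unmapped_controls(control_results, mapping=CONTROL_TO_CSF):
    """Controls answered but absent from the mapping: lost signal to fix."""
    return sorted(c for c in control_results if c not in mapping)


def framework_coverage(mapping=CONTROL_TO_CSF, framework=FRAMEWORK_SUBCATEGORIES):
    """Fraction of framework subcategories evidenced by at least one control,
    plus the uncovered subcategories, so assessment gaps are explicit."""
    covered = {sub for subs in mapping.values() for sub in subs}
    uncovered = sorted(s for s in framework if s not in covered)
    return round((len(framework) - len(uncovered)) / len(framework), 4), uncovered


if __name__ == "__main__":
    # Constructed scores for one third party.
    results = {"AC-01": 0.9, "LOG-02": 0.4, "IR-03": 0.6,
               "BCP-04": 1.0, "ASSET-05": 0.8, "VULN-06": 0.3}
    for fn, score, band in prioritize(score_by_function(results)):
        print(f"{fn}: {score} ({band})")
    print("coverage:", framework_coverage())
```

Two design points matter for a real deployment: a function with no mapped, answered control is reported as unscored rather than as zero, so an assessment gap is not mistaken for a failing third party, and `framework_coverage` reports which framework subcategories no control evidences, which is exactly the information needed to judge whether a recommendation from a paper such as MITRE's is actually measured by the assessment.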
Let us show you how Framework Mapper can save you time and resources