NIST Cybersecurity Framework: Vulnerability Management – Not One Size Fits All

Tami Gallegos
July 20th, 2017

NIST Cyber Security Framework: Vulnerability Management

The recent Presidential Executive Order on Cybersecurity takes clear aim at vulnerability management, “Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies). Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch, or failing to execute security-specific configuration guidance.”

Ok, so maybe you are thinking, “The White House is mandating a black-and-white solution to a gray problem.” Or, “Patching those vulnerabilities can take my system offline, and that is riskier than the threat of vulnerability exploitation.” Fortunately, the EO also establishes the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) as the roadmap for government IT risk mitigation.


The NIST Model for Vulnerability Management

The NIST model defines controls and best practices that allow agencies to view the subject of vulnerability management thoughtfully and holistically. No one-size-fits-all mandates here. NIST Cybersecurity Framework guidance recommends the following actions as part of an overall vulnerability management and risk mitigation strategy:

  • Asset vulnerabilities are identified and documented

  • Threat and vulnerability information is received from information-sharing forums and sources

  • Threats, both internal and external, are identified and documented

  • Threats, vulnerabilities, likelihoods and impacts are used to determine risk

  • Risk responses are identified and prioritized

  • A vulnerability management plan is developed and implemented

  • Event data are aggregated and correlated from multiple sources and sensors

  • Vulnerability scans are performed

  • Newly identified vulnerabilities are mitigated or documented as accepted risks

I think we can all agree that this is simply good vulnerability management hygiene, and its impact on mitigating risk is undeniable.

The BeyondTrust vulnerability management solution, Retina, in concert with our IT Risk Management Platform, can address these requirements and more. Check out the white paper Implementing NIST Cybersecurity Framework Standards with BeyondTrust solutions to explore how our solutions can help you address not only vulnerability management needs, but also the privileged access management controls prescribed by the framework.

We explored the long-term impacts of the Presidential Executive Order on Cybersecurity, and considerations for implementing the NIST framework to achieve compliance with EO directives, with cybersecurity expert Don Maclean in our recent webinar: ‘Addressing Executive Order on Cybersecurity Requirements to Mitigate Risk’.

Tami Gallegos

Tami Gallegos is the Federal Marketing Manager for BeyondTrust. She brings more than 13 years of experience educating the US Federal IT community about how to modernize, manage and secure their information systems through technology. She’s worked with leaders in technology like Veritas, Symantec, EMC and Brocade. As a member of a family focused on military and government service, Tami brings a personal passion to the topic of secure, efficient, modern federal information resources.