In April 2018, the most recent version of the Framework for Improving Critical Infrastructure Cybersecurity (Framework), was published by the National Institute of Standards and Technology (NIST). While the Framework was developed to improve cybersecurity risk management in critical infrastructure systems, it can be used by organizations in any industry. In fact, according to research from the Identity Defined Security Alliance, 42% of organizations leverage the Framework.
For those organizations utilizing the Framework and other publications from NIST and interested in further boosting their security posture through Identity Defined Security, we’ve provided a mapping of Identity Defined Security Outcomes to NIST Cybersecurity Framework v1.1, SP 800-207 Zero Trust Architecture, SP 800-63 Digital Identity Guidelines. You can find the references to these documents in each of the applicable Identity Defined Security Outcomes. In addition, the below table maps the NIST Cybersecurity Framework v1.1 to Identity Defined Security Outcomes.
| NIST Cybersecurity Framework v 1.1 | IDSA Security Outcomes |
|---|---|
| DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | IDSO-013: All privileged access rights are continuously discoveredIDSO-014: All user access rights are continuously discovered |
| DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | IDSO-007: Expected user behavior is used for authentication |
| DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | IDSO-006: Device characteristics are used for authentication |
| PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | IDSO-001: User accounts and entitlements are granted through governance-driven provisioningIDSO-002: Privileged user accounts and entitlements are granted through governance-driven provisioningIDSO-003: Privileged user accounts and entitlements are removed through governance-driven provisioningIDSO-004: User accounts and entitlements are removed through governance-driven provisioningIDSO-009: Access is revoked upon detection of high-risk events associated with an identityIDSO-010: Re-attestation is triggered based on a high risk eventIDSO-011: All privileged access is periodically attestedIDSO-012: Access to sensitive data is periodically attestedIDSO-013: All privileged access rights are continuously discoveredIDSO-014: All user access rights are continuously discoveredIDSO-017: User’s identity is systematically proven throughout the identity lifetime |
| PR.AC-3: Remote access is managed | IDSO-001: User accounts and entitlements are granted through governance-driven provisioningIDSO-002: Privileged user accounts and entitlements are granted through governance-driven provisioningIDSO-003: Privileged user accounts and entitlements are removed through governance-driven provisioningIDSO-004: User accounts and entitlements are removed through governance-driven provisioningIDSO-009: Access is revoked upon detection of high-risk events associated with an identityIDSO-010: Re-attestation is triggered based on a high risk eventIDSO-011: All privileged access is periodically attestedIDSO-012: Access to sensitive data is periodically attestedIDSO-013: All privileged access rights are continuously discoveredIDSO-014: All user access rights are continuously discoveredIDSO-017: User’s identity is systematically proven throughout the identity lifetime |
| PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | IDSO-015: User access rights are granted according to the principle of least privilegeIDSO-016: Privileged access rights are granted according to the principle of least privilege |
| PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | IDSO-010: Re-attestation is triggered based on a high risk eventIDSO-011: All privileged access is periodically attestedIDSO-012: Access to sensitive data is periodically attestedIDSO-017: User’s identity is systematically proven throughout the identity lifetime |
| PPR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction | IDSO-006: Device characteristics are used for authenticationIDSO-007: Expected user behavior is used for authenticationIDSO-008: All privileged access requires multi-factor authentication |
| RS.MI-2: Incidents are mitigated | IDSO-009: Access is revoked upon detection of high-risk events associated with an identity |
| RS.RP-1: Response plan is executed during or after an incident | IDSO-009: Access is revoked upon detection of high-risk events associated with an identity |
| NIST SP 800-207; Zero Trust Reference Architecture | IDSA Security Outcomes |
| 2: Does the device used for the request have the proper security posture? | IDSO-006: Device characteristics are used for authentication |
| 2: Overall, enterprises need to develop and maintain dynamic risk-based policies for resource access and set up a system to ensure that these policies are enforced correctly and consistently for individual resource access requests, | IDSO-008: All privileged access requires multi-factor authentication |
| 2.1.3: Access to individual enterprise resources is granted on a per-session basis | IDSO-015: User access rights are granted according to the principle of least privilegeIDSO-016: Privileged access rights are granted according to the principle of least privilegeIDSO-017: User’s identity is systematically proven throughout the identity lifetime |
| 2.1.4: Access to resources is determined by dynamic policy—including the observable state of client identity, application/ser | IDSO-007: Expected user behavior is used for authenticationIDSO-015: User access rights are granted according to the principle of least privilegeIDSO-016: Privileged access rights are granted according to the principle of least privilegeIDSO-017: User’s identity is systematically proven throughout the identity lifetime |
| 2.1.4: Behavioral attributes include, but not limited to, automated subject analytics, device analytics, and measured deviations from observed usage patterns. | IDSO-007: Expected user behavior is used for authentication |
| 2.1.4: Requesting asset state can include device characteristics such as software versions installed, network location, time/date of request, previously observed behavior, and installed credentials. | IDSO-006: Device characteristics are used for authentication |
| 2.1.6: This includes the use of multifactor authentication (MFA) for access to some or all enterprise resources. | IDSO-008: All privileged access requires multi-factor authentication |
| 3: Continuous diagnostics and mitigation (CDM) system | IDSO-013: All privileged access rights are continuously discoveredIDSO-014: All user access rights are continuously discovered |
| 3: Data access policies | IDSO-013: All privileged access rights are continuously discoveredIDSO-014: All user access rights are continuously discovered |
| 3: The PE uses enterprise policy as well as input from external sources (e.g., CDM systems, threat intelligence services described below) as input to a trust algorithm (see Section 3.3 for more details) to grant, deny, or revoke access to the resource | IDSO-009: Access is revoked upon detection of high-risk events associated with an identity |
| 3: CDM systems are also responsible for identifying and potentially enforcing a subset of policies on non-enterprise devices active on enterprise infrastructure. | IDSO-006: Device characteristics are used for authentication |
| 3.1: The approaches include enhanced identity governance–driven, logical microsegmentation, and network-based segmentation. | IDSO-001: User accounts and entitlements are granted through governance-driven provisioning |
| 3.1.1: The enhanced identity governance approach to developing a ZTA uses the identity of actors as the key component of policy creation. | IDSO-001: User accounts and entitlements are granted through governance-driven provisioningIDSO-002: Privileged user accounts and entitlements are granted through governance-driven provisioningIDSO-003: Privileged user accounts and entitlements are removed through governance-driven provisioningIDSO-004: User accounts and entitlements are removed through governance-driven provisioning |
| 6.3: Subject provisioning is a key component of ZTA. | IDSO-002: Privileged user accounts and entitlements are granted through governance-driven provisioningIDSO-003: Privileged user accounts and entitlements are removed through governance-driven provisioningIDSO-004: User accounts and entitlements are removed through governance-driven provisioning |
| NIST SP 800-63; Digital Identity Guidelines | IDSA Security Outcomes |
| A4.2: General requirements that apply to identity proofing for assurance levels IAL2 and IAL3. | IDSO-017: User’s identity is systematically proven throughout the identity lifetime |
| A4.4: IAL2 specific requirements for presence, resolution, evidence, validation, verification, confirmation and security controls. | IDSO-017: User’s identity is systematically proven throughout the identity lifetime |
| A4.5: IAL3 specific requirements for presence, resolution, evidence, validation, verification, confirmation and security controls. | IDSO-017: User’s identity is systematically proven throughout the identity lifetime |
| A5: lists requirements to resolve, validate, and verify an identity and any supplied evidence. The requirements are intended to ensure claimed identity is actual identity of subject. | IDSO-017: User’s identity is systematically proven throughout the identity lifetime |
| B4.3: Authenticator Assurance Level 3 (AAL3). Privileged access is to the most sensitive data which requires MFA based on proof of possession of a key through a cryptographic protocol. | IDSO-008: All privileged access requires multi-factor authentication |
| B4.5: Table 4-1 shows permitted authenticator types for MFA to achieve AAL3. | IDSO-008: All privileged access requires multi-factor authentication |
| B5.1: documents permitted authenticator types for MFA. | IDSO-008: All privileged access requires multi-factor authentication |
