The information security landscape around the world is relatively diverse, with different approaches and standards, but one country in particular stands out: Germany. While other countries rely on the American standards published by NIST (National Institute of Standards and Technology) for risk management, the “Risk Management Framework” (NIST RMF), and for securing critical infrastructure, the “Cybersecurity Framework” (NIST CSF), Germany has its own standards. In this article, we explain what benefits NIST could offer in Germany in addition to the BSI standards.
The background to the current international information security situation
The following standards are among the most widely used worldwide:
– NIST Cybersecurity Framework (CSF)
– NIST Risk Management Framework (RMF)
ISO 27001 is one of the guiding frameworks for information security; many organizations require it as a prerequisite for collaboration, and so certification is sought by many. Other standards such as TISAX from the VDI and the BSI Standards 200-x are based on the ISO standard, which further increases its popularity. The alternative is the family of standards from NIST, the U.S. National Institute of Standards and Technology, although the two also complement each other very well. The NIST standards are required for U.S. agencies by legislation and are constantly evolving. In 2014, the U.S. Department of Defense (DoD) replaced the Information Assurance Certification and Accreditation Process, in effect since 2006, with its successor, the NIST Risk Management Framework (RMF).

Because the NIST RMF is mandatory for U.S. government agencies, it is tailored specifically to the government environment rather than to private companies. To address this, NIST released the NIST Cybersecurity Framework (NIST CSF) in 2014. The CSF differs fundamentally in structure from the NIST RMF: it is only a framework and not itself a risk management process. NIST CSF describes the basic structure of the process in which an ISMS is embedded. The security measures that are then implemented can be borrowed from another standard, such as ISO 27001, or as a supplement from NIST SP 800-53, which also serves the RMF. For these reasons, NIST CSF should not be implemented on its own but together with a catalog of measures for optimal integration. With this look at the international nature of the various frameworks, we now come to the situation in Germany.
The RMF and CSF each have a 5-step process for creating a secure infrastructure:
1. surveying and describing the system
2. developing the security strategy
3. implementing the security strategy
4. reviewing the implementation in light of the risk
5. communication and continuous development
The BSI has created and published its own standard for securing critical infrastructure, serving the same purpose as the NIST RMF; only the approach differs significantly. The BSI standards focus on mandatory measures and compliance rather than on adapting the strategy to the current risk landscape. They also focus on assets and, compared to the NIST RMF, provide little support or elaboration in the area of risk management. However, the standard is increasingly leaning toward ISO 27001, as evidenced by the recent changes in the 200 series as opposed to the 100 series (1).
Advantages of implementation according to BSI in Germany
These BSI standards, the 200-x series as well as 100-4, are used as a basis by many German authorities, since operators of critical infrastructures must implement a state-of-the-art ISMS (3) under the IT Security Act of 2015 (2). This fills the gap for securing critical infrastructure in the public sector and pushes NIST into the background as an alternative. In summary, we can assume that the following reasons are responsible for this displacement:
– Simplicity of implementation via a tool. Several tools are available and under constant development, such as ‘verinice’ or ‘HiScout’.
– Publication in German, whereas the NIST standards are available in English only. This point is particularly important for public authorities, where German is usually the official language.
– The alignment of the BSI standards with ISO 27001, which greatly simplifies ISO 27001 certification, the goal of many companies.
Advantages of implementation according to NIST in Germany
These advantages do a lot for securing information, but they push other aspects into the background that we should not forget. NIST CSF and RMF provide support through a different perspective on enterprise risk:
Free availability and easy application:
All relevant documents published by NIST, especially the SP 800-x series, are government supported and available free of charge, albeit only in English (4). This makes it very easy to distribute the relevant documents within the company, in contrast to the ISO standard, where each reader incurs costs, which can create significant hurdles for larger companies. The BSI standards are also freely available, but since they are tool-based and it is hardly feasible for employees to work effectively with the 5082-page IT-Grundschutz catalogs, there is an additional hurdle here in readability (5).
Focus on trust and risk rather than compliance:
This makes it possible to reach a higher level of security more quickly, as it is easier and more likely to involve the corporate culture. Risk management is the main objective of the Risk Management Framework, and identifying and addressing information security risks is its biggest focus. A NIST RMF ISMS therefore takes a very pragmatic approach. In comparison, risk management according to ISO 31000 or the BSI standards is very rudimentary and remains in the background or at the discretion of management. For low security levels, such as basic security in accordance with BSI Standard 200-2, there is no provision for risk management at all (6), which severely limits the possibilities for recommendations for action and continuous further development.
Focus on system development:
The system development life cycle (SDLC) is directly incorporated into risk management, so that at each stage of system development different measures and processes are implemented to safeguard information. The system is, so to speak, guided by risk management in order to provide comprehensive protection (7). The SDLC is not automatically integrated into the other standards and is therefore rather an additional option that is often overlooked or not considered significant.
Focus on adaptability:
Aligning measures with the existing infrastructure provides opportunities to add additional measures, remove redundant ones, and identify and centrally manage system-wide measures (8). These options are hard-wired into the process and must be co-authorized. This process is unique and focuses on trust in systems rather than on rule conformance or compliance, building a bridge from the rulebook to pragmatic and effective implementation.
Optimal adaptation to the system landscape and governance structure:
Concepts are offered that can be comprehensive and centrally managed, similar to the BSI standards, or split into smaller umbrella concepts that are managed in a decentralized manner but are still self-contained. Compared with ISO 27001, whose guiding principle is a management structure in the form of a committee, which imposes a great deal of effort when various systems need to be certified, NIST RMF forms a process in which the actors can differ. This makes it easy to certify different systems at different times.
In summary, Germany is pursuing a security strategy that is oriented toward international standards but is itself moving toward automation and standardization of the security landscape. This poses some hurdles, especially in terms of adaptability to the company in question. For companies in the private sector, it may be attractive to look toward the U.S. and at some aspects that still receive little attention in Germany. Not only are NIST’s Risk Management Framework and Cybersecurity Framework constantly evolving and tailored to the sector, they also offer the possibility of easy certification to ISO 27001, given compliance. Other aspects of effectiveness, such as the focus on risk management, the incorporation of development processes and the focus on the agility of the company, are also becoming more apparent.
1 cf. Current status of the modernization of IT-Grundschutz, 08.06.2017, Isabel Münch
2 cf. Act on Increasing the Security of Information Technology Systems (IT Security Act), of July 17, 2015.
3 cf. § 8a, Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz), of July 17, 2015.
4 see https://csrc.nist.gov/publications/sp800
5 cf. IT-Grundschutz catalogs, 15th supplementary edition – 2016
6 cf. BSI Standard 200-2
7 cf. NIST SP 800-37
8 cf. NIST SP 800-53