Protecting Your Practice With a Common Security Framework

As the threat landscape for MSPs continues to broaden, it is more important than ever that we shore up our internal security as much as possible. However, this should not be done in a "piecemeal" manner. It is easy to fall into the trap of assuming that we know which specific measures should be taken and simply implementing those. That may result in a more secure network, but it will most likely leave gaps and provide a false sense of security.

There are several Common Security Frameworks (CSFs) available that provide a standard set of guidelines an MSP can follow. By selecting one of these frameworks, an MSP gains a structured roadmap by which to assess its current state, identify the gaps, remediate them, and certify the environment. By selecting and meeting common standards, MSPs also add to the protection they gain in the event of a lawsuit brought on by a breach. If the MSP has certified against a recognized standard, and its practices are compliant with that standard, any legal liabilities will be greatly mitigated, and cyber insurance providers are more likely to pay the claim.

Although each CSF can be "certified" through an audit process, none of them require certification as an outcome. However, potential clients and industries may require certification as a prerequisite of doing business.

Three foundational CSFs are available for general (but deep) security regardless of industry: NIST CSF, ISO 27000 Series, and CIS CSF.

NIST CyberSecurity Framework:

The NIST CSF is a basic set of guidelines upon which other, industry-specific NIST frameworks build. It is based on five primary Functions: Identify, Protect, Detect, Respond, and Recover. Each Function has a set of Categories, and each Category has a set of Sub-categories. In total there are 5 Functions, 23 Categories, and 108 Sub-categories.

Each Sub-category articulates a specific outcome that must be achieved for compliance. For instance, ID.AM-1 (Function: Identify, Category: Asset Management, Sub-category: 1) stipulates that "Physical Devices and Systems within the organization are inventoried". Likewise, Sub-category PR.AT-1 stipulates that "all users are informed and trained" (on cybersecurity).

The NIST CSF also provides Informative References that act as a cross-reference from each Sub-category to the corresponding controls in other CSFs such as CIS, ISO 27000, NIST 800-53, and COBIT.

The NIST Framework provides definitions for organizations to assess their level of security preparedness against a four-tier scale: Partial, Risk Informed, Repeatable, and Adaptive.

Organizations identify their current tier (current profile) and their desired tier (target profile). Using the NIST Framework guidelines, they identify the gaps between their current profile and their target profile.

NIST then provides a 7-step process to follow in order to close those gaps and achieve the target profile.

Once the MSP has achieved NIST CSF compliance, it can layer on any industry-specific requirements based on its typical client profile.

Center for Internet Security Cyber CSF

Like the NIST CSF, the CIS CSF is industry agnostic. In many other respects the two frameworks are similar as well.

In CIS CSF v8, the aspects of cybersecurity are divided into 18 Controls with 153 underlying Safeguards.

As with NIST, CIS provides a tiered approach to compliance that allows organizations to achieve compliance at a level appropriate to their risk profile and to the resources they have available to achieve and maintain it. CIS defines three Implementation Groups (IG1, IG2, IG3). Compliance with each Implementation Group is based on meeting the Safeguards associated with that IG. For instance, IG1, which is considered basic cybersecurity hygiene, requires that 56 foundational Safeguards be met. IG2 requires the IG1 Safeguards plus an additional 74 Safeguards. IG3 requires that all 153 Safeguards be met.

CIS provides a Controls Self-Assessment Tool (CSAT) as well as a Risk Assessment Methodology (RAM) to help organizations identify their current state and the gaps between that and their desired state.

One aspect of the CIS CSF that differs from the others is that it provides a set of benchmarks specific to industry-leading hardware, software, and operating systems. The CIS Benchmarks identify specific configuration parameters that map to CIS Safeguards for over 100 products. This is a huge benefit for organizations as they assess their environments. For MSPs, it is a great resource for guidance in deploying systems securely within their clients' environments.

ISO 27001

The ISO 27000 Series CSF is published by the International Organization for Standardization. As with NIST and CIS, it is a series of categories and controls; in this case, 14 categories and a total of 114 controls.

As an international standard, it is recognized globally, and certification may be required to do business with many international enterprises. Although certification is not required to achieve compliance, most organizations implementing ISO 27001 are doing so with certification in mind.

ISO 27001 is more focused on the implementation and maintenance of a functioning Information Security Management System (ISMS) than on the actual controls themselves. In fact, the latest revision of the standard does not require the organization to implement the controls as defined, but rather to demonstrate that it has adequately mitigated the risk in some way. As an ongoing process, the organization must demonstrate that the ISMS is continuing to function and must recertify every three years.

The ISO 27000 Series contains several supplementary standards that build on ISO 27001. Perhaps the most common one is ISO 27002, which provides far more detail on the controls defined in ISO 27001. There is no certification for ISO 27002, as it is not specific to the ISMS.

Whereas the NIST and CIS frameworks are free and self-assessment is possible, ISO 27001 certification can be costly. Typically, organizations implementing ISO 27001 have already achieved a higher level of operational maturity.

Other Standards:

Beyond the common frameworks above, there are many other standards that can be layered on top. These are useful, and often required, to do business within certain industries:

Control Objectives for Information Technology (COBIT)

COBIT was created by ISACA and is often used in conjunction with other frameworks, as it is more focused on governance than on the technical aspects. It offers cross-references to NIST controls in the same way NIST offers Informative References to COBIT.

HITRUST CSF:

Originally specific to the healthcare industry, HITRUST was developed to offer guidance to healthcare organizations of all sizes in complying with HIPAA requirements regarding the safeguarding of PHI. HITRUST is based on ISO 27001. Where the ISO standard tends to be liberal in enforcing the specific controls used to mitigate risk, HITRUST is designed to be more prescriptive, yet flexible enough to address the threats and needs of organizations of any size. HITRUST offers three levels of control implementation to allow for "scaling" to the size and resources of the organization. By using the HITRUST framework, organizations can achieve compliance appropriate to the risks they face.

SOC 2:

The SOC 2 framework is one of three reporting options developed by the American Institute of Certified Public Accountants (AICPA) in 2011. It is based on five Trust Services Criteria (TSP): Security, Availability, Processing Integrity, Confidentiality, and Privacy. As SOC 2 has a formal audit inherent to the process, it is a good choice for those looking for a certification as the outcome. Organizations are free to make the scope of the audit as narrow or as broad as they would like, depending on their needs; this can include one or all of the TSPs. The SOC 2 reporting process can be used to audit the controls of other security frameworks as well.

NIST 800-171 and CMMC

NIST 800-171 is a publication that builds on the NIST CSF; however, it includes specific guidance for the handling of Controlled Unclassified Information (CUI). This is important for any organization doing business directly with the Department of Defense or with contractors working with the DoD. The publication was originally distributed as a specific set of controls with a worksheet that allowed organizations to self-assess, and there was no requirement for a formal audit or certification. However, in December 2020 the US government established the Cybersecurity Maturity Model Certification (CMMC) process. CMMC is a certification related to NIST 800-171. It provides five levels of certification based on the number of NIST 800-171 controls implemented and verified. CMMC Level 3 certifies all controls in 800-171. Levels 4 & 5 certify controls from other frameworks beyond 800-171. In 2026, all organizations wishing to do business with DoD-related companies will be required to be certified under CMMC.

Decisions, Decisions…

So which framework should you choose? For the most part it doesn't matter. However, if your typical client profile fits into certain business types such as healthcare, finance, retail/hospitality, or defense contracting, that may guide your decision. As we've seen, most of the Common Security Frameworks overlap heavily.

It is up to each MSP to determine which framework is best for them. Smaller MSPs would be best served by looking at either the NIST CSF or the CIS CSF. Both provide a standardized process to follow when implementing the framework, and both can be done at no cost. One big advantage of the CIS framework is the companion set of CIS Benchmarks, which offer guidance on specific configuration parameters for over 100 products. This can help MSPs deliver their services to their clients in a compliant way as well.

Simply adopting and implementing any standard framework is a huge step forward in protecting your business as the threat landscape continues to expand.