TRM High Security Cloud and its Relation to NERC CIP and NIST CSF

Jan 24, 2024 | Maximo Cloud and Security, Resource Library, TRM Blog | 0 comments

John Q. Todd

Sr. Business Consultant/Product Researcher

Total Resource Management (TRM), Inc.

What is the TRM High Security Cloud and how does it support the numerous cybersecurity standards that are either available or required depending upon the industry you are in? The quick answer is TRM has been providing high-security cloud solutions, across industries, for several years, starting with FedRAMP sponsored by IBM. The regulations and/or best practices of the industry your organization does business within may dictate the cybersecurity rules that need to be followed… or they may be optional.

Before we discuss what TRM has to offer, it is important to understand what some of the cybersecurity standards and requirements are and how they may impact your adoption of cloud environments for your software solutions.

What is NERC CIP?

NERC is the North American Electric Reliability Corporation, a not-for-profit international regulatory authority, subject to oversight by the Federal Energy Regulatory Commission (FERC) in the USA, and governmental authorities in Canada.

NERC develops reliability standards using an industry-driven and ANSI-accredited process. The standards take a results-based approach whose elements are performance, risk management, and the capabilities of the utility.

CIP, the Critical Infrastructure Protection family of NERC standards, is focused on the management of security of the Bulk Electric System (BES) in North America. This family of standards is required by law and compliance is mandatory.

CIP standards require adherence to a baseline set of cybersecurity controls that are used to protect not only the BES, but also its users and other stakeholders. Reducing the risks to the system from compromises due to cybersecurity breaches is the primary goal. Some of the CIP essentials are:

  • Identifying critical assets and performing risk assessments
  • Establishing and following cybersecurity policies and performing risk management
  • Implementing electronic access controls
  • Managing and reporting cybersecurity incidents, response, and recovery

For example, a critical asset is nearly anything that if destroyed, degraded, or made unavailable would affect the reliability or operability of the BES.

Given the acceleration of regulated organizations moving their IT systems and software to the Cloud, it is imperative that the cloud host provide the same (or higher) levels of control required by standards such as NERC CIP as an on-premises environment would.

What is NIST CSF?

TRM has written about NIST CSF in the past via several articles in our Resources Library. One in particular is: Making sense of NIST and Cybersecurity requirements for Maximo.

NIST CSF has its own framework for organizing the approach to cybersecurity risk. Specifically:

  • Identification
  • Protection
  • Detection
  • Response
  • Recovery

For example, a system component inventory (Identification) would include all components of the system to the level necessary for tracking and reporting.

NIST Special Publications 800-53 (revision 5) and 800-171 are of interest not only to federal government agencies, but also to those commercial entities who wish to adopt these standards. For government agencies and contractors, NIST compliance is more than just an interest; it is a requirement. For commercial entities with elevated security needs, it is a structured and cost-effective approach to cloud security. It is well suited for non-government entities, such as utilities, pharmaceutical companies, and other regulated industries.

Cloud hosts, such as TRM, have had NIST CSF controls in place for several years. This experience and process discipline are directly applicable to working with clients and their specific cybersecurity needs. Much time and effort can be saved by adopting proven measures that are already in place vs. having to develop your own.

Are NIST CSF and NERC CIP the Same?

Yes and no. Yes, in the sense that they have similar goals… reducing the potential and risks of cybersecurity breaches. No, in the sense that they take slightly different approaches in achieving those goals… and NERC CIP is required by law for those entities in the electricity industry while NIST is not.

For example, NERC CIP-002 is focused on Asset Inventory (the list of assets that play a role in the BES that could be affected by a cyber-attack). Related NIST CSF elements are AM-1 through AM-4 (physical devices), BE-4 (dependencies), and RA-4 (risk assessment). The list goes on, as the spreadsheet shows, but there is a clear mapping between these two approaches to cybersecurity. If you are following one, with a little focused work you will be able to follow the other, and vice versa.

Here is a link to the publicly available mapping of NIST CSF and NERC CIP from NIST. It clearly shows how the two standards relate.

How Does the TRM High Security Cloud Solution Support These Standards?

Note that although the NERC CIP and NIST CSF approaches may use slightly different terminology, the framework and the desired results are nearly the same. Both are risk and results based. Both have been, and continue to be, developed with a high level of industry involvement.

As a side note, TRM was instrumental in the establishment and accreditation of the FedRAMP high-security cloud solution offered by IBM. Further, TRM continues to manage that environment on behalf of IBM. As such, TRM is uniquely qualified to host high-security cloud solutions for not only the federal government, but also for commercial concerns looking to maintain or increase their cybersecurity posture as they move into the cloud.

In case you were not aware, FedRAMP is a program designed to satisfy NIST CSF compliance, enabling the rapid deployment of a secure solution in the cloud. FedRAMP solutions are already certified. A list of FedRAMP approved solutions is available on the FedRAMP marketplace.

However, FedRAMP approved solutions may not satisfy your unique requirements for access, control, or third-party add-ons – these may not be permitted. In these situations, organizations need to deploy their own cloud solution that meets their security requirements, such as TRM’s High Security Cloud.

Wrap up

While considering a move to the cloud, be sure you have a clear understanding of the cybersecurity requirements your organization wishes to or is required to follow. Given that clear picture, you need to engage with an experienced cloud host to ensure that the requirements are not only met on paper but are also followed and auditable over time.

TRM is confident with our experience in this area and across industries. Make contact and let’s talk about how we can help you make decisions and have a clear view forward into the cloud.
