The new NIST 800-53 revision five has over one thousand controls. Let that sink in - over one thousand individual controls. Of course, as the sophistication of cyber-attacks has increased over the years, so has the need for an increase in sophistication of the requirements and controls for federal information security. However, the control set has drastically expanded since its initial publication which has resulted in many teams scrambling to absorb the new requirements of NIST SP 800-53. Many of these teams rely on the NIST 800 53 controls spreadsheet and too often manage their assessments out of spreadsheets as well, with the increasing complexity of the 800-53 control set though, security leaders could be wasting valuable time and effort by not implementing a platform to help streamline the process.
Why Assessing Against SP 800-53 Using Spreadsheets is Wasting Your Team’s Time
1) Incongruencies and Version Control
During the assessment itself, we have seen teams working out of spreadsheets tackle the division of labor in two ways: breaking down the control set and distributing a separate spreadsheet to assessors and on the other hand running out of the same spreadsheet possibly out of a file sharing service.
There are major negative ripple effects that result from both of these approaches that we will address in the post-assessment analysis phase as well as the reporting phase. However, as a whole, working out of spreadsheets results in the same static and potentially disjointed efforts that many users of legacy GRC systems run into. From our conversations with customers that forewent purchasing a GRC and choosing to run out of spreadsheets until they started using CyberStrong, many information security leaders simply didn’t see a process difference between using spreadsheets and legacy GRC tool. Especially in the assessment phase, whether the control set is broken up or not, the overlap between a spreadsheet and a GRC is eerily similar.
The silos and incongruencies result in wasted time and effort on the part of assessment teams. However, using an integrated solution like CyberStrong can enable teams to collaborate and conduct the assessment in a single source of truth. Individuals across IT risk, compliance, vendor risk, and audit can add valuable assessment information into the platform without having to fragment the assessment.
2) Aggregation and Analyzing Results
Whether an organization that uses spreadsheets decides to tackle an 800-53 assessment, there are effects that appear in the aggregation and analyzation of the results post-assessment.
In the case where an organization broke down the 1000+ controls into different spreadsheet documents for each team to work on, the challenge of aggregation is clear: compiling what can amount to tens of spreadsheets back into one document, aside from the need to chase down each document at the due date.
In the case of working off of one spreadsheet that has been pass around, we have seen and heard few stories where this has worked as seamlessly as necessary. Rather, the version control night mare scenario kicks into effect and suddenly a chain of hundreds of emails has to be sifted to determine the most up-to-date version of the document. As an aside, in cases where organizations have worked out of a file sharing service like Box of Sharepoint, the risk exists that the most up to date version is not even in the shared location.
Rather than tasking managers with chasing down either multiple documents and sending the time aggregating or checking a single document for accuracy, CyberStrong streamlines the entire process by allowing teams to work across the organization from a single location and deliver automated reporting without the need for aggregation. This saves managers time on the backend and increases efficiencies in the analysis process.
3) Presenting and Reporting to Leadership
Finally, moving up the chain of command, reporting on the assessment and the greater program health to business-side leadership. The value of an assessment is inversely correlated with the time that has passed since the assessment want completed. The nature of assessments conducted in spreadsheets as well as in legacy GRC systems is that the assessment is essentially outdated as soon as it is completed. Then layer on top the amount of time it takes to process (as we discussed in part two) and the assessment is almost useless.
The goal for many organizations for years has been to achieve continuous assessment. However, frankly, the technology did not exist to feasibly suppor the dedication it would take to implement continuous assessment at scale. Spreadsheets as we have seen are simply too sporadic and modular GRC systems lacked the technology to support the integrated approach necessary to achieve it as well.
Now, though, CyberStrong enables continuous assessment using deep integrations that update control scores in real time using existing tech stack data from solutions already in use within an information security program (Splunk, Tenable, etc.). Furthermore, for reporting to leadership, CyberStrong’s fully customizable Governance Dashboards illustrate information security program posture in real-time without the effort of processing and aggregating the data as we discuss previously.
To learn more about CyberStrong can save your information security teams time and money while also enhancing assessments against frameworks like NIST SP 800-53, give us a call at 1 800 NIST CSF, or click, here, to schedule a conversation.