Congratulations! CSAT (Cyber Security Architecture Tool) was selected to demonstrate in the IEEE UEMCON 2019 on October 12, 2019, at Columbia University, New York, USA. Its demonstration contributes to the Network Security and Risk Management Track for its software innovation and practicability.
Dr.Max Huang, a Research Scientist at Infobeyond, showcases the CSAT tool. CSAT is Risk Management Framework (RMF) tool for an organization to IDENTIFY and SELECT Security Controls (Step 2) by following the FedRAMP and NIST SP 800-53 specification as outline in the right graph.
Instead of human-based identification and selection, Dr. Max Huang demonstrates CSAT in such a way that a user can easily retrieve the specified controls, based on task-responsible roles/questionnaires, types of information system for different controls baseline, and potential impact levels. This not only saves time and resource, but also guarantees the satisfaction of FedRAMP and NIST SP 800-53 specification. As a result, the IMPLEMENT SECURITY CONTROLS at Step 3 (See right figure) are compliance with Federal and Enterprise cybersecurity requirements in inclusion of all mandatory security controls. These security controls cover a wide variety of controls, which includes access control, training, auditing, security assessment and authorization, contingency planning, maintenance, risk assessment, infrastructure/data protection, system/information integrity, etc.
For practical use, the selected CSAT’s controls are converted to a user-friendly format, such as Docs and PDF, demonstrated by Dr. Huang. CSAT can generate the security control in OSCAL (Open Security Controls Assessment Language) format that is machine-readable. Such a feature is critically important in support of NIST recent advance for RMF. This allows a 3rd party risk management tool (e.g., Microsoft’s Bigfix, Dynamic 360, and others from Capterra, LogicManager) to access, manage, and monitor the security controls automatically.
In additions, CSAT was demonstrated to generate heat-map-based SRA (Security Reference Architecture) Graphic Visualization, based on user’s controls result. Such a SRA can be presented in ASIS (Aggregated Security Index System) C/I/A (Confidentiality/Integrity/Availability) Scoring Specification. It can also presented in Cloud-Responsibility-Specified SRA. An ASIS can be obtained for each Security Component by summing the individual Security Indexes of the C/I/A security triad. Each index of the ASIS has an associated value that can be interpreted as a priority weight when it is applied to a Security Component. The ASIS can be further used to prioritize the implementation of the Security Components. A prioritization heat map can be created using the ASIS values. It can be used to prioritize the Security Component implementation. All these features enhances RMF cybersecurity of a system to comply FedRAMP and NIST SP 800-53 security controls.
The demonstration has attracted great attentions from many organizations. Dr. Michele Myauo, Director Cybersecurity & Secure Infrastructure Services Delivery at Microsoft raises her curiosity:
“How does the CSAT help users to architect and deploy a specified secure solution for the organization’s IT infrastructure without the help of security expert?”
Dr. Huang explained that CSAT is an automated user-interactive-based cybersecurity service to help clients to architect the security controls for the IT development in terms of security levels, financial availability, role-based analysis, NIST-compliance baseline, etc., from answering a series questionnaires. These interactive questionnaires are based on NIST CSF and developed in a plain and down-to-earth language with answering YES/NO style. Users also have the capability to build a customizable baseline for controls implementation as part of an organization-wide process that manages information security and privacy risk on their own specification.
Another interesting question is from Dr. Alaa AL Ghazo, Professor at Electrical and Computer Engineering at University of Hartford. He asked
“Is CSAT back-compatible to evaluate the security controls and monitor the cybersecurity life-cycle for the older IT platforms?”
Dr. Huang emphasized that CSAT Provides a cyber-secured solution that supports continuous monitoring and automated risk assessment by outputting the machine-readable output, and CSAT also provides a methodology of identifying the functional capabilities and their associated security controls required for a new or migrated system to both standard and cloud-based solution.
At the end of CSAT demonstration, Dr. Max Huang described that CSAT is a tool that aims to leverage the NIST-compliance RMF and Cybersecurity Framework (CSF) to identify security and privacy controls for both standard IT and Cloud-based information systems via two different baselines: NIST SP 800-53 and FedRAMP specifications, As illustrated in the left figure, it is capable of identifying the necessary functional capabilities the system needs to provide to support the organization's mission and the service the system is designed for. Indeed, CSAT advances in User-Interactive, Content Automation, and Controls Specification for providing a diverse gov.-compliance of IT security requirements in both standard and cloud architecture.
Get started with InfobeyondTech’s CSAT @ CSAT.INFOBEYONDTECH.COM https://csat.infobeyondtech.com/ product page for more information.