Crosswalking can be a handy tool to view control performance for a single asset/system against multiple frameworks. One can complete an assessment using one framework by indicating which controls align between frameworks and then carry that data to several other evaluations leveraging different frameworks. For example, if you completed an assessment using the NIST CSF, you could crosswalk the assessment into DFARS, CMMC, PCI, etc., without reconducting the assessment.
Unfortunately, with some frameworks containing hundreds or thousands of requirements, mapping controls between frameworks can be pretty time-consuming and overwhelming. These crosswalking projects can take months to complete and cost a lot of money. The task can be taxing whether you outsource it or complete the crosswalk alone.
CyberStrong’s automated crosswalking function empowers security professionals to conduct crosswalking projects in a one-to-one and one-to-many fashion in just a few seconds. Building on the ability to perform rapid gap analyses between any framework or standard, CyberStrong now includes Crosswalking Templates.
With today’s evolving threat landscape giving rise to new technologies and regulations, a heavy burden has been placed upon risk professionals to speak the language of several standards and be able to report against each to various audiences. Whether a change in the framework is prompted by the installment of new leadership, the publication of a new standard, or simply the mindset that no one framework covers all gaps, achieving this goal can be a time-consuming and overwhelming undertaking, especially when dealing with frameworks that have hundreds or thousands of controls, each with its own alphabet soup.
Cue crosswalking.
Crosswalking can be a handy tool to evaluate your organization’s risk exposure against many frameworks and industry standards. By establishing mappings between controls of different standards, CyberStrong’s patented NLP allows you to complete an assessment in your chosen framework and then translate the data (e.g., control scores, annotations, evidence links, control status, personnel assignments) into the language of another framework.
With the latest feature release, risk professionals can now leverage CyberStrong’s Crosswalking Templates to:
Crosswalking Templates enable users to deconstruct the workload into more manageable pieces by continuously saving control mapping progress and allowing users to pick up where they left off later.
Crosswalking Templates allow users to collaborate remotely without having to be in the same room or screen-sharing; users with the appropriate permission levels can work on templates.
In the same way that different control families or categories are often assigned to different users to assess control performance, you may have professionals contributing to a crosswalk who are more versed in one framework aspect than another. Templates allow you to give access to multiple individuals so that each person can go in and complete relevant parts of the control mapping.
Most frameworks and standards leave much up to interpretation - meaning it’s unlikely that two users conducting crosswalks between the same frameworks will identify the same control mappings. Published templates help resolve this issue by allowing multiple teams and departments to translate their assessments using the same key.
Templates help reinforce consistency; they do not force adherence. You can use the templates as guidelines and modify the selected mappings after applying the template during crosswalking.
Crosswalking Templates exemplify the idea of “do once, apply many.” Rather than determining control alignment/mapping every time a crosswalk is conducted, Crosswalking Templates allow you to determine the mappings upfront and then reapply them via a button click to countless subsequent crosswalks.
To learn more about how CyberStrong’s Crosswalking Templates help alleviate this burden, continue reading below:
Reduce duplicate efforts and project your compliance posture across industry standards or custom frameworks with CyberStrong’s advanced crosswalking functions. The latest addition of Crosswalking Templates has several time-saving benefits discussed below.
The control language for many of these frameworks and standards can be ambiguous. It can be riddled with technical jargon and difficult to interpret for someone unfamiliar with this language or process. Often, security professionals need to collaborate with others to make sense of the framework. You might need a second opinion to determine which control aligns the best with the one you’ve selected, or you may want to divide the work of the crosswalking project. Security professionals can now collaborate with others using the Crosswalking Templates.
Since the platform adheres to industry best practices for session timeouts, crosswalking had to be performed as a continuous, uninterrupted activity with no breaks longer than 10-15 minutes. Depending on the number of controls within a given framework, users would have to block out an entire day to complete a crosswalk - which is unrealistic in today's meeting-happy culture. This resulted in crosswalking efforts being delayed, or being completed to the detriment of other competing priorities.
The crosswalk takes longer for some of the larger frameworks in particular. You can now collaborate with your team based on your user role, picking up where one team member left off. The crosswalking templates now allow you to pause and save your progress.
So far, we’ve discussed how the crosswalking template can save you, the individual, time in conducting crosswalks, but the entire organization can also enjoy time-saving benefits with crosswalking templates.
For larger organizations and enterprises, you often have to conduct several crosswalks for various departments. Considering the ambiguous language used in the specifics of control language, different people will have different interpretations. For example, someone from one department may think that control one maps to A, B, and C, while others map only C and D to control one. This creates a lack of consistency that will grow the larger the organization becomes.
If the risk team creates a template for a crosswalk between the NIST CSF and CMMC, this template can now be used as a benchmark to ensure consistency across multiple departments. Time is money, and crosswalk templates are both cost-effective and efficient. Every department that needs to crosswalk the NIST CSF to CMMC can now use that template to ensure that everyone has the same mappings.
Let's take a look at the screenshot below. We've designed an easy-to-follow format that allows for simplicity
This is also beneficial for every subsequent crosswalk conducted. You may spend more time creating the initial template for the first crosswalk, but now you can complete each successive crosswalk in no time with the template.
For MSPs, if they have several clients that work with various frameworks and want to convert the selected framework to a different one, they can use the template to speed up the process by applying the mapping from the template. This will automatically convert from the initial template to the new one, which is especially helpful if you have to conduct the crosswalk multiple times a year for different frameworks and clients.
Templates are also useful for enterprises that offer diversified services or manage a wide variety of data types.
Using crosswalking templates can help organizations implement a multi-step approval process for crosswalking projects. For companies with high turnover and junior talent, you can have the more junior staff - who are still learning the frameworks - take an initial pass at the crosswalk and then have a more senior member review the template and make revisions accordingly before publishing.
The junior staff now have everything they need to complete future crosswalks independently, reducing the need for senior staff to review every crosswalk.
You can build various additional templates without altering the original template. Suppose someone disagrees with the selected mapping, wants to use the template differently, or adds to the template. In that case, you can start with the original template as a baseline, save it as a separate template, and continue your modification without starting from scratch.
For professionals using public industry-standard mappings, templates are especially useful. NIST 800-53, DFARS, CIS, and the NIST CSF all have publicly available mappings that you can use to create a template. You can then take the available mapping and create separate templates based on it with modifications that best suit your needs while maintaining the original version.
Crosswalking and templates aren't limited to publicly available frameworks - they can also be leveraged for custom frameworks. When companies build custom frameworks, they often use and modify an industry-standard framework as a starting point. Some pull controls from multiple standards, and when they do this, they often crosswalk with the industry standards they base their framework on to ensure they don't miss anything.
With each successive CyberStrong product release, our product continues to deliver immense time-saving and cost-saving benefits to customers by leveraging automation to reduce manual effort. With Crosswalking Templates, you can reduce the time it takes to crosswalk between frameworks, enhance consistency across the organization, and collaborate with team members.
Contact us to learn more about CyberStrong’s enhanced crosswalking functions.