The new NIST 800-53 Rev 5 has over one thousand controls. Let that sink in - over one thousand individual controls. Of course, as the sophistication of cyber-attacks has increased over the years, so has the need for an increase in sophistication of the requirements and controls for federal information security. However, the control set has drastically expanded since its initial publication, resulting in many teams scrambling to absorb the new requirements of NIST SP 800-53. Many of these teams rely on the NIST 800 53 controls spreadsheet and too often manage their assessments out of spreadsheets as well; with the increasing complexity of the 800-53 control set, though, security leaders could be wasting valuable time and effort by not implementing a platform to help streamline the process.
Assessing SP 800-53 Using Spreadsheets is Wasting Your Time
1) Incongruencies and Version Control
During the assessment itself, we have seen teams working out of spreadsheets tackle the division of labor in two ways: breaking down the control set and distributing a separate spreadsheet to assessors and, on the other hand running out of the same spreadsheet, possibly out of a file sharing service.
Significant negative ripple effects result from both of these approaches that we will address in the post-assessment analysis phase and the reporting phase. However, as a whole, working out of spreadsheets results in the same static and potentially disjointed efforts that many users of GRC cybersecurity systems run into. From our conversations with customers who forewent purchasing a GRC and chose to run out of spreadsheets until they started using CyberStrong, many information security leaders simply didn’t see a process difference between using spreadsheets and legacy GRC tools. Especially in the assessment phase, whether the control set is broken up or not, the overlap between a spreadsheet and a GRC is eerily similar.
The silos and incongruencies result in wasted time and effort on the part of assessment teams. However, using an integrated solution like CyberStrong can enable teams to collaborate and conduct the cyber risk assessment in a single source of truth. Individuals across IT risk, compliance, vendor risk, and audit can add valuable assessment information to the platform without fragmenting the assessment.
2) Aggregation and Analyzing Results
Whether an organization that uses spreadsheets decides to tackle an 800-53 assessment, there are effects that appear in the aggregation and analysis of the results post-assessment.
In the case where an organization broke down the 1000+ controls into different spreadsheet documents for each team to work on, the challenge of aggregation is clear: compiling what can amount to tens of spreadsheets back into one document, aside from the need to chase down each document at the due date.
In the case of working off of one spreadsheet that has been passed around, we have seen and heard a few stories where this has worked as seamlessly as necessary. Rather, the version control nightmare scenario kicks into effect, and suddenly a chain of hundreds of emails has to be sifted to determine the most up-to-date version of the document. In cases where organizations have worked out of a file-sharing service like Box or Sharepoint, the risk exists that the most up-to-date version is not even in the shared location.
Rather than tasking managers with chasing down either multiple documents and sending the time aggregating or checking a single document for accuracy, CyberStrong streamlines the entire process by allowing teams to work across the organization from a single location and deliver automated reporting without the need for aggregation. This saves managers time on the backend and increases cyber risk analysis efficiency.
Conduct Free Cyber Risk Analysis with CyberStrong here.
3) Presenting and Reporting to Leadership
Finally, moving up the chain of command, reporting on the assessment and the more excellent program health to business-side leadership. The value of an assessment is inversely correlated with the time that has passed since the assessment was completed. The nature of assessments conducted in spreadsheets and legacy GRC systems is that the assessment is essentially outdated as soon as it is completed. Then layer on top of the amount of time it takes to process (as discussed in part two), and the assessment is almost useless.
The goal for many organizations for years has been to achieve continuous assessment. However, frankly, the technology did not exist to feasibly suppor the dedication it would take to implement continuous assessment at scale. Spreadsheets, as we have seen, are simply too sporadic, and modular GRC systems lack the technology to support the integrated approach necessary to achieve it as well.
Now, though, CyberStrong enables automated risk assessments using deep integrations that update control scores in real-time using existing tech stack data from solutions already in use within an information security program. Furthermore, CyberStrong’s fully customizable Executive Cybersecurity Dashboard illustrates information security program posture in real-time for enhanced cyber reporting to the Board.
To learn more about CyberStrong, which can save your cyber risk management plan, click here to schedule a conversation.