Mapping software to NIST CSF - A Defense in Depth Exercise
When evaluating software, we reasonably assess whether the software meets the established business/technical requirements. We identify the capabilities we need, identify a group of software solutions that address the problem, and then apply a formal or informal vendor selection process. We evaluate which software provides the best functionality, given costs and other external factors (e.g., interoperability with other software).
Deeper Solutions has developed and implemented a defense-in-depth methodology that identifies what additional capabilities a software solution can address. Defense-in-depth becomes useful as an additional input to the vendor selection process.
This defense-in-depth methodology maps the capabilities of the software solution to NIST controls. NIST mapping is a relatively simple approach. For each sub-category, we ask: "Does this solution/software address the capability (sub-category) in some meaningful way?" Below is an example of mapping the entire NIST framework. This mapping exercise does not replace vendor selection; it does not sufficiently evaluate the software.
The shape below illustrates the mapping if every capability in the NIST CSF were addressed in a meaningful way. Since each category is the sum of a different number of sub-categories, the complete shape is irregular. The category with the fewest sub-categories is "Recovery-planning," with one sub-category. The category with the most sub-categories is "Protect-Protection Information Protection Processes and Procedures," with 12 sub-categories.
NIST CSF defense-in-depth mapping - all sub-categories
Take, for example, two software companies: Company A, which focuses on compliance, and Company B, which provides a whole portfolio of orchestration capabilities. They both provide asset management capabilities, and Company A provides governance (which Company B does not). Company B provides capabilities in several additional sub-categories.
Company Comparison
If you compare the two software companies as providers of asset management, Company B offers various other capabilities. This breadth of additional capabilities may outweigh costs as well as other factors.
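The roll-up behind such a comparison, as an added example that is not Deeper Solutions' own tooling: each vendor is recorded as the list of sub-category IDs it addresses, the IDs are validated and summed per category (the radius of each spoke in the shape), and the two vendors are diffed. The category sizes are assumed to be those of NIST CSF v1.1 and only a subset of categories is listed; both vendor mappings are constructed to mirror Company A and Company B.

```python
import re
from collections import Counter

# Sub-category counts per category, assumed from NIST CSF v1.1.
# Only a subset of the categories is listed to keep the example short.
CSF_SIZES = {"ID.AM": 6, "ID.GV": 4, "PR.AC": 7, "PR.IP": 12,
             "DE.CM": 8, "RS.RP": 1, "RC.RP": 1}

SUBCAT_RE = re.compile(r"^([A-Z]{2}\.[A-Z]{2})-(\d+)$")

def category_coverage(addressed):
    """Roll sub-category IDs up to per-category counts (the chart's radii)."""
    seen = set()
    for sub_id in addressed:
        m = SUBCAT_RE.match(sub_id.strip().upper())
        if not m:
            raise ValueError(f"malformed sub-category id: {sub_id!r}")
        cat, n = m.group(1), int(m.group(2))
        if cat not in CSF_SIZES or not 1 <= n <= CSF_SIZES[cat]:
            raise ValueError(f"unknown sub-category: {sub_id!r}")
        seen.add((cat, n))  # a sub-category claimed twice counts once
    counts = Counter(cat for cat, _ in seen)
    return {cat: counts.get(cat, 0) for cat in CSF_SIZES}

def compare(a, b):
    """Return {category: (A count, B count, total)} and the categories
    that only one of the two vendors touches at all."""
    cov_a, cov_b = category_coverage(a), category_coverage(b)
    table = {c: (cov_a[c], cov_b[c], CSF_SIZES[c]) for c in CSF_SIZES}
    only_a = [c for c in CSF_SIZES if cov_a[c] and not cov_b[c]]
    only_b = [c for c in CSF_SIZES if cov_b[c] and not cov_a[c]]
    return table, only_a, only_b

# Constructed mappings: A covers asset management and governance,
# B covers asset management plus several other categories.
COMPANY_A = ["ID.AM-1", "ID.AM-2", "ID.GV-1", "ID.GV-3"]
COMPANY_B = ["ID.AM-1", "ID.AM-2", "ID.AM-5", "PR.AC-1", "PR.AC-4",
             "PR.IP-1", "PR.IP-3", "PR.IP-9", "DE.CM-1", "DE.CM-7", "RS.RP-1"]

if __name__ == "__main__":
    table, only_a, only_b = compare(COMPANY_A, COMPANY_B)
    for cat, (a, b, total) in table.items():
        print(f"{cat:6} A {a:>2}/{total:<2}  B {b:>2}/{total:<2}")
    print("only A:", only_a, "| only B:", only_b)
```

The per-category counts are a breadth measure only; they say nothing about how well a sub-category is addressed, which is why the mapping feeds vendor selection rather than replacing it.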