Beyond_Basics_Gov_7_Leveraging_NIST_for_Differentiation.pptx

We are influencing NIST thinking and validating our products in government labs! NIST is influencing security requirements around the globe Understanding NIST enables client conversations in their language Beyond Basics Government Series Differentiating with Cisco Leveraging NIST for Strategic Differentiation

Why talk about NIST? The National Institute of Standards and Technology NIST NCCoE Project participation validates Cisco capabilities and compliancy with security directives Called out in Congressional / EO / NSM / NDAA / OMB Mandates and DHS-CISA Guidance Develops cybersecurity standards, frameworks, guidelines and best practices used around the globe All 16 Critical Infrastructure Sectors (U.S.) use the NIST Cybersecurity Framework (CSF) NIST CSF used by >20 States & dozens of countries for Cyber Mission Best Practices    Embracing NIST helps position Cisco as a trusted and strategic advisor to our clients

Use NIST to differentiate Cisco’s Solutions Broaden our discussions - - rise above point product conversations Focus on the NIST guidance clients are being directed to implement Enables end-to-end architectural discussions Embracing NIST helps position Cisco as both trusted & strategic advisors Better enables CXO and business/mission outcome conversations with clients Credentialize Cisco solutions and validate our product capabilities

Risk Management Framework (RMF) (NIST SP 800-37) “An enterprise cannot determine what new processes or systems need to be in place if there is no knowledge of the current state of operations.” Map Your Data Flows! How do you document them? How do they change when optimizing mission/business processes and outcomes? Want Zero Trust? (NIST SP 800-207) “A ZTA deployment involves developing access polices around acceptable risk to the designated mission or business process .” “ Before undertaking an effort to bring ZTA to an enterprise, there should be a survey of assets , subjects , data flows , and workflows .”

ZTA Using Micro-Segmentation . . . the enterprise places infrastructure devices such as intelligent switches (or routers) or next generation firewalls (NGFWs) or special purpose gateway devices to act as PEPs protecting each resource or small group of related resources. NIST ZTA SP 800-207 NIST Zero Trust Architecture – Approach Variations

DISA Zero Trust Model View User (Identity) Authentication Authorization Privilege Access Management (PAM) Infrastructure and Network Software Defined Data Center Macro Segmentation Device Authentication Authorization Compliance Data Data Tagging Data Loss Prevention (DLP) Data Rights Management (DRM) Application & Workload Application Development Supply Chain Micro Segmentation Application Delivery Visibility & Analytics Accounting and Analysis Discovery and Baselining Security Information and Event Management (SIEM) Machine Learning Automation & Orchestration API Standards Incident Response Security Orchestration, Automation and Response (SOAR) Artificial Intelligence Zero Trust Pillars and Capabilities Feeds and Supports Visibility & Analytics Feeds and Supports Automation & Orchestration Cisco Secure WorkLoad (Tetration) Identity Services Engine Secure Network Analytics (Stealthwatch) These Cisco solutions are supporting the NIST NCCoE ZTA / OT / 5G Projects Defense Information Systems Agency Department of Defense Cyber Vision

Managed Services Intelligent Switches & Routers Secure Network Analytics (Stealthwatch - ETA) Secure Access by Duo Secure Workload (Tetration) Identity Services Engine (ISE) - Trustsec ID Asset Management Business Environment Governance Risk Assessment Risk Mgmt Strategy Supply Chain RM PR ID Mgmt, Auth & AC Awareness & Training Data Security Info Protection , P & P Maintenance Protective Tech DE Anomalies & Events Continuous Monitoring Detection Processes RS Response Planning Communications Analysis Mitigation Improvements RC Recovery Planning Improvements Communications SD-WAN ACI / ACI-A Cyber Vision - IoT Advisory Services Integration Services Cisco Secure Development LifeCycle (SDLC) and Trustworthy Systems Non-Technical Controls Non-Technical Controls Non-Technical Controls Non-Technical Controls Non-Technical Controls Non-Technical Controls Non-Technical Controls Non-Technical Controls Non-Technical Controls Non-Technical Controls Non-Technical Controls Non-Technical Controls CSF AnyConnect Secure Mobility Client - CESA Secure Malware Analytics (ThreatGRID) Secure Email (ESA) Secure Endpoint (AMP-EP) Secure Firewall (FMC/NFGW/IPS/ASA) Secure Web Appliance Umbrella / Cloudlock Other Vendor Tools (via pxGrid – XML-XMPP) SDAccess / DNA-C

NIST NCCoE Special Publications - With Cisco Content SP Title Cisco Solutions Included 1800-1 Securing Electronic Health Records on Mobile Devices Identity Services Engine (ISE), Adaptive Security Virtual Appliance ( ASAv ), and RV220W Access Points 1800-2 Identity and Access Management for Electric Utilities Identity Services Engine (ISE) 1800-3 Attribute Based Access Control Identity Services Engine (ISE), CAT 2960-X 1800-8 Securing Wireless Infusion Pumps in Healthcare Delivery Organizations Aironet 1600 Series Access Point, Wireless LAN Controller, Identity Services Engine (ISE), Adaptive Security Appliance (ASA), Catalyst 3650 Switch 1800-14 Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation  7206 VXR Router v15.2 ISR 4331 Router v16.3 2921 Router v15.2 IOS XRv 9000 Router v6.4.1 1800-15 Securing Small-Business and Home Internet of Things (IoT) Devices Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD) Cisco Catalyst 3850-S MUD manager 1800-24 Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector Cisco Firepower Version 6.3.0 Cisco Stealthwatch Version 7.0.0 1800-25 Data Integrity: Identifying and Protecting Assets Against Ransomware and Other  Destructive Events Cisco ISE v2.4, Cisco Web Security Appliance v10.1 1800-26 Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events Cisco Identity Services Engine v2.4, Cisco Advanced Malware Protection v5.4, Cisco Stealthwatch v7.0.0 1800-30 Securing Telehealth Remote Patient Monitoring Ecosystem Cisco Firepower Version 6.3.0 Cisco Umbrella Cisco Stealthwatch Version 7.0.0 1800-32 Securing Distributed Energy Resources  Cisco ISE, Cyber Vision, Firepower Threat Defense, Catalyst switches Projects in process:  Zero Trust    /   5G Security / Water and Waste Water    

NIST SP1800-32 Securing Distributed Energy Resources: An Example of Industrial Internet of Things Cybersecurity Demonstrates a combined IT/OT environment Focused on protecting smaller energy sources but fundamentals apply to most combined IT/OT environments Cisco products include: Cisco Identity Services Engine Cisco Cyber Vision Cisco Firepower Threat Defense Cisco Catalyst Switches

NIST Zero Trust Lab Schematic Special Publication 1800-35 Included Cisco Solutions ISE  Switches Duo Secure Endpoint (AMP) Endpoint Security Analytics (CESA) Secure Network Analytics ( Stealthwatch ) Secure Workload ( Tetration ) SecureX Encrypted Traffic Analytics

NIST Collateral Documentation Series Leverage NIST Guidance to Deliver Better Cybersecurity Outcomes and Mission Success https://frameworktool.cisco.com/framework

We are influencing NIST thinking and validating our products in government labs! NIST is influencing security requirements around the globe Understanding NIST enables client conversations in their language Beyond Basics Government Series Differentiating with Cisco Leveraging NIST for Strategic Differentiation