The NIST Cybersecurity Framework (CSF) has been endorsed by government and industry as a recommended baseline for use by any organization, regardless of sector or size, to implement risk management best practices and achieve desired security outcomes. In this chalk talk, we discuss how organizations can use AWS to align to the CSF by providing a detailed breakout of AWS services and associated customer responsibilities (security in the cloud) and AWS responsibilities (security of the cloud).

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Aligning to the
NIST Cybersecurity Framework
in the AWS Cloud
Min Hyun
Global Lead, Growth Strategies
AWS Security Assurance
S E C 3 3 6 - R
Michael South
Americas Regional Leader, Security and Compliance
AWS Worldwide Public Sector

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
What is the NIST Cybersecurity Framework (CSF)?
Why use the NIST CSF?
AWS responsibilities: AWS alignment with the NIST CSF
Customer responsibilities: Use of AWS services to align to the NIST
CSF

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Breakout repeats
Wednesday, November 28
Aligning to the NIST Cybersecurity Framework in the AWS
Cloud
1:45 – 2:45 | MGM, Level 3, South Concourse 301

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is the NIST Cybersecurity Framework?
6
Executive Order
Presidential
Executive Order
13636, “Improving
Critical
Infrastructure
Cybersecurity,”
charges NIST in
Feb 2013
Legislation
Cybersecurity
Enhancement Act
of 2014 reinforced
the legitimacy and
authority of the
CSF by codifying it
and its voluntary
adoption into law
In February 2014, the National
Institute of Standards and
Technology (NIST) published the
“Framework for Improving Critical
Infrastructure Cybersecurity” (or
CSF), a voluntary framework to
help organizations of any size and
sector improve the cybersecurity,
risk management, and resilience
of their systems
Originally intended for critical
infrastructure, but broader
applicability across all
organization types
Executive Order
Presidential EO
13800,
“Strengthening the
Cybersecurity of
Federal Networks
and Critical
Infrastructure”
mandates the use of
CSF for all Federal IT

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is the NIST Cybersecurity Framework?
The CSF offers a simple-yet-effective risk-based, outcome-focused
framework consisting of three elements – Core, tiers, and profiles
• The Core represents a set of cybersecurity practices, outcomes, and technical,
operational, and managerial security controls (referred to as Informative References)
that support the five risk management functions
Core
• Tiers characterize an organization’s aptitude for managing cybersecurity risk
Tiers
• Profiles are intended to convey the organization’s “as is” and “desired” risk posture
Profiles
Identify Protect Detect Respond Recover
Tier 4-
Adaptive
Tier 3-
Repeatable
Tier 2- Risk
Informed
Tier 1-
Partial
Current Target
These three elements enable organizations to prioritize and address
cybersecurity risks consistent with their business and mission needs

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identify Protect Detect Respond Recover
Asset management
Business
environment
Governance
Risk Assessment
Risk Assessment
Strategy
Supply Chain Risk
Management
Access Control
Awareness and
Training
Data Security
Information
Protection
Processes and
Procedures
Maintenance
Protective
Technology
Anomalies and
Events
Security Continuous
Monitoring
Detection Processes
Response Planning
Communications
Analysis
Mitigation
Improvements
Recovery Planning
Improvements
Communications
Subcategories
(108 outcome-based security activities)
What is the NIST Cybersecurity Framework?

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why use the NIST Cybersecurity Framework?
Common taxonomy
around risk
management
No cost
Risk-based,
outcome-focused
Leverages existing
accreditations,
standards, and
controls
Flexible and adaptive
Relevant to techies
and execs
Sector agnostic
Health care
Commercial sector
Federal agencies
States
Italy, Japan, Israel, Uruguay
Financial services

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why use the NIST Cybersecurity Framework?
• According to Gartner, the CSF is used by approximately 30 percent of
U.S. private sector organizations and projected to reach 50 percent by
2020
• As of the release of this report, all 16 U.S. critical infrastructure sectors
use the CSF and over 20 states have implemented it
• Since fiscal year 2016, U.S. federal agency Federal Information Security
Modernization Act (FISMA) metrics have been organized around the
CSF, and now reference it as a “standard for managing and reducing
cybersecurity risks”

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Aligning to the NIST CSF in the AWS Cloud
AWS accomplishes two objectives in the
whitepaper
Security in the cloud- Maps the NIST CSF to AWS Cloud
offerings that customers can use to align to the NIST.
We provide a detailed breakout of AWS services and
associated customer and AWS responsibilities to
facilitate alignment to the NIST CSF.
Security of the cloud- Provides a third-party attestation
that AWS infrastructure and services conform to NIST
CSF risk-management practices, assuring customers that
their data is protected across AWS.

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Aligning to the NIST CSF in the AWS Cloud
How to use the whitepaper
1. Executive level
• Summary of AWS and customer responsibilities to
align to each of the five functions in the CSF (identify,
protect, detect, respond, recover)
• Third-party attestation
2. Technical level
• Detailed mapping of AWS services and resources
(beyond FedRAMP and ISO 27001)
• Customer responsibility
• AWS responsibility

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Services alignment with the CSF
• As validated by our third party assessor, AWS
solutions available today for our public and
commercial sector customers conform to the NIST
CSF. Each of these services maintains a current
accreditation under FedRAMP Moderate and/or ISO
27001.
• When deploying AWS solutions, organizations can
have the assurance that AWS services uphold risk
management best practices defined in the CSF and
can leverage these solutions for their own
alignment to the CSF.

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Asset Management
(ID.AM)
Business
Environment (ID.BE)
Governance (ID.GV) Risk Assessment
(ID.RA)
Risk Management
Strategy (ID.RM)
Supply Chain Risk
Management (ID.SC)
NIST CSF: Identify
Inventory
Lambda
Function
Event
(event-based)
Lambda
Function
Event
(event-based)
Enterprise
Agreement

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
NIST CSF: Protect
Identity Management,
Authentication and
Access Control
(PR.AC)
Awareness and
Training (PR.AT)
Data Security
(PR.DS)
Information
Protection Processes
and Procedures
(PR.IP)
Maintenance
(PR.MA)
Protective
Technology (PR.PT)
AWS STS
MFA token
Role
Permissions

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Auto Scaling group
Public Subnet Public Subnet
Auto Scaling group
Protect in AWS architecture
AWS Cloud
AWS Region
VPC
Availability Zone A Availability Zone B
App Subnet App Subnet
DB Subnet DB Subnet
DB Primary DB Secondary
Web Servers Web Servers
App Servers App Servers

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
NIST CSF: Detect
Anomalies and
Events (DE.AE)
Security Continuous
Monitoring (DE.CM)
Detection Processes
(DE.DP)
Flow logs
Lambda
Function
Event
(event-based)

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Response Planning
(RS.RP)
Communications
(RS.CO)
Analysis (RS.AN) Mitigation (RS.MI) Improvements
(RS.IM)
Organizational
response activities
are improved by
incorporating
lessons learned
from current and
previous
detection/response
activities
AWS service
configurations and
security
automation are
updated/improved
NIST CSF: Respond
Filtering
rule
ACL
Subnet
Rule

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Event (event-
based)
Lambda
Function
Filtering rule
Other AWS &
Partner Services
Automate with integrated services

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
NIST CSF: Recover
Recovery Planning
(RC.RP)
Improvements
(RC.IM)
Communications
(RC.CO)
Organizational
recover activities
are improved by
incorporating
lessons learned
from current and
previous
detection/response
activities
AWS service
configurations and
security
automation are
updated/improved

23. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Min Hyun
hyunmin@amazon.com
Michael South
mlsouth@amazon.com

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.