October 3, 2023
Report

Charting the unknown: A dive into the world of standards mapping

Abstract

When you hear "standards mapping," what do you think about? For the Secure Software Central (SSC) project, this means comparing our process to the National Institute of Standards and Technology’s (NIST) security control catalog. So how is it done? The project completed this summer can be broken down into three simple phases. Phase one consists of mapping the SSC process to NIST’s security control catalog. Phase two entails mapping mitigations from a threat profile to NIST. Lastly, phase three requires the creation of a knowledge base allowing for the reuse of controls across numerous projects. This project presented a few different challenges: locating the correct control within the NIST catalog while correctly matching the proposed mitigations from the SSC team, accurately leveling the mitigation to the security level of the system, and creating a toolbox to showcase a dataset of mitigations and standards to be used in current and future projects. Each challenge allowed for opportunities in growth and understanding of how security controls can map to a governing set of standards. These standards maps are a crucial element to support the insights provided by the SSC team and allow the client to have confidence in the work being completed. My internship has allowed me to set and achieve many goals, such as coming to understand that the field of cybersecurity truly is the right place for me. I have also learned that it’s OK to be wrong if you learn something from it. For significant accomplishments, I have helped integrate standards mapping into the fabric of SSC. The field experience that I have gained, such as interacting with the SSC team along with other senior staff and building a good rapport, are crucial skills to. This time at PNNL has been an irreplaceable experience.

Published: October 3, 2023

Citation

Mincey M.J. 2020. Charting the unknown: A dive into the world of standards mapping. Richland, WA: Pacific Northwest National Laboratory.