This guide helps organizations using Hyperproof implement the NIST Cybersecurity Framework (CSF) 2.0 based on prioritized, optional guidance from the Cybersecurity and Infrastructure Security Agency (CISA). The NIST CSF helps organizations understand their cybersecurity risks—including threats, vulnerabilities, and impacts—while facilitating response, incident recovery, and root cause analysis.
To simplify this, CISA identified the Cybersecurity Performance Goals (CPGs): a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners and operators will reduce risks to critical infrastructure operations.
Sources:
Follow the suggested workflow below to help you implement NIST CSF 2.0.
Step 1: Getting started
The first step to working with NIST CSF 2.0 and CISA’s CPGs in Hyperproof is to create your program. If you have already completed a SOC 2 or ISO 27001 program within the platform, you can jumpstart your NIST CSF 2.0 program directly from those existing frameworks.
From the left navigation menu, select Programs.
Click New.
Search for NIST CSF 2.0 and then select the program template.
The Review template window opens. Expand the sections in the right panel to review the requirements.
Click Next.
The Create program window opens.
Name your program and provide an optional description.
Click Create.
The Add controls to program window opens.
Select a tab to do any of the following:
Add controls - Hyperproof adds a set of illustrative controls to your program. By default, all controls are selected. Clear the checkboxes next to any controls you don't want to include in the program. Click Add.
Note: These controls are provided to help get you started. You can always customize them or remove them later.
Import controls - Import your own existing set of controls into Hyperproof. For more information on importing controls, refer to Importing controls into an existing program.
Reuse existing controls - Hyperproof looks for jumpstarts—objects like controls that already exist in your organization. Select the checkbox next to the program with the controls you want to reuse, then click Add controls.
Click Add.
Step 2: Conducting a prioritized gap analysis
Using the CISA CPG checklist, locate evidence, such as policies, procedures, standards, and guidelines, that support each practice in the CPG.
Where adequate evidence is available, mark controls as Completed. For example, item 2.g, Detection of Unsuccessful (Automated) Login Attempts, in the CPG checklist maps to NIST CSF control PR.AC-7. If your organization has a process or supporting technology for detecting unsuccessful login attempts, mark PR.AC-7 as Completed for now.
When no adequate evidence is available, mark controls as Unknown in Hyperproof. Continue until all items on the CISA CPG checklist have been evaluated and the controls in Hyperproof have been updated to reflect the appropriate implementation status.
While the CPG covers approximately one-third of the available NIST CSF controls, CISA identifies these as the highest impact controls that organizations should strengthen or implement first.
To mark controls:
Select Controls from the left navigation menu and use the Filter icon to narrow results by the program name.
Click the Grid view icon in the upper-right corner.
Select the checkbox next to the control(s) you want to implement.
Click Implementation, then select Completed for controls with sufficient evidence, or Unknown for those without.
Step 3: Prioritizing initial control gap mitigations
Focus on deploying people, processes, and technologies for controls aligned with the CPG checklist whose implementation status is marked as Unknown. For example, if identity management (PR.AC-1) is unknown, CISA recommends a system-enforced policy requiring a minimum password length of 15 or more characters for all password-protected IT assets.
The CPG provides a “recommended action” to take for controls with an implementation status of Unknown. In the example above, PR.AC-1, the recommendation is as follows:
Organizations have a system-enforced policy that requires a minimum password length of 15* or more characters for all password-protected IT assets, and all OT assets where technically possible.**
Organizations should consider leveraging passphrases and password managers to make it easier for users to maintain sufficiently long passwords. In instances where minimum password lengths are not technically feasible, compensating controls are applied and recorded, and all login attempts to those assets are logged. Assets that cannot support passwords of sufficient length are prioritized for upgrade or replacement.
Use Hyperproof’s task feature to assign owners to those NIST CSF controls that meet your organization’s tolerance for expenses and effort. Track control gap mitigation activities via the task.
Remember to mark each control status as Implemented in Hyperproof after there is adequate evidence of practice.
For information on tasks, see:
Notes on tasks
You can link tasks to Jira, Asana, or ServiceNow issues, allowing those responsible to work in the integrated system instead of Hyperproof.
Task status can be changed once the task is created.
Proof can be linked to a task, which also links it to the control when the task is closed.
Collaborate with other team members via the task's Activity Feed.
Step 4: Automating evidence collection
For items that either had evidence prior to the prioritized gap analysis or have had new controls (people, process, technology) applied, use a combination of Hyperproof’s Hypersync and LiveSync features to regularly inspect each control.
Live documents (i.e., documents edited in real time), such as policies and procedures, are strong candidates for LiveSync. For example, a LiveSync could regularly collect new versions of your organization’s cybersecurity policy document(s) relevant to ID.GV-1, Organizational cybersecurity policy is established and communicated.
The technical implementations of controls are potential candidates for Hypersyncs. For example, PR.AC-1 (mentioned above) requires a minimum password strength. If your organization uses AWS for Identity and Access Management, you could use the Hypersync for AWS proof type - IAM: Account Password Policy to collect the password policy as configured on a periodic basis. This demonstrates that the implementation aligns with the policy, as defined under ID.GV-1.
Note that creating a connection (Hypersync) between Hyperproof and a service app requires you to have specific permissions in that app. Each service app is different, and some are more complex than others. Before setting up a Hypersync, consult your service app’s Administrator to ensure you have sufficient privileges. For more information on supported service apps, including permissions, see Supported apps and proof types for Hypersyncs.
To configure LiveSync, see Using LiveSync.
To configure a Hypersync, see Connecting an app to Hyperproof and creating a Hypersync.
Step 5: Automating control testing
Controls with linked Hypersyncs can use Automated Control Testing (ACT) to reduce manual validation efforts.
For example, if the organizational policy (ID.GV-1) requires a minimum password policy of 15 characters (per CPG 2.B), the organization uses AWS’ IAM services, and there is a configured Hypersync for the Account Password Policy, an ACT could be constructed to validate that the minimum password length is 15 characters. This automates the testing process and eliminates the arduous task of manually testing the control.
Another example is if the organizational policy requires vulnerability scans to be performed regularly. Let’s say the organization uses Qualys, and they’ve configured a Hypersync for the List of PC Scans proof type. An automated control test could be constructed to verify that scans are occurring at the required cadence.
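The two automated control tests described above, written out as an added example that is not Hyperproof's ACT engine or any of its built-in tests. It evaluates the kind of proof a Hypersync would collect: a password policy in the shape of the AWS IAM GetAccountPasswordPolicy response, and a list of vulnerability scans whose field names (title, launch_datetime, status) are assumptions rather than Qualys' actual schema. Both samples are constructed inline, so the script runs offline; the thresholds (15 characters per CPG 2.B, a scan cadence in days) are the control's own requirement, not something the test discovers.

```python
"""Added example: pass/fail logic for two automated control tests over collected proof."""
from datetime import datetime, timedelta, timezone

# Constructed sample of the proof a Hypersync for "IAM: Account Password Policy"
# might collect. The key names follow the AWS IAM GetAccountPasswordPolicy
# response; the values are made up for this example.
SAMPLE_IAM_POLICY = {
    "PasswordPolicy": {
        "MinimumPasswordLength": 12,
        "RequireSymbols": True,
        "RequireNumbers": True,
        "MaxPasswordAge": 90,
    }
}


def evaluate_password_policy(proof, minimum_length=15):
    """Return (passed, findings) for the CPG 2.B minimum-length requirement.

    A missing policy block is treated as a failure rather than an error: an AWS
    account with no password policy configured has no enforced minimum at all.
    """
    findings = []
    policy = (proof or {}).get("PasswordPolicy")
    if not policy:
        return False, ["no account password policy is configured"]
    actual = policy.get("MinimumPasswordLength", 0)
    if actual < minimum_length:
        findings.append(
            f"MinimumPasswordLength is {actual}; policy requires at least {minimum_length}"
        )
    return not findings, findings


# Constructed sample scan list. Field names are assumptions for this example,
# not the proof schema of the Qualys "List of PC Scans" Hypersync.
SAMPLE_SCANS = [
    {"title": "Weekly PC scan", "launch_datetime": "2024-04-03T02:00:00Z", "status": "Finished"},
    {"title": "Weekly PC scan", "launch_datetime": "2024-04-10T02:00:00Z", "status": "Finished"},
    {"title": "Weekly PC scan", "launch_datetime": "2024-04-17T02:00:00Z", "status": "Finished"},
    # A two-week gap follows: the 2024-04-24 run never happened.
    {"title": "Weekly PC scan", "launch_datetime": "2024-05-01T02:00:00Z", "status": "Finished"},
    # An in-flight scan is not evidence that the cadence was met.
    {"title": "Weekly PC scan", "launch_datetime": "2024-05-02T02:00:00Z", "status": "Running"},
]

# Fixed "current time" so the example is reproducible.
AS_OF = datetime(2024, 5, 3, tzinfo=timezone.utc)


def _parse_utc(stamp):
    """Parse an ISO-8601 timestamp; accept a trailing 'Z' on Python < 3.11."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def evaluate_scan_cadence(scans, max_interval_days, as_of):
    """Return (passed, findings): finished scans must occur at least every
    max_interval_days, and the most recent one must be no older than that."""
    times = sorted(
        _parse_utc(s["launch_datetime"]) for s in scans if s.get("status") == "Finished"
    )
    if not times:
        return False, ["no completed scans found"]
    limit = timedelta(days=max_interval_days)
    findings = []
    if as_of - times[-1] > limit:
        findings.append(f"last completed scan was {times[-1].date()}, older than {max_interval_days} days")
    # Every gap between consecutive completed scans must also fit the cadence.
    for earlier, later in zip(times, times[1:]):
        gap = later - earlier
        if gap > limit:
            findings.append(
                f"{gap.days}-day gap between {earlier.date()} and {later.date()} exceeds {max_interval_days} days"
            )
    return not findings, findings


if __name__ == "__main__":
    for name, result in [
        ("ID.GV-1 / CPG 2.B password length", evaluate_password_policy(SAMPLE_IAM_POLICY)),
        ("weekly vulnerability scans", evaluate_scan_cadence(SAMPLE_SCANS, 7, AS_OF)),
    ]:
        passed, findings = result
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
        for f in findings:
            print(f"  - {f}")
```

With the sample data both tests fail: the IAM policy enforces 12 characters instead of 15, and the scan history has a 14-day gap that a 7-day cadence does not allow. Returning findings alongside the boolean matters in practice, because the finding text is what an owner needs to see on the task that tracks the gap; a bare FAIL forces them to re-derive it from the raw proof.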
To configure automated control tests, see:
Step 6: Completing initial prioritized control gap mitigations
The goal of this phase is to continue implementing and validating controls until the initial set of NIST CSF controls prioritized by the CISA CPG has a status of Completed in Hyperproof. Reaching this milestone is a significant step in reducing the likelihood and impact of known adversary techniques.
Step 7: Conducting a gap analysis of remaining NIST CSF controls
Once the prioritized CPG controls are addressed, you must evaluate each remaining NIST CSF control based on available supporting evidence. Controls where there is no evidence of practice should be marked as Unknown, while those with sufficient evidence are marked as Completed.
Navigate to the Controls menu and use the Grid view.
Select the checkbox next to the remaining control(s) you are evaluating.
Click Implementation, then select Completed for controls with sufficient evidence, or Unknown for those without.
Step 8: Prioritizing gap mitigations
Link your NIST CSF controls to your organization’s risks. Based on the unique risks your organization faces and the organizational tolerance for budget and complexity, prioritize implementation or maturity improvements for the NIST CSF controls that yield the greatest reduction in risk.
Mark new controls as Completed and automate the evidence collection process by setting up Hypersyncs, automated control tests, or LiveSync on the controls.
If your organization uses Hyperproof’s Risk Register, you can update the risk health and track mitigation percentages based on the strength of your newly implemented controls.
Step 9: Conducting an annual risk assessment
Hyperproof recommends conducting a risk assessment at least annually to prioritize future control-maturity efforts based on the unique risks your organization faces. The linkage between NIST CSF controls and risks allows your organization to decide which controls effectively reduce risk to an acceptable level.
To conduct a risk assessment, see: