Design of Cybersecurity Maturity Assessment Framework Using NIST CSF v1.1 and CIS Controls v8

Abstract

Cybersecurity threats are constantly evolving, making it crucial for organizations to maintain a robust and maturing cybersecurity posture. According to the 2022 Annual Report of the Honeynet Project of the National Cyber and Crypto Agency (BSSN), there were 370,022,283 cyber attacks against Indonesia.  One of the strategies that can be implemented is to conduct a cybersecurity maturity assessment to determine the organization's current level of cybersecurity implementation. This paper proposes a design for a cybersecurity maturity assessment framework leveraging two established standards: the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) v1.1 and the Center for Internet Security (CIS) Controls v8. The proposed framework utilizes a mapping between the NIST CSF v.1.1 subcategories and the CIS Controls v8 subcontrols, enabling a comprehensive assessment of an organization's cybersecurity maturity. The assessment methodology focuses on evaluating the implementation and effectiveness of controls aligned with each NIST CSF function. This approach allows organizations to identify strengths and weaknesses in their cybersecurity posture and prioritize areas for improvement. This research developed a mapping between the NIST CSF framework and CIS Controls v8. The mapping aligns 23 integrated cybersecurity categories from NIST CSF (including 64 subcategories out of a possible 108) with 124 subcontrols from CIS Controls v8 (out of a total 153). This combined framework serves as a tool to help organizations improve their cybersecurity maturity and capabilities.