The NIST Cybersecurity Framework (CSF) did a great job describing what is needed to have a good cybersecurity posture, but it leaves you hanging on how you do it: what are good practices, and how do you measure them? To help assess the operational cyber defense posture of Department of Defense (DoD) systems, the Office of the Secretary of Defense (OSD), Director, Operational Test and Evaluation (DOT&E) developed metrics using the tasks and subtasks from the NIST CSF. The results are tasks, standards and conditions that can be used to assess a cyber defense team at any agency or business. The standards are derived from measuring the performance of defense teams against real-world threat actor tactics. The conditions are built from adversary actions to test teams on their ability to detect covert channels, lateral movement, privilege escalation, exfiltration of data, etc.
To assess an agency (let's imagine OPM), DOT&E first creates a Virtual Clone Network (VCN) of OPM that realistically represents not only the enterprise in a virtualized environment with firewalls, routers and OPM defenses, but also includes a synthetic internet, fake users (who open documents, click on links and go about their jobs), network traffic generation, assessment tools to score the teams, and adversary tools (including a zero-day exploit emulator). The OPM security team would first perform reconnaissance (familiarization) on the VCN and employ their technology and processes. The team would then be tested against the metrics of the NIST CSF to evaluate their ability to identify, protect, detect, respond and recover against real-world adversaries. The assessment includes "conditions" against a low, medium or high threat adversary. The metrics informed by the NIST CSF are detailed enough to create actionable recommendations on where a defense team is lacking in terms of technology, people or processes. This process provides a scorecard on how to get better.
Right now, at best, we require self-assessments of the government agencies we rely on. The technology and policy are finally mature enough to mandate actual cyber defense team testing and assessments. Let's find out where we are weak and be proactive about reducing that risk.