NIST SP 500-292: NIST Cloud Computing Reference Architecture. Discusses the dependency between consumer, auditor, provider, broker, and carrier.
NIST SP 500-299/800-200: NIST Cloud Security Reference Architecture. Regulates cloud functional capacities, cybersecurity and privacy controls.
Cloud Security Alliance (CSA) Trusted Cloud Initiative Reference Architecture for Enterprise. Formulates IT domain-based controls in Business Operation Support, IT Operation & Support, Presentation, Application, Information, Security & Risk Management.
NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations. Develops a catalog of security and privacy controls, and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional).
NIST SP 800-174: Security and Privacy Controls for Cloud-based Federal Information Systems. Provides role-based questionnaires, domains, potential impact level, function capabilities controls, information protection controls, SIS, etc.
CUBE is the only business and government compliance framework for the cybersecurity, governance, and management of IT, especially in cloud infrastructure. It is the product of multiple task forces and a development team from NIST, FedRAMP, and independent associations.
CUBE incorporates the latest thinking in cybersecurity, governance, and management techniques, and provides accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems.
It builds on and integrates FISMA metrics, SP 800-53 controls, the FedRAMP standard, and NIST CSF compliance.
CUBE builds on the major frameworks, including Federal Information Security Management Act (FISMA) metrics, National Institute of Standards and Technology (NIST) SP 800-53 security and privacy controls, Federal Risk and Authorization Management Program (FedRAMP) compliance, and the NIST Cybersecurity Framework (CSF) standard.
Currently under development, CUBE continually integrates other major frameworks, standards and resources, including International Organization for Standardization (ISO) 27001/2, the Cloud Security Alliance (CSA) CAIQ standard, and COBIT 5.
New cloud computing demands, governmental and industry-specific regulations, and risk scenarios emerge every day. Maximizing the value of intellectual property, managing risk and security, and assuring compliance through effective IT cybersecurity, governance, and management has never been more important.
No other framework focused on cloud IT offers the extensiveness and benefits of CUBE.
CUBE is generic and useful for enterprises of all sizes, whether government contractors, commercial, not-for-profit, or in the public sector.
CUBE is used globally by those who have the primary responsibility for business processes and technology, depend on technology for relevant and reliable information, and provide compliance and standards for the quality, reliability, and control of information and related technology.
Key users include enterprise executives and consultants in the following areas: Audit and Assurance, Compliance, IT Operations, Governance, Security and Risk Management, and Training.
Provides a cyber-secured solution, such as the SSP, that supports continuous monitoring and automated risk assessment (including machine-readable output).
Provides a methodology for identifying the functional capabilities and their associated security controls required for a new or migrated system, for both standard and cloud-based solutions.
Provides an interactive cybersecurity service that helps clients architect the security controls for IT development in terms of security levels, financial availability, role-based analysis, NIST-compliance baseline, etc.
Provides a user-customizable controls baseline for implementation as part of an organization-wide process that manages information security and privacy risk.
Promotes a diverse set of government-compliant IT security requirements to the public and private sectors. Such NIST-compliant controls have been implemented across the federal government and critical infrastructure, and are derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs.
From basic access control, employee awareness and training, security audit, planning, and risk assessment to security and privacy, CUBE provides a well-rounded compliance and standards framework for the cybersecurity, governance, and management of enterprise IT.
The management of organizational risk is a key element in any organization’s information security program. With this in mind, the National Institute of Standards and Technology (NIST) has developed the Risk Management Framework (RMF), a set of processes for federal bodies to integrate information security and risk management into their systems development life cycles. The RMF consists of six steps to help an organization select the appropriate security controls to protect against resource, asset, and operational risk.
First, CUBE Categorizes the system and the information using impact analysis and the CSF questionnaire set.
Next, CUBE Selects a set of baseline security controls for the system based on the categorization, tailoring and supplementing as needed. This includes selecting and identifying capabilities, choosing the best-fitting architecture, and further developing the user-customizable System Security Plan (SSP).
With the integration of OSCAL in the SSP, CUBE allows third-party tools to automatically assess the security controls to determine the extent to which they meet the security requirements for the system. It also closely supports continuous monitoring for risk control.