The purpose of this instruction is to continue facilitating the implementation of a security program. This instruction specifically identifies the action steps needed to complete Step 7: Implement Action Plan, which is designed to establish or improve a Cybersecurity Program as identified in the NIST Cybersecurity Framework.
This instruction will use segments from all previous steps to assist in implementing an action plan to bring an agency's environment into compliance with the NIST Cybersecurity Framework for a Cybersecurity Program.
The Implement Action Plan is the focal point for all activities associated with implementing a cybersecurity program. With the previous Implementation Steps completed (Current Profile, Target Profile, and Gap Analysis) and the results gathered and analyzed, your agency can begin the implementation process. There will be a Testing Phase as well as a Deployment Phase to complete the course of action. As previously stated in the Gap Analysis, controls tagged with a Priority Code 1 (P1) should be addressed first, according to NIST, however the agency may have decided to adjust that to use the TDC-I method in addition in order to account for the large quantity of P1 controls that need implementation. Attending to these critical issues first will be useful for your agency's planning costs, scope, and time.
NOTE: The all of the processes described here are applied continuously throughout the agency as different controls are implemented at different times throughout the agency.
Policies & Procedures
The single most important thing an agency can do is account for how they will implement security controls, but including them in their policies and procedures.
This step will involve periodic deployments into several environments and the assistance of various testing groups to ensure the functionality of new implementations into each environment. Testing should cover a wide range of areas including load testing, performance, user testing, as well as other areas, in order to cover all capacities where implementation issues may occur. If using a production environment, planning the following will be helpful when assigning roles to specific individuals in order to maximize improvement: how the system will be tested, which hardware and software will be used, and which dates and times, and specific devices will be tested. This process should also be communicated to the end users to avoid confusion and mishaps during daily operations.
After the testing has been completed, all parties involved should then coordinate with one another to propose any last minute changes to the implementation plan. Specific dates and times of the deployment will need to be set to ensure an efficient installation and configuration process. There should also be a time slot allocated after the deployment has been completed to address any issues that were not found during the testing phase. In the case that things are problematic, this post-deployment evaluation will assist in fixing the problem(s) found for your agency's earliest convenience.
The agency must review all installations, configurations, and any other changes to the environment that occurred during the deployment phase. Once this has been completed and you have verified that the environment is in a working and functional state, your agency should document the implementation process as "completed" and use its new configuration as a benchmark for any future changes or risk assessments that occur. Environments change, as do employees, so it is imperative to keep a record of all changes to ensure that all personnel that follows will be aware of previous changes made to the environment.