Cybersecurity Questionnaires: When the Answer to a Yes or No Question is “It Depends.”

In your professional life, when you are asked a question you don’t know the answer to, do you:

(a) Make up an answer
(b) Always pick B
(c) Pretend you didn’t hear the question

It’s (d) None of the above, right? In real life, we make sure we understand the question and answer it to the best of our ability, providing context if needed. Or at least that’s our goal.

This post is about cybersecurity questionnaires and how we answer them.

As cybersecurity compliance experts, we review a lot of security questionnaires and requests for information on behalf of our clients. We assist clients with preparing answers to questionnaires from the supply chain, insurance companies, customers, auditors, and others. In this blog, we are going to share some reasons why a questionnaire-based mechanism may not be the best way to assess your cybersecurity compliance.

Here is a real-world scenario. Assume you are a supplier in the defense sector. You receive a questionnaire from a customer that requires you to attest to the status of your implementation of the NIST 800-171 controls, “as applicable.”

The instructions are seemingly straightforward: Check the boxes if a control has been fully implemented by your company.

Not too bad, you think.

But a couple of clicks into it, you start to question whether a certain control is “fully” implemented. Your honest answer is more like “Sort of” or “It’s complicated” or “It’s a work in progress.” You may start to wonder whether what you’ve done is good enough.

As it turns out, in real life, answers about whether a NIST security control is implemented sufficiently, or is even applicable, can be murky. In fact, the answer may legitimately be “It

To illustrate, there are some questions about NIST controls, like multifactor authentication (3.5.3), that can be answered as Yes or No. You either have it or you don’t. This is a straightforward question requiring a straightforward answer.

Others require unpacking. For example, the NIST control on “least functionality” (3.4.6) provides that you should employ the principle of least functionality by configuring systems to provide only essential capabilities. To answer that question as “implemented”, an organization would first need to define the systems in scope, define least functionality as it pertains to the organization, and document what capabilities the organization considers essential. Only then could an assessment look at whether systems are configured correctly to implement the control.

NIST control 3.13.16 (Protect the confidentiality of CUI at rest) is another control that is challenging to apply. For example, one way to protect the confidentiality of CUI at rest is with encryption. However, there could be other methods or layered defenses used to protect the confidentiality of data at rest, including limits on access control and boundary defenses. Maybe you have applied encryption but not a FIPS-validated version. Or maybe your risk tolerance relies on other layered defenses. So, the answer to whether you have implemented 3.13.16 could be “It depends.”

A questionnaire that demands a Yes or No answer is missing the holistic analysis that goes into an independent, third-party assessment of compliance with NIST 800-171. It is often impossible to check the box without first analyzing and identifying the types of data at hand, without assessing risk, and before concluding how to apply the controls in an appropriate way. In fact, the NIST 800-171 Risk Assessment requirement (3.11.1) indicates that an organization should perform a people, process, and technology risk assessment as a basis for deciding how to implement the NIST controls. In short, before answering 1 or 100 questions on whether a particular NIST control has been implemented, consider having enough information on risk to make good decisions on how to implement the controls — and the right documentation in place to justify your decisions.

At Sera-Brynn, we help define risk and interpret security controls. If a control calls for your company to do something periodically, we help you define “periodically” based on best practices that fit your risk profile. If you are unsure about whether a control is applicable, we figure it out. Modern-day cybersecurity programs involve identifying risk tolerance, employing layered defenses, good strategy, and documenting decision-making. There is not always a box to check for that.

Author: Colleen H. Johnson, Sera-Brynn Senior Cyber Legal Analyst