Challenges for national CSIRTs in Europe in 2016 : study on CSIRT maturity
The NIS Directive aims at creating a CSIRT Network "to contribute to developing confidence and trust between the Member States and to promote swift and effective operational cooperation". The Directive states that each Member State shall designate one or more CSIRTs that shall comply with a set of defined high-level requirements. In order to provide input to the designated CSIRTs on this topic, ENISA contracted a study on the maturity aspects of this type of CSIRT, narrowed down to the national teams expected to join the CSIRT Network; its results are presented here. The study takes all relevant information sources into account, with a special emphasis on the NIS Directive, the various ENISA reports on CSIRT capabilities, maturity and metrics, and the SIM3 maturity model for CSIRTs, a best-practice document widely used in Europe and beyond. The first lesson learnt is that a sustainable and implementable approach towards assessing and improving maturity is best based on a measurable set of quantities, or parameters. The SIM3 model as commonly used in Europe serves as an excellent basis for this, with some additions based especially on the NIS Directive requirements. The second lesson learnt is that the three-tier approach towards maturity levels that ENISA adopted in the 2013 report 'CERT community - Recognition mechanisms and schemes' can be used to define three levels when adopting the SIM3 maturity model to assess CSIRT maturity: basic, intermediate and certifiable. The report specifies a proposed definition of those three levels for the benefit of the CSIRT Network created by the NIS Directive, coupled with a validation process based on self-assessments and peer assessments. No actual certification is prescribed; however, the highest level, certifiable, has been defined at the level of the existing CSIRT certification scheme in Europe, which means that certification is within reach once that maturity level has been reached.
By adopting the proposed approach, the CSIRT Network will have immediate access to a clearly laid out CSIRT maturity improvement process that is both implementable and sustainable. A growth path is suggested that reaches basic level within one year, intermediate two years later and certifiable another two years later: a total of five years at most. Basic level already allows a minimum of successful cooperation between teams on incident handling; the higher levels are needed to allow the members of the CSIRT Network to interact on all levels, including proactively, thus truly giving meaning to the words CSIRT Network.
Year of publication: 2016
Institutions: European Union Agency for Network and Information Security (issuing body)
Publisher: Heraklion : ENISA
Subject: EU countries; Europe; Maturity
Similar items by subject
- European venture capital : the path to maturity. Bassi, Iggy (2006)
- SME financing in Europe : cross-country determinants of debt maturity. Hernández-Cánovas, Ginés (2006)
- European integration and corporate financing. Muradoğlu, Gülnur (2014)
- More ...