Framework for Improving Critical Infrastructure Cybersecurity
May 2017
cyberframework@nist.gov

Why Cybersecurity Framework?
Cybersecurity Framework uses:
- Identify mission or business cybersecurity dependencies
- Align and de-conflict cybersecurity requirements
- Prioritize cybersecurity outcomes
- Organize, authorize, task, and track work
- Express risk disposition
- Understand gaps between current and target

The Cybersecurity Framework...
- Includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
- Provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
- Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations.
- Is consistent with voluntary international standards.
The Framework Is for Organizations...
- Of any size, in any sector in (and outside of) the critical infrastructure.
- That already have a mature cyber risk management and cybersecurity program.
- That don't yet have a cyber risk management or cybersecurity program.
- Needing to keep up-to-date managing risks, facing business or societal threats.
- In the federal government, too, since it is compatible with FISMA requirements and goals.

Cybersecurity Framework Components
- Framework Core: cybersecurity activities and informative references, organized around particular outcomes. Enables communication of cyber risk across an organization.
- Framework Profile: aligns industry standards and best practices to the Framework Core in a particular implementation scenario. Supports prioritization and measurement while factoring in business needs.
- Framework Implementation Tiers: describes how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics.

Implementation Tiers
Tiers: 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive
Each Tier is assessed along three dimensions:
- Risk Management Process: the functionality and repeatability of cybersecurity risk management
- Integrated Risk Management Program: the extent to which cybersecurity is considered in broader risk management decisions
- External Participation: the degree to which the organization benefits by sharing or receiving information from outside parties
Core (Cybersecurity Framework Component)
Audiences the Core must speak to:
- Senior Executives: broad enterprise considerations; abstracted risk vocabulary
- Specialists in Other Fields: specific focus outside of cybersecurity; specialized or no risk vocabulary
- Implementation/Operations: deep technical considerations; highly specialized vocabulary

Core (Cybersecurity Framework Component)
Functions, the question each answers, and their Categories (with Category IDs):
- Identify (What processes and assets need protection?): Asset Management (ID.AM); Business Environment (ID.BE); Governance (ID.GV); Risk Assessment (ID.RA); Risk Management Strategy (ID.RM)
- Protect (What safeguards are available?): Access Control (PR.AC); Awareness and Training (PR.AT); Data Security (PR.DS); Information Protection Processes & Procedures (PR.IP); Maintenance (PR.MA); Protective Technology (PR.PT)
- Detect (What techniques can identify incidents?): Anomalies and Events (DE.AE); Security Continuous Monitoring (DE.CM); Detection Processes (DE.DP)
- Respond (What techniques can contain impacts of incidents?): Response Planning (RS.RP); Communications (RS.CO); Analysis (RS.AN); Mitigation (RS.MI); Improvements (RS.IM)
- Recover (What techniques can restore capabilities?): Recovery Planning (RC.RP); Improvements (RC.IM); Communications (RC.CO)

Core Example (Cybersecurity Framework Component)
(Table of one Core row; only the column headings survive: Function, Category, Subcategory, Informative Reference)
Profile (Cybersecurity Framework Component)
Ways to think about a Profile:
- A customization of the Core (Identify, Protect, Detect, Respond, Recover) for a given sector, subsector, or organization.
- A fusion of business/mission logic and cybersecurity outcomes.
- An alignment of cybersecurity requirements with operational methodologies.
- A basis for assessment and expressing target state.
- A decision support tool for cybersecurity risk management.

Building a Profile
A Profile can be created in three steps:
1. Mission Objectives (A, B, C)
2. Cybersecurity Requirements (legislation, regulation, internal & external policy, best practice), mapped to Core Subcategories 1, 2, 3 ... 98
3. Operating Methodologies: guidance and methodology on implementing, managing, and monitoring

Framework 7-Step Process
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implementation Action Plan
Supporting Risk Management with Framework

Conceptual Profile Value Proposition
(Table) Three linked columns: (1) Cybersecurity Requirements A through G, (2) Subcategory with Priority, (3) Operating Methodologies I through VIII. For example, Requirement A maps to Subcategory 1 (priority moderate), which is implemented by Methodologies I and II; Requirements B and C map to Subcategory 2 (priority high), implemented by Methodology III. Subcategory 3 and Subcategory 98 are both priority moderate.
When you organize yourself in this way:
- Compliance reporting becomes a byproduct of running your security operation
- Adding new security requirements is straightforward
- Adding or changing operational methodology is non-intrusive to on-going operation

Resource and Budget Decision Making
What can you do with a CSF Profile?
(Table) Columns: As-Is, Year 1 To-Be, Year 2 To-Be; per Subcategory: Priority, Gaps, Budget, Year 1 Activities, Year 2 Activities.
- Subcategory 1: priority moderate, gap small, budget $$$, activities planned (X)
- Subcategory 2: priority high, gap large, budget $$, activities planned (X)
- Subcategory 3: priority moderate, gap medium, budget $, activities planned (X)
- Subcategory 98: priority moderate, gap none, budget $$, reassess
...and supports on-going operational decisions, too.
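The Profile mechanics on the last few slides (Steps 3, 5, 6 and 7 of the 7-Step Process, the requirement-to-subcategory rows of the Conceptual Profile, and the gap/budget table) can be worked through in code. The block below is an added example, not NIST's own tooling: it models Profile rows, computes priority-weighted gaps between a Current and a Target Profile, and turns them into a two-year action plan. The subcategory IDs are real CSF identifiers (ID.AM-1, PR.AC-6, DE.CM-1, RS.RP-1); the requirements, priorities, tiers and budget are constructed.

```python
from dataclasses import dataclass

# Constructed example (not NIST code). Subcategory IDs are real CSF identifiers
# taken from the Core table and the PR.AC-6 slide; the requirements, priorities,
# tiers and budget below are hypothetical.
PRIORITY_WEIGHT = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class ProfileRow:
    subcategory: str   # Core identifier, e.g. "PR.AC-6"
    requirement: str   # legislation, regulation, policy or best practice it serves
    priority: str      # "low", "moderate" or "high"
    current_tier: int  # Step 3: Current Profile (Tier 1 Partial .. Tier 4 Adaptive)
    target_tier: int   # Step 5: Target Profile

    def gap(self) -> int:
        # tier steps still to climb; exceeding the target is not a gap
        return max(self.target_tier - self.current_tier, 0)

    def gap_label(self) -> str:
        return {0: "none", 1: "small", 2: "medium"}.get(self.gap(), "large")

    def score(self) -> int:
        return self.gap() * PRIORITY_WEIGHT[self.priority]


def prioritized_gaps(profile):
    """Step 6: open gaps ranked by priority-weighted size, highest first."""
    open_rows = sorted((r for r in profile if r.gap() > 0),
                       key=lambda r: (-r.score(), r.subcategory))
    return [(r.subcategory, r.gap_label(), r.score()) for r in open_rows]


def action_plan(profile, year1_budget):
    """Step 7: one budget unit funds one tier step; highest-ranked gaps are
    scheduled in year 1 until the budget runs out, the rest in year 2."""
    by_id = {r.subcategory: r for r in profile}
    plan, remaining = {}, year1_budget
    for sub, _, _ in prioritized_gaps(profile):
        year1 = min(by_id[sub].gap(), remaining)
        remaining -= year1
        plan[sub] = {"year1_steps": year1, "year2_steps": by_id[sub].gap() - year1}
    return plan


SAMPLE_PROFILE = [  # constructed rows
    ProfileRow("ID.AM-1", "asset inventory regulation", "moderate", 2, 3),
    ProfileRow("PR.AC-6", "identity proofing policy", "high", 1, 3),
    ProfileRow("DE.CM-1", "network monitoring best practice", "moderate", 3, 3),
    ProfileRow("RS.RP-1", "incident response plan", "high", 1, 2),
]
```

Calling prioritized_gaps(SAMPLE_PROFILE) ranks PR.AC-6 first, and action_plan(SAMPLE_PROFILE, 3) funds PR.AC-6 and RS.RP-1 in year 1 and defers ID.AM-1 to year 2.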
Profile Ecosystem
(Diagram) NIST supplies the taxonomy: the Cybersecurity Framework Core, Subcategories 1, 2, 3 ... 98. An organization or community supplies its requirements (Req A, Req B, Req C ... Req ZZ) through crosswalks and mappings to those Subcategories, and assigns priorities (High, Mod, Low). The result is a Cybersecurity Framework Profile.

Key Attributes
- It's voluntary
  - Is meant to be customized.
- It's a framework, not a prescriptive standard
  - Provides a common language and systematic methodology
  - Does not tell an organization how much cyber risk is tolerable, nor provide the one and only formula for cybersecurity.
  - Enables best practices to become standard practices for everyone
- It's a living document
  - Can be updated as stakeholders learn from implementation
  - Can be updated as technology and threats change.
- It's broadly applicable
  - All size organizations; all maturities of risk practices; both inside and outside of critical infrastructure; industries, governments, and academia

Examples of Framework Industry Resources
www.nist.gov/cyberframework/industry-resources
- Italy's National Framework for Cybersecurity
- American Water Works Association's Process Control System Security Guidance for the Water Sector
- The Cybersecurity Framework in Action: An Intel Use Case
- Cybersecurity Risk Management and Best Practices Working Group 4: Final Report
- Energy Sector Cybersecurity Framework Implementation Guidance

Examples of State & Local Use
- Texas, Department of Information Resources
  - Aligned Agency Security Plans with Framework
  - Aligned Product and Service Vendor Requirements with Framework
- North Dakota, Information Technology Department
  - Allocated Roles & Responsibilities using Framework
  - Adopted the Framework into their Security Operation Strategy
- National Association of State CIOs
  - 2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy
- Houston, Greater Houston Partnership
  - Integrated Framework into their Cybersecurity Guide
  - Offer On-Line Framework Self-Assessment
- New Jersey
  - Developed a cybersecurity framework that aligns controls and procedures with Framework
NIST Manufacturing Profile
NIST Discrete Manufacturing Cybersecurity Framework Profile
Utilizing CSF Informative References to create tailored language for the manufacturing sector:
- NIST SP 800-53
- NIST SP 800-82
- ISA / IEC 62443
(Image credit: www.tiger-global.co.uk)

U.S. Coast Guard Maritime Bulk Liquids Transfer Framework Profile
- NCCoE and United States Coast Guard (USCG) worked together to draft a USCG Maritime Profile, based on the Cybersecurity Framework
- Aligns the USCG's cyber strategy with cybersecurity activities of the maritime bulk liquid transport operations of the oil & natural gas industry, utilizing standards and best practices guided by the Framework
- The profile can help individual companies clarify how cybersecurity fits into their mission priorities and how best to allocate resources to secure their information and operational systems.
- The profile is available at: https://www.uscg.mil/hq/cg5/cg544/docs/maritime_blt_csf.pdf

NIST Baldrige Excellence Builders
Editions: Manufacturing, Service, Small Business, Education, Healthcare, Non-profit, Cybersecurity (2017)
Baldrige Cybersecurity Excellence Builder
- Self-assessment criteria with basis in Cybersecurity Framework
- Complements NIST Baldrige Program's performance excellence successes.
- April 2-5, 2017: 29th Annual Quest for Excellence Conference. A pre-conference workshop that focuses on cybersecurity will be held on April 2nd; visit: https://www.nist.gov/baldrige/qe

Continued Improvement of Critical Infrastructure Cybersecurity
Cybersecurity Enhancement Act of 2014 (P.L. 113-274), 18 December 2014
Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say: "on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure"
Basics about the Proposed Revision to Framework (Draft Cybersecurity Framework Version 1.1)
- Draft Version 1.1 of the Cybersecurity Framework seeks to clarify, refine, and enhance the Framework
- The Framework remains flexible, voluntary, and cost-effective
- The update is fully compatible with V1.0
- Updates were derived from feedback NIST received since publication of Cybersecurity Framework Version 1.0
- A 90-day public comment period for the version 1.1 draft ended April 10th, 2017
- There will be a Workshop May 16-17, 2017 to continue discussion

Input to the Framework Update (Draft Cybersecurity Framework Version 1.1)
The update was based on feedback from the cybersecurity community including:
- December 2015 request for information
- Lessons learned from Framework use
- Shared resources from industry partners
- April 2016 Cybersecurity Framework workshop
- Advances made in areas identified in the Roadmap issued with the Framework in February 2014

Major Themes from Inputs (Draft Cybersecurity Framework Version 1.1)
Several major themes were identified and considered during the update, which included:
- Strengthening authentication & identity management in the Framework Core
- Guidance for acquisition and supply chain risk management (SCRM)
- Methodology for measurement and generating metrics
- Clarity on Implementation Tiers and their relationship to Profiles

Cyber Supply Chain Risk Management (SCRM) Overview (Draft Cybersecurity Framework Version 1.1)
- The most notable changes in the draft update related to SCRM
- Section 3.3 now explains the role of SCRM in cybersecurity
- Multiple provisions were added, including a new category in the Framework Core
Implementation Tiers and Profiles (Draft Cybersecurity Framework Version 1.1)
- Additional language added on use of Framework Tiers to include prioritization within a Target Profile and to inform progress in addressing Profile gaps
- Language added to reflect integration of Framework considerations within organizational risk management programs
- Tiers have been expanded to include cyber SCRM considerations
- Figure 2.0 updated to include actions from the Framework Tiers

Identity Management (Draft Cybersecurity Framework Version 1.1)
- Language of the Access Control category refined to better account for authorization
- Subcategory on identity proofing (PR.AC-6) added to the Access Control category
- Access Control category renamed to Identity Management, Authentication and Access Control (PR.AC) to better represent Category and Subcategory scope

Cybersecurity Measurement (Draft Cybersecurity Framework Version 1.1)
- Sections 4.0 and 4.1
  - Correlation between business results and cybersecurity risk management outcomes
  - Metrics versus measures
  - Leading versus lagging
- Section 4.2: Types of Cybersecurity Measurement
- Framework measurement provides a basis for strong, trusted relationships, both inside and outside of an organization
(Figure labels: Higher-Level / Lower-Level; Behaviors (Implementation Tiers, Process); Outcomes (Core, Informative References); Metrics and Measures; Practices: Management, Process, Technical)

Resources: Where to Learn More and Stay Current
- Framework for Improving Critical Infrastructure Cybersecurity and related news, information: www.nist.gov/cyberframework
- Additional cybersecurity resources: http://csrc.nist.gov/
- Questions, comments, ideas: cyberframework@nist.gov