Updates to the NIST Cybersecurity Framework

Similar documents
Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

The NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity

Using Metrics to Gain Management Support for Cyber Security Initiatives

Overview of the Cybersecurity Framework

Cyber Security & Homeland Security:

The Office of Infrastructure Protection

NCSF Foundation Certification

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Why you should adopt the NIST Cybersecurity Framework

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Framework for Improving Critical Infrastructure Cybersecurity

Improving Cybersecurity through the use of the Cybersecurity Framework

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

NCSF Foundation Certification

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

ACR 2 Solutions Compliance Tools

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Re: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1

Cybersecurity Risk Management:

Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant

Framework for Improving Critical Infrastructure Cybersecurity

Views on the Framework for Improving Critical Infrastructure Cybersecurity

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

From the Trenches: Lessons learned from using the NIST Cybersecurity Framework

Effectively Measuring Cybersecurity Improvement: A CSF Use Case

PIPELINE SECURITY An Overview of TSA Programs

Information Collection Request: The Department of Homeland. Security, Stakeholder Engagement and Cyber Infrastructure

Framework for Improving Critical Infrastructure Cybersecurity

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

Cybersecurity & Privacy Enhancements

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Critical Infrastructure Sectors and DHS ICS CERT Overview

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

Kent Landfield, Director Standards and Technology Policy

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Bradford J. Willke. 19 September 2007

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

FDA & Medical Device Cybersecurity

The Office of Infrastructure Protection

Designing and Building a Cybersecurity Program

HPH SCC CYBERSECURITY WORKING GROUP

U.S. Department of Homeland Security Office of Cybersecurity & Communications

Security Metrics. February 25, Annabelle Lee Senior Technical Executive

Developing a Model for Cyber Security Maturity Assessment

DHS Supply Chain Activity: Cross-Sector Supply Chain Working Group and Strategy on Global Supply Chain Security

Medical Device Cybersecurity: FDA Perspective

Implementing Executive Order and Presidential Policy Directive 21

Discussion Draft of the Preliminary Cybersecurity Framework August 28, 2013

SECURITY CODE. Responsible Care. American Chemistry Council. 7 April 2011

Maritime Bulk Liquids Transfer Cybersecurity Framework Profile

Using the NIST Cybersecurity Framework to Guide your Security Program August 31, 2017

HITRUST CSF: One Framework

TEL2813/IS2820 Security Management

Security Management Models And Practices Feb 5, 2008

DHS Cybersecurity: Services for State and Local Officials. February 2017

2014 Sector-Specific Plan Guidance. Guide for Developing a Sector-Specific Plan under NIPP 2013 August 2014

United States Energy Association Energy Technology and Governance Program REQUEST FOR PROPOSALS

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Using the NIST Framework for Metrics 5/14/2015

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

Industry role moving forward

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

Federal Data Center Consolidation Initiative (FDCCI) Workshop I: Initial Data Center Consolidation Plan

National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015

Integrated Cyber Defense Working Group (ICD WG) Introduction

Dams Sector Cybersecurity Program Guidance

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

ISAO SO Product Outline

Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA

DHS Emergency Services Sector Presents Tools and Resources for First Responders. June 1, pm ET

Data Recovery Policy

National Cybersecurity Center of Excellence

DHS Election Task Force Updates. Geoff Hale, Elections Task Force

Information Security Risk Strategies. By

The NIS Directive and Cybersecurity in

United States Government Cloud Standards Perspectives

Cybersecurity and Data Protection Developments

Information Security Continuous Monitoring (ISCM) Program Evaluation

Business continuity management and cyber resiliency

Apr. 10, Vulnerability disclosure and handling processes strengthen security programs

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

The Office of Infrastructure Protection

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

EPRO. Electric Infrastructure Protection Initiative EPRO BLACK SKY SYSTEMS ENGINEERING PROCESS

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

Regional Workshop on Frameworks for Cybersecurity and CIIP Feb 2008 Doha, Qatar

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Transcription:

Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016

Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity Framework DHS Critical Infrastructure Cyber Community (C3) Voluntary Program 1. ESS Roadmap to Secure Voice and Data Systems (2014) 2. ESS Cybersecurity Framework Implementation Guidance (2015) Additional Cybersecurity Guidance and Resources

NIST Cybersecurity Framework Released in February 2014, the NIST Cybersecurity Framework (CSF) is a flexible, voluntary risk-based approach to improving the security of critical infrastructure Collaboratively developed between government and the private sector, based on industry standards and best practices Designed to complement existing cybersecurity risk management process or to develop a credible program if one does not exist Repeatable process to identify and prioritize cybersecurity improvements and maximize investment in mitigations Can be used by any organization regardless of size or industry sector based on their unique risks and business needs For more information on the CSF: https://www.nist.gov/cyberframework 3

Using the NIST Cybersecurity Framework Core Organizes cybersecurity activities into five functions Each function has objectives arranged in categories and subcategories, which each map to a list of industry best practices and standards that should be used to achieve those objectives. 4

Using the NIST Cybersecurity Framework Example Function Category Subcategory Informative References IDENTIFY (ID) Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization s risk strategy. ID.AM-1: Physical devices and systems within the organization are inventoried CCS CSC 1 COBIT 5 BAI09.01, BAI09.02 ISA 62443-2-1:2009 4.2.3.4 ISA 62443-3-3:2013 SR 7.8 ISO/IEC 27001:2013 A.8.1.1, A.8.1.2 NIST SP 800-53 Rev. 4 CM-8 What to Do Information that can help to achieve it 5

Using the NIST Cybersecurity Framework Tiers Provide context for how an organization views cybersecurity risk and the processes in place to handle the risks Source: ESS Framework Implementation Guide, 2015 6

Using the NIST Cybersecurity Framework Process The CSF suggests a seven-step process to help organizations create a new cybersecurity program or improve an existing program Step 1: Prioritize and Scope Step 2: Orient Step 3: Create a Current Profile Step 4: Conduct a Risk Assessment Step 5: Create a Target Profile Step 6: Determine, Analyze, and Prioritize Gaps Step 7: Implement Action Plan Source: ESS Framework Implementation Guide, 2015 7

NIST CSF Timeline Feb 2013 Executive Order 13636 released Improving Critical Infrastructure Cybersecurity Aug 2015 GAO Assesses the Framework performance Early 2017 Anticipated Minor CSF Update Series of CSF Workshops Mar 2016 Analysis of RFI Responses Feb 2014 Framework for Improving Critical Infrastructure Cybersecurity Feb 2014 NIST Roadmap for Improving Critical Infrastructure Cybersecurity April 2016 CSF Workshop Dec 2015 NIST RFI Views of the Framework for Improving Critical Infrastructure Cybersecurity 8

Updates to the NIST Cybersecurity Framework 105 Responses Wide variety of respondents Local government State government Federal government Educational institutions Critical infrastructure and other industry partners Chemical Financial Communications Food/Agriculture Critical Manufacturing Government Facilities Defense Healthcare Emergency Information Technology Energy Water Industry associations and trade groups International perspectives 9

Updates to the NIST Cybersecurity Framework Theme Framework Update Timeline Update to Framework Content Update Process Framework Governance Optimal Industry Leadership Industry Resources Challenges in Sharing Best Practices Regulation International Alignment Awareness Description There were diverse comments on whether an update is necessary or desirable. Many respondents had specific suggestions of ways to update and expand the Framework. The Framework should be updated through a collaborative process and with minimal disruption to current industry use. Respondents are comfortable with NIST s continued leadership in the Framework process, though transition should be considered at a later date. Any possible future steward of the Framework should be a respected, internationallyrecognized, neutral, 3rd party organization. Industry resources are useful but additional guidance is needed, especially for small and medium-sized businesses. There is a need for additional sharing of best practices surrounding use of the Framework. Many users of the Framework say that regulation is a necessary consideration in the development of their cybersecurity programs and caution about the potential negative impact of additional regulatory requirements. The Framework is gaining traction internationally, but still needs continued outreach. Much progress has been made in spreading Framework awareness, but more is still needed. Source: Analysis of Cybersecurity Framework RFI Responses, NIST, March 24, 2016 10

Updates to the NIST Cybersecurity Framework Minimal disruption Clarifying and refining of current Framework attributes Update Informative References Clarify guidance for Implementation Tiers Review placement of cyber threat intelligence in the Core Provide guidance for applying the Framework to supply chain risk management Potential draft for comments early calendar year 2017 Other products may be modified as well: NIST Roadmap for Improving Critical Infrastructure Cybersecurity Frequently asked questions (FAQs) Publications, such as those hosted at the Computer Resource Center (CSRC) 11

Updates to the NIST Cybersecurity Framework Related efforts Framework governance methodology Describe stakeholder roles in the Framework ecosystem Establish approximate timelines for future Framework updates Define the difference between a major and minor update Self-assessment criteria Support organizational understanding of cybersecurity risk management business practices Based on Framework and key concepts from the Baldrige Performance Excellence Program 9/15/2016 NIST Releases Baldrige-Based Tool for Cybersecurity Excellence; Comments Sought on Draft Guide to Enhance Cybersecurity Framework https://www.nist.gov/news-events/news/2016/09/nist-releases-baldrige-based-tool-cybersecurity-excellence Continued outreach efforts International Small and medium-sized businesses Regulators 12

Critical Infrastructure Cyber Community (C 3 ) Voluntary Program DHS CS&C is the coordination point for promoting implementation of the Framework Three main activities Use: Promote understanding and support development of guidance to use the Framework Outreach and Communications: Connect stakeholders and guide organizations to resources Feedback: Solicit feedback on how Framework is used and recommendations for improvements Implementation guidance General guidance on how the Framework applies to critical infrastructure sectors and organizations Tailored guidance specific to sectors, including the Emergency Support Services (ESS) sector 2014 ESS Roadmap to Secure Voice and Data Systems https://www.dhs.gov/sites/default/files/publications/emergency-services-sector-roadmap-to-secure-voice-and-data%20systems-508.pdf 2015 ESS Cybersecurity Framework Implementation Guidance https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/ess-framework-implementation-guide-2015-508.pdf 13

ESS Roadmap to Secure Voice and Data Systems (2014) In 2012 the ESS Cyber Risk Assessment (ESS-CRA) identified operational and strategic risks to ESS infrastructure The Roadmap identifies and discusses several proposed risk mitigation measures and includes: justification for the response, sector context, barriers to implementation, and suggestions for implementation Designed to help ESS personnel understand how to organize and conquer risk mitigation measures, it uses language from the NIMS/Incident Command System to help delineate responsibilities Guidance provided in the Roadmap may apply to any public safety cyber resource 14

ESS Cybersecurity Framework Implementation Guidance (2015) In response to the NIST CSF, DHS, as the Sector-Specific Agency (SSA), worked with the ESS Coordinating Council (SCC) and Government Coordinating Council (GCC) to develop this Implementation Guidance specifically for ESS organizations The Implementation Guidance provides ESS organizations with: Background on the Framework terminology, concepts, and benefits of its use; A mapping of existing cybersecurity tools and resources used in the ESS that can support Framework implementation; and Detailed Framework implementation steps tailored for ESS organizations A notional use-case study 15

Implementation Guidance Mapping Additional pre-existing cybersecurity guidance, tools and resources of the ESS community are mapped as part of the Implementation Guidance: Energy Sector Cybersecurity Capability Maturity Model (C2M2) Program Cyber Resilience Review (CRR) Cybersecurity Evaluation Tool (CSET) Emergency Services Sector Cyber Risk Assessment (ESS-CRA) ESS Roadmap to Secure Voice and Data Systems (Roadmap) Emergency Services Sector-Specific Tabletop Exercise Program (ES SSTEP) Health Insurance Portability and Accountability Act (HIPAA) Function Category Subcategory CRR CSET ESS- CRA ES SSTEP Roadmap Energy HIPAA C2M2 IDENTIFY (ID) Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization s risk strategy. ID.AM-1: Physical devices and systems within the organization are inventoried X X X X X X 16

Additional Cybersecurity Guidance and Resources OEC Fiscal Year 2016 SAFECOM Guidance on Emergency Communications Grants https://www.dhs.gov/sites/default/files/publications/fy%202016%20safecom%20guidance%20final%20508c.pdf Appendix B Technology and Equipment Standards Cybersecurity for Emergency Communications Review of Cyber Risks Cybersecurity Best Practices Standards for Cybersecurity Cybersecurity Resources Resources Additional Guidance 17

Contact Information Robert Dusty Rhoads U.S. Department of, Office of Emergency Communications Branch Chief Robert.Rhoads@HQ.DHS.GOV (703) 235-4014 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback