Overview of the Cybersecurity Framework

Similar documents
Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Framework for Improving Critical Infrastructure Cybersecurity

The NIST Cybersecurity Framework

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity Risk Management:

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Updates to the NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity

Implementing Executive Order and Presidential Policy Directive 21

NCSF Foundation Certification

Views on the Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

From the Trenches: Lessons learned from using the NIST Cybersecurity Framework

Effectively Measuring Cybersecurity Improvement: A CSF Use Case

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework

ACHIEVING SECURITY with the NIST CYBERSECURITY FRAMEWORK INDUSTRY PERSPECTIVE

NCSF Foundation Certification

Improving Cybersecurity through the use of the Cybersecurity Framework

ISAO SO Product Outline

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Using the NIST Framework for Metrics 5/14/2015

FDA & Medical Device Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

Track 4A: NIST Workshop

Cybersecurity Risk Management Guide for Voluntary Use of the NIST Cybersecurity Framework

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Cybersecurity for Health Care Providers

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

2014 Sector-Specific Plan Guidance. Guide for Developing a Sector-Specific Plan under NIPP 2013 August 2014

ACR 2 Solutions Compliance Tools

Re: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

Dear Mr. Games: Please see our submission attached. With kind regards, Aaron

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Cyber Security Strategy

Designing and Building a Cybersecurity Program

NIST Cybersecurity Testbed for Transportation Systems. CheeYee Tang Electronics Engineer National Institute of Standards and Technology

Discussion Draft of the Preliminary Cybersecurity Framework August 28, 2013

Cybersecurity & Privacy Enhancements

The Impact of US Cybersecurity Policies on Submarine Cable Systems

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

National Initiative for Cybersecurity Education

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

National Policy and Guiding Principles

Cybersecurity, safety and resilience - Airline perspective

THE POWER OF TECH-SAVVY BOARDS:

A Controls Factory Approach To Operationalizing a Cyber Security Program Based on the NIST Cybersecurity Framework

Medical Device Cybersecurity: FDA Perspective

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

ENISA EU Threat Landscape

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

Physical Security Reliability Standard Implementation

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

DHS Election Task Force Updates. Geoff Hale, Elections Task Force

STATE ENERGY RISK ASSESSMENT INITIATIVE ENERGY INFRASTRUCTURE MODELING AND ANALYSIS. National Association of State Energy Of ficials

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Mr. Games, Thank you. Kent Landfield McAfee, LLC. [Attachment Copied Below]

Cyber Security & Homeland Security:

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

HPH SCC CYBERSECURITY WORKING GROUP

The Office of Infrastructure Protection

Developing a Model for Cyber Security Maturity Assessment

Building a BC/DR Control Library and Regulatory Response Program

Liberia ICT Policy

Cyber Security Issues and Responses. Andrew Rogoyski Head of Cyber Security Services CGI UK

Smart grid provides consumers with unprecedented access and control of their

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Cyber Resilience. Think18. Felicity March IBM Corporation

Houston Urban Area Security Initiative (UASI) Cybersecurity Mini-Assessment Workshop

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

ISA99 - Industrial Automation and Controls Systems Security

Using the NIST Cybersecurity Framework to Guide your Security Program August 31, 2017

Kent Landfield, Director Standards and Technology Policy

Maritime Bulk Liquids Transfer Cybersecurity Framework Profile

Acalvio Deception and the NIST Cybersecurity Framework 1.1

Cyber Security in Europe and CEER s new PEER initiative

Using Metrics to Gain Management Support for Cyber Security Initiatives

AFRICA AND MIDDLE EAST AVIATION SECURITY ROADMAP

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Information Technology Branch Organization of Cyber Security Technical Standard

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

MANAGING CYBER RISK: THE HUMAN ELEMENTS OF CYBERSECURITY

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

Proposed Regional ehealth Strategy ( )

Transcription:

Overview of the Cybersecurity Framework Implementation of Executive Order 13636 Matt Barrett Program Manager matthew.barrett@nist.gov cyberframework@nist.gov 15 January 2015

Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties President Barack Obama Executive Order 13636, Feb. 12, 2013 The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work 2

Based on the Executive Order, the Cybersecurity Framework Must... Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks Provide a prioritized, flexible, repeatable, performance-based, and costeffective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk Identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations Be consistent with voluntary international standards 3

Development of the Framework Engage the Framework Stakeholders EO 13636 Issued February 12, 2013 NIST Issues RFI February 26, 2013 1 st Framework Workshop April 03, 2013 Collect, Categorize, and Post RFI Responses Completed April 08, 2013 Identify Common Practices/Themes May 15, 2013 Analyze RFI Responses 2 nd Framework Workshop at CMU May 2013 Draft Outline of Preliminary Framework June 2013 Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process cyberframework@nist.gov Identify Framework Elements 3 rd Workshop at UCSD July 2013 4 th Workshop at UT Dallas September 2013 Prepare and Publish Framework 5 th Workshop at NC State November 2013 Published Framework February 2014 4

Framework Components Aligns industry standards and best practices to the Framework Core in a particular implementation scenario Supports prioritization and measurement while factoring in business needs Framework Profile Framework Core Cybersecurity activities and informative references, organized around particular outcomes Enables communication of cyber risk across an organization Framework Implementation Tiers Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics 5

Framework Core What assets need protection? What safeguards are available? What techniques can identify incidents? What techniques can contain impacts of incidents? What techniques can restore capabilities? 6

Framework Core - Sample 7

Framework Profile Alignment of Functions, Categories, and Subcategories with business requirements, risk tolerance, and resources of the organization Enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities Can be used to describe current state or desired target state of cybersecurity activities 8

Framework Implementation Tiers Feedback indicated the need for the Framework to allow for flexibility in implementation and bring in concepts of maturity models. Responding to feedback, Framework Implementation Tiers were proposed to reflect how an organization implements the Framework Core functions and manages its risk. The Tiers are progressive, ranging from Partial (Tier 1) to Adaptive (Tier 4), with each Tier building on the previous Tier. The Tier characteristics are defined at the organizational The Tier characteristics are defined at the organizational level and are applied to the Framework Core to determine how a category is implemented. 9

Why You Should Consider Adopting the Framework Benefits Reduces time and expense of starting an information security program Reduces risk within current information securityprogramsby identifying areas for improvement Increases efficiencies and reduce the possibility of miscommunication within your information security program and with other organizations such as partners, suppliers, regulators, and auditors Features Organizes reconciliation and de confliction of legislation, l regulation, policy, and industry best practice (Core) Guides organization and management of andinformation securityprogram (Core) Measures current state and expresses desired state (Profile) Enables investment decisions to address gaps in current state (Profile) Communicates cybersecurity requirements with stakeholders, including partners and suppliers (Profile) Enables informed trade off analysis of expenditure versus risk (Tiers) 10

Near Term Framework Activities Continue education efforts, including creation of self-help and re-use materials for those who are new to the Framework Continue awareness and outreach with an eye toward industry communities who are still working toward basal Framework knowledge and implementation Educate on the relationship between Framework and the larger risk management process, including how organizations can use Tiers To allow for adoption, Framework version 2.0 is not planned for the near term 11

Key Points about the Framework It s a framework, not a prescription It provides a common language and systematic methodology for managing cyber risk It does not tell a company how much cyber risk is tolerable, nor does it claim to provide the one and only formula for cybersecurity Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone The framework is a living document It is intended to be updated over time as stakeholders learn from implementation, and as technology and risks change That s one reason why the framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time principals will not 12

Where to Learn More and Stay Current The Framework for Improving Critical Infrastructure Cybersecurity, the Roadmap, and related news and information are available at: http://www.nist.gov/cyberframework t / Email: cyberframework@nist.gov 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback