The NIST Cybersecurity Framework

Similar documents
Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity Risk Management:

The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,

Overview of the Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

NIST Cybersecurity Testbed for Transportation Systems. CheeYee Tang Electronics Engineer National Institute of Standards and Technology

NCSF Foundation Certification

Updates to the NIST Cybersecurity Framework

NCCoE TRUSTED CLOUD: A SECURE SOLUTION

National Cybersecurity Center of Excellence

Framework for Improving Critical Infrastructure Cybersecurity

Why you should adopt the NIST Cybersecurity Framework

Using the NIST Framework for Metrics 5/14/2015

Cybersecurity & Privacy Enhancements

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

HPH SCC CYBERSECURITY WORKING GROUP

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

NCSF Foundation Certification

National Policy and Guiding Principles

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Framework for Improving Critical Infrastructure Cybersecurity

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

Dear Mr. Games: Please see our submission attached. With kind regards, Aaron

Framework for Improving Critical Infrastructure Cybersecurity

ISAO SO Product Outline

Maritime Bulk Liquids Transfer Cybersecurity Framework Profile

Track 4A: NIST Workshop

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

National Cybersecurity Challenges and NIST. Matthew Scholl Chief Computer Security Division

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

NW NATURAL CYBER SECURITY 2016.JUNE.16

Cybersecurity Risk and Options Considered by IMO

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

2014 Sector-Specific Plan Guidance. Guide for Developing a Sector-Specific Plan under NIPP 2013 August 2014

Implementing Executive Order and Presidential Policy Directive 21

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

John Snare Chair Standards Australia Committee IT/12/4

Security Management Models And Practices Feb 5, 2008

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

ACR 2 Solutions Compliance Tools

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

The Office of Infrastructure Protection

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

NIST Security Certification and Accreditation Project

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Re: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

EPRO. Electric Infrastructure Protection Initiative EPRO BLACK SKY SYSTEMS ENGINEERING PROCESS

FEMA Update. Tim Greten Technological Hazards Division Deputy Director. NREP April 2017

Evolving Cybersecurity Strategies

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

SAC PA Security Frameworks - FISMA and NIST

The J100 RAMCAP Method

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

TEL2813/IS2820 Security Management

Risk-Based Cyber Security for the 21 st Century

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Legal and Regulatory Developments for Privacy and Security

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

American Association of Port Authorities Port Security Seminar & Expo Cyber Security Preparedness and Resiliency in the Marine Environment

THE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS

Cybersecurity for Health Care Providers

The NIS Directive and Cybersecurity in

HITRUST CSF: One Framework

Cybersecurity Risk Management

THE POWER OF TECH-SAVVY BOARDS:

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER

Principles for a National Space Industry Policy

FDA & Medical Device Cybersecurity

Energy Assurance State Examples and Regional Markets Jeffrey R. Pillon, Director of Energy Assurance National Association of State Energy Officials

THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Information Security Continuous Monitoring (ISCM) Program Evaluation

Views on the Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity Framework Manufacturing Profile

The UNISDR Private Sector Alliance for Disaster Resilient Societies

Security and Privacy Governance Program Guidelines

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Ontario Energy Board Cyber Security Framework

Medical Device Cybersecurity: FDA Perspective

Healthcare Security Success Story

European Union Agency for Network and Information Security

MEJORES PRACTICAS EN CIBERSEGURIDAD

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

Developing a Model for Cyber Security Maturity Assessment

National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015

Smart Grid Standards and Certification

About Issues in Building the National Strategy for Cybersecurity in Vietnam

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Solutions Technology, Inc. (STI) Corporate Capability Brief

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

Transcription:

The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov

National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce NIST s mission is to develop and promote measurement, standards and technology to enhance productivity, facilitate trade, and improve the quality of life. Federal, non-regulatory agency around since 1901 NIST Cybersecurity Cybersecurity since the 1970s Computer Security Resource Center csrc.nist.gov NIST Priority Research Areas Advanced Manufacturing IT and Cybersecurity Healthcare Forensic Science Disaster Resilience Cyber-physical Systems Advanced Communications 2

NIST s Cybersecurity Portfolio Cultivate trust in U.S. information and systems through research, development, and application of cybersecurity and privacy standards, guidelines, tools, and reference resources. Biometrics Software Assurance Domain Name Security Identity Management FISMA Security Automation National Vulnerability Database Configuration Checklists Digital Signatures Risk Management Authentication IPv6 Security Profile Supply Chain NICE Health IT Security Key Management Secure Hash PKI Privacy Engineering Smart Grid Continuous Monitoring Small Business Outreach Mobile Devices Standards Cloud Computing Usability NSTIC Passwords Hardware Security Electronic Voting Wireless Security Awareness Vulnerability Measurement Security Metrics Public Safety Communications NCCoE

Cybersecurity Framework Current Charter Improving Critical Infrastructure Cybersecurity February 12, 2013 It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties December 18, 2014 Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say: on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure Executive Order 13636 Cybersecurity Enhancement Act of 2014 (P.L. 113-274) 4

Cybersecurity Framework Components Aligns industry standards and best practices to the Framework Core in an implementation scenario Supports prioritization and measurement while factoring in business needs Framework Profile Framework Core Cybersecurity activities and informative references, organized around particular outcomes Enables communication of cyber risk across an organization Framework Implementation Tiers Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics 5

Core A Catalog of Cybersecurity Outcomes What processes and assets need protection? What safeguards are available? What techniques can identify incidents? What techniques can contain impacts of incidents? What techniques can restore capabilities? Function Identify Protect Detect Respond Recover Category Asset Management Business Environment Governance Risk Assessment Risk Management Strategy Access Control Awareness and Training Data Security Information Protection Processes & Procedures Maintenance Protective Technology Anomalies and Events Security Continuous Monitoring Detection Processes Response Planning Communications Analysis Mitigation Improvements Recovery Planning Improvements Communications 6

Core Example Cybersecurity Framework Component Function Category Subcategory Informative Reference 7

Profile Customizing Cybersecurity Framework Ways to think about a Profile: A customization of the Core for a given sector, subsector, or organization A fusion of business/mission logic and cybersecurity outcomes Identify Protect Detect Respond Recover An alignment of cybersecurity requirements with operational methodologies A basis for assessment and expressing target state A decision support tool for cybersecurity risk management 8

Profile Foundational Information A Profile Can be Created from Three Types of Information Cybersecurity Requirements Legislation Regulation Internal & External Policy 1 Business Objectives Objective 1 Objective 2 Objective 3 Subcategory 1 2 98 Technical Environment Threats 2 3 Vulnerabilities Operating Methodologies Controls Catalogs Technical Guidance 9

Key Framework Attributes Principles of the Current and Future Versions of Framework Common and accessible language Understandable by many professionals It s adaptable to many sectors and uses Meant to be customized It s risk-based A Catalog of cybersecurity outcomes Does provide how or how much cybersecurity is appropriate It s meant to be paired Take advantage of great pre-existing things It s a living document Enable best practices to become standard practices for everyone Can be updated as technology and threats change Evolves faster than regulation and legislation Can be updated as stakeholders learn from implementation 10

Cybersecurity Framework Use Framework for Improving Critical Infrastructure Cybersecurity 11

Examples of Framework Industry Resources www.nist.gov/cyberframework/industry-resources Italy s National Framework for Cybersecurity American Water Works Association s Process Control System Security Guidance for the Water Sector The Cybersecurity Framework in Action: An Intel Use Case Cybersecurity Risk Management and Best Practices Working Group 4: Final Report Financial Services Sector Specific Cybersecurity Profile 12

Recent NIST Work Products www.nist.gov/cyberframework/industry-resources Manufacturing Profile NIST Discrete Manufacturing Cybersecurity Framework Profile Self-Assessment Criteria Baldrige Cybersecurity Excellence Builder Maritime Profile U.S. Coast Guard Bulk Liquid Transport Profile 13

Proposed U.S. Federal Usage NIST IR 8170 The Cybersecurity Framework: Implementation Guidance for Federal Agencies Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 1. Integrate enterprise and cybersecurity risk management 2. Manage cybersecurity requirements 3. Integrate and align cybersecurity and acquisition processes 4. Evaluate organizational cybersecurity 5. Manage the cybersecurity program 6. Maintain a comprehensive understanding of cybersecurity risk (supports RMF Authorize) 7. Report cybersecurity risks (supports RMF Monitor) 8. Inform the tailoring process (supports RMF Select) 14

Major Themes from Inputs: Draft #2 Draft 2 of Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 Additional major themes addressed by Draft #2: Provides guidance for self-assessment, including use of Framework-based measurement Enhances guidance applying the Framework to manage cybersecurity within supply chains and for acquisition decisions Better accounts for Authorization, Authentication, and Identity Proofing Accounts for emerging vulnerability information (a.k.a., Coordinated Vulnerability Disclosure) Refinement of Implementation Tier criteria Clarity on Implementation Tiers and their relationship to Profiles 15

Resources Where to Learn More and Stay Current Framework for Improving Critical Infrastructure Cybersecurity and related news and information: www.nist.gov/cyberframework Additional cybersecurity resources: http://csrc.nist.gov/ Questions, comments, ideas: cyberframework@nist.gov 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback