Cybersecurity Risk Management Guide for Voluntary Use of the NIST Cybersecurity Framework

Similar documents
2014 Communications Sector Year in Review Cybersecurity Risk Management Framework. Sector Year in Review

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Overview of the Cybersecurity Framework

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Legal and Regulatory Developments for Privacy and Security

HPH SCC CYBERSECURITY WORKING GROUP

Cyber and Supply Chain Policy Issues

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

The NIST Cybersecurity Framework

Updates to the NIST Cybersecurity Framework

The Impact of US Cybersecurity Policies on Submarine Cable Systems

National Strategy for CBRNE Standards

ISAO SO Product Outline

DHS Cybersecurity: Services for State and Local Officials. February 2017

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Implementing Executive Order and Presidential Policy Directive 21

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Framework for Improving Critical Infrastructure Cybersecurity

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

Department of Homeland Security Updates

Cybersecurity Risk Management:

The Office of Infrastructure Protection

Mapping to the National Broadband Plan

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Using the NIST Framework for Metrics 5/14/2015

Critical Infrastructure Partnership

Views on the Framework for Improving Critical Infrastructure Cybersecurity

The Africa Utilities Telecom Council Johannesburg CC, South Africa 1 st December, 2015

Information Collection Request: The Department of Homeland. Security, Stakeholder Engagement and Cyber Infrastructure

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

Government-Industry Collaboration: 7 Steps for Resiliency in Critical Infrastructure Protection

1200 G Street, NW P: Suite 500 F: Washington, DC W:

The Policy Forum at AT&T

The President s Spectrum Policy Initiative

NERC Staff Organization Chart Budget 2019

BEFORE THE FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, D.C ) ) ) ) ) ) )

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

Before the DEPARTMENT OF COMMERCE NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION Washington, DC 20230

ISO Energy Management System Standard

FDA & Medical Device Cybersecurity

TRANSFORMING HEALTHCARE. & Facing Challenges Together in 2017

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

Principles for a National Space Industry Policy

Cyber Security & Homeland Security:

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

The Center of Innovation: Creating an Innovation

ARRA State & Local Energy Assurance Planning & Implementation

New Partners Join Charter of Trust to Protect Critical Infrastructure

The Office of Infrastructure Protection

Cybersecurity & Privacy Enhancements

Regional Cyber security Forum for Africa and Arab States, Tunis, Tunisia 4 th -5 th June 2009

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

Critical Infrastructure Protection Version 5

NERC Staff Organization Chart Budget 2019

JOINT MEDIA STATEMENT

Resolution adopted by the General Assembly. [on the report of the Second Committee (A/64/417)]

The J100 RAMCAP Method

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

U.S. Japan Internet Economy Industry Forum Joint Statement October 2013 Keidanren The American Chamber of Commerce in Japan

Forum. Ningbo, China 25 February

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

RICK RAMPOLLA WHO WE ARE. ITDM Security Operations, Publix Super Markets Inc.

Caribbean Private Sector Network meeting 24 August 2017, Ministry of Trade, Port-of-Spain, Trinidad and Tobago

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C

Quadrennial Homeland Security Review (QHSR) Ensuring Resilience to Disasters

Status Spring Irge Olga Aujouannet Director, Global Policy Affairs

UAE National Space Policy Agenda Item 11; LSC April By: Space Policy and Regulations Directory

Department of Defense. Installation Energy Resilience

Jeff Marron, IT Specialist Security National Institute of Standards and Technology (NIST)

Effective Partnerships: Security and Privacy in Smart Cities

Cybersecurity and the Board of Directors

Cybersecurity in Asia-Pacific State of play, key issues for trade and e-commerce

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Opportunities for collaboration in Big Data between US and EU

Pennsylvania s HIE Journey

Recommendations for Small and Medium Enterprises. Event Date Location

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Electricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013

5G Security. Jason Boswell. Drew Morin. Chris White. Head of Security, IT, and Cloud Ericsson North America

Our Comments. February 12, VIA

National Policy and Guiding Principles

A Strategy for a secure Information Society Dialogue, Partnership and empowerment

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER

Promoting accountability and transparency of multistakeholder partnerships for the implementation of the 2030 Agenda

Cyber Security Issues and Responses. Andrew Rogoyski Head of Cyber Security Services CGI UK

APEC Sectoral Ministerial Meetings 1997

The Role of Standards in Ensuring Toy Safety

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security

ANSI Homeland Security Standards Panel (ANSI-HSSP) Open Forum for Standards Developers

Medical Device Cybersecurity: FDA Perspective

How UAE is Driving Smart Sustainable Cities: key Achievements and Future Considerations

CASE STUDY Institution Building in Malaysia Establishing the National SDG Council

Federal Information Sharing Resources for Small and Midsize Businesses

Critical Infrastructure Mission Implementation by State, Local, Tribal, and Territorial Agencies and Public-Private Partnerships.

National Cyber Security Strategy - Qatar. Michael Lewis, Deputy Director

Resolution adopted by the General Assembly on 14 December [without reference to a Main Committee (A/61/L.44 and Add.1)]

Apr. 10, Vulnerability disclosure and handling processes strengthen security programs

Transcription:

Cybersecurity Risk Management Guide for Voluntary Use of the NIST Cybersecurity Framework Joint Meeting Committee on Critical Infrastructure and Telecommunications July 13, 2015 New York City Robert H. Mayer VP Industry and State Affairs United States Telecommunications Association 1

National Policy Guidance It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards. White House Executive Order 13636 February 2013 We cannot hope to keep up if we adopt a prescriptive regulatory approach. We must harness the dynamism and innovation of competitive markets to fulfill our policy and develop solutions. We are therefore challenging private sector stakeholders to create a new regulatory paradigm of business-driven cybersecurity risk management. FCC Chairman Tom Wheeler American Enterprise Institute June 12, 2014 2

Risk Management Roadmap Executive Order 13636 February 2013 CSRIC Cybersecurity Best Practices - March 2015 Enterprise-Level Cybersecurity Risk Management NIST Cybersecurity Framework 1.0 February 2014 Critical Infrastructure Cyber Community C³ Voluntary Program 3

Project Leadership WG4 Leadership Team Co-Chairs: Robert Mayer, USTelecom and Brian Allen, Time Warner Cable Segment Leads Broadcast, Kelly Williams, NAB Cable, Matt Tooley, NCTA Wireless, John Marinho, CTIA Wireline, Chris Boyer, AT&T Satellite, Donna Bethea Murphy, Iridium Feeder Group Initiatives Requirements and Barriers to Implementation, Co-Leads, Harold Salters T-Mobile, Larry Clinton, Internet Security Alliance Mids/Smalls Co-Leads, Susan Joseph, Cable Labs, Jesse Ward, NTCA Top Cyber Threats and Vectors - Russell Eubanks, Cox, Joe Viens, TWCable Ecosystem Shared Responsibilities, Co- Leads, Tom Soroka, USTelecom, Brian Scarpelli, TIA Measurement, Co-Leads, Chris Boyer, AT&T, Chris Rosenraad, TimeWarnerCable Advisors Donna Dodson, WG4 Senior Technical Advisor, NIST, Deputy Chief Cybersecurity Advisor & Division Chief for Computer Security Division Lisa Carnahan, NIST, Computer Scientist Emily Talaga, WG4 Senior Economic Advisor, FCC Tony Sager, Center for Internet Security Engineering and Operational Review Co-Leads - Tom Soroka, USTelecom and John Marinho, CTIA Segment Leads Support Drafting Team Co-Leads Stacy Hartman and Paul Diamond, CenturyLink, Robert Thornberry, Alcatel/Lucent 4

Project Structure 5

Project Structure and Analytics 6

Project Structure and Analytics (Continued) Measurement Input Form: Problem to be Solved With Defined Requester Need for Metric Solution Identified Iterate with Board of Review Feedback Cyber Governance Group Standing Review Group (e.g. Communications Sector Coordinating Council (CSCC), Cyber Committee Iterate with Board of Review Feedback Measurement of Success Managed Process Major ISPs) Voluntary Metric Industry Standard for Framework Voluntary Metric Document (Non-Recurring (Recurring Agreement) Document) What Makes a Purpose of Good Metric? requested Metric? Well Established? Metric Int l as Well as Application? Domestic Aggregate data? Application? ISP s already Defined by Outside Collecting? Experts? How reported? Help Requester ISP Comparative Where and How to Data Envisioned? get Quality Data. Etc. Etc. Assigned to Appropriate Industry Standards Advisory Group(s) Body or ATIS Industry CSRIC Standards Body Working Group Group M3AAWG Returns Formal Standards Etc. Position, with Body or metric Industry definition, to the Group Metrics Board of Review Pilot Program Example Definition Case Study Data Filed with Industry Group under NDA Anomomized Standards Body Technology Agnostic Provides Structure for Case Study or Metric Option Pilot Program 1) 2) 3) 4) 7

Three Macro-Level Assurances As evidence of the Communication s Sector s commitment to enhance cybersecurity risk management capabilities across the sector and the broader ecosystem, and to promote the use of the NIST CSF, WG4 recommended the following three new voluntary mechanisms to provide the appropriate macro-level assurances. I. FCC initiated confidential company-specific meetings, or similar communication formats to convey their risk management practices. The meetings would be covered by protections afforded under the Protected Critical Infrastructure Information (PCII) administered by the Department of Homeland Security (DHS) or a legally sustainable equivalent ; II. III. A new component of the Communications Sector Annual Report that focuses on segment-specific cybersecurity risk management, highlighting efforts to manage cybersecurity risks to the core critical infrastructure; and Active and dedicated participation in DHS Critical Infrastructure Cyber Community C 3 Voluntary Program, to help industry increase cybersecurity risk management awareness and use of the Framework. 8

Next Steps Execute voluntary mechanisms designed to give the FCC and the public assurance that communications providers are taking the necessary steps to manage cybersecurity risk. Participate in framework outreach and education efforts through DHS C-Cubed Program and trade association initiatives. CSCC organizing sector Framework Implementation Initiative to provide practical guidance and tools on use of the Framework or alternative risk management construct and to share best practices and lessons learned. Continue dialogue with federal and state government partners and regulators to promote risk management initiatives that foster collaboration and avoid duplication of efforts. 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback