Framework for Improving Critical Infrastructure Cybersecurity
January 2016
cyberframework@nist.gov

Improving Critical Infrastructure Cybersecurity

"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
President Barack Obama, Executive Order 13636, 12 February 2013

Cybersecurity Framework Components

• Framework Core: cybersecurity activities and informative references, organized around particular outcomes. Enables communication of cyber risk across an organization.
• Framework Profile: aligns industry standards and best practices to the Framework Core in a particular implementation scenario. Supports prioritization and measurement while factoring in business needs.
• Framework Implementation Tiers: describe how cybersecurity risk is managed by an organization and the degree to which its risk management practices exhibit key characteristics.

Implementation Tiers (Cybersecurity Framework Component)

Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, Tier 4 Adaptive

• Allow for flexibility in implementation and bring in concepts of maturity models
• Reflect how an organization implements the Framework Core functions and manages its risk
• Progressive, ranging from Partial (Tier 1) to Adaptive (Tier 4), with each Tier building on the previous Tier
• Characteristics are defined at the organizational level and are applied to the Framework Core to determine how a category is implemented

Core (Cybersecurity Framework Component)

Functions and their Categories:

Identify (ID): Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM)
Protect (PR): Access Control (PR.AC), Awareness and Training (PR.AT), Data Security (PR.DS), Information Protection Processes and Procedures (PR.IP), Maintenance (PR.MA), Protective Technology (PR.PT)
Detect (DE): Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM), Detection Processes (DE.DP)
Respond (RS): Response Planning (RS.RP), Communications (RS.CO), Analysis (RS.AN), Mitigation (RS.MI), Improvements (RS.IM)
Recover (RC): Recovery Planning (RC.RP), Improvements (RC.IM), Communications (RC.CO)

Subcategories and Informative References, Business Environment (ID.BE). The OCR read the references column one row out of step with the subcategory text; the cells below are re-aligned to the rows they belong to.

(row preceding ID.BE-1; subcategory text not captured on the page)
    COBIT 5 APO01.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11

ID.BE-1  The organization's role in the supply chain is identified and communicated.
    COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12

ID.BE-2  The organization's place in critical infrastructure and its industry sector is identified and communicated.
    COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8

ID.BE-3  Priorities for organizational mission, objectives, and activities are established and communicated.
    COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14

ID.BE-4  Dependencies and critical functions for delivery of critical services are established.
    ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

ID.BE-5  Resilience requirements to support delivery of critical services are established.
    (informative references not captured on the page)

Profile (Cybersecurity Framework Component)

Ways to think about a Profile:
• A customization of the Core for a given sector, subsector, or organization
• A fusion of business/mission logic and cybersecurity outcomes (Identify, Protect, Detect, Respond, Recover)
• An alignment of cybersecurity requirements with operational methodologies
• A basis for assessment and expressing target state
• A decision support tool for cybersecurity risk management

Using Profiles to Communicate Priorities

(Figure: information and decision flows among three organizational levels)
• Executive Level. Focus: organizational risk. Actions: risk decisions and priorities. Sends mission priority, risk appetite, and budget downward; receives changes in current and future risk from below.
• Business/Process Level. Focus: critical infrastructure risk management. Actions: selects Profile, allocates budget. Sends the Framework Profile downward; receives implementation progress and changes in assets, vulnerability, and threat from below.
• Implementation/Operations Level. Focus: securing critical infrastructure. Actions: implements Profile.

Building a Profile

A Profile can be created in three steps, each contributing an input that is mapped onto the Core's Subcategories (1, 2, 3, … 98):
1. Cybersecurity Requirements: legislation, regulation, internal and external policy, best practice
2. Mission Priority: Objective 1 (A), Objective 2 (B), Objective 3 (C)
3. Operating Methodologies: guidance and methodology on implementing, managing, and monitoring

Resource and Budget Decisioning

What can you do with a CSF Profile? The Profile becomes a planning table (the As-Is and To-Be tier cells were not captured by the OCR):

Subcategory  As-Is  To-Be Year 1  To-Be Year 2  Priority   Gaps    Activities (Year 1 / Year 2)
1                                               moderate   small   X
2                                               high       large   X
3                                               moderate   medium  X
…
98                                              moderate   none    reassess

… and it supports on-going operational decisions too.

Examples of Industry Resources

• The Cybersecurity Framework in Action: An Intel Use Case
• Cybersecurity Guidance for Small Firms
• Energy Sector Cybersecurity Framework Implementation Guidance
• Cybersecurity Risk Management and Best Practices Working Group 4: Final Report

Examples of State and Local Use

Texas Department of Information Resources
• Aligned Agency Security Plans with the Framework
• Aligned Product and Service Vendor Requirements with the Framework

North Dakota Information Technology Department
• Allocated Roles and Responsibilities using the Framework
• Adopted the Framework into their Security Operation Strategy

Houston, Greater Houston Partnership
• Integrated the Framework into their Cybersecurity Guide
• Offer an on-line Framework self-assessment

National Association of State CIOs
• 2 out of 3 CIOs from the 2015 NASCIO Awards cited the Framework as a part of their award-winning strategy

New Jersey
• Developed a cybersecurity framework that aligns controls and procedures with the Framework

Framework Roadmap Items

• Authentication
• Automated Indicator Sharing
• Conformity Assessment
• Cybersecurity Workforce
• Data Analytics
• Federal Agency Cybersecurity Alignment
• International Aspects, Impacts, and Alignment
• Supply Chain Risk Management
• Technical Privacy Standards

Ways CSF Can Support RMF: Draft Use Cases

• Use case 1: Supporting SP 800-39 Frame activities with CSF Categories
• Use case 2: Supporting the RMF Categorize step with CSF Business Environment materials
• Use case 3: Supporting the RMF Select step with a CSF Profile
• Use case 4: Supporting RMF Assess and SP 800-30 Assess with a CSF Profile
• Use case 5: Assessing the state of FISMA-based risk management practices

Supporting the RMF Categorize Step (Use Case #2 for FISMA-Cybersecurity Framework Combined Use)

(Figure: the RMF cycle with its supporting documents) Categorize: FIPS 199, SP 800-60. Select: FIPS 200, SP 800-53. Implement: many SPs. Assess: SP 800-53A. Authorize: SP 800-37. Monitor: SP 800-137, SP 800-53A.

Profile: a sector, subsector, or organization's customization of the Core for their purposes. Aligns and identifies conflicts in organizational inputs, and prioritizes cyber objectives commensurate with mission objectives.

Category Business Environment (ID.BE): the organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Tailoring SP 800-53 Security Controls (Use Case #3 for Risk Management Framework)

Cybersecurity Framework: CSF Core, customized into a CSF Profile.

Industry Dialog

• Will it soon be time for a Framework update?
• What governance models do you believe will work for future Framework maintenance and evolution?

If you have an opinion on these questions and more, consider responding to our Request for Information: https://www.federalregister.gov/articles/2015/12/11/2015-31217/views-on-the-framework-for-improving-critical-infrastructure-cybersecurity
Responses due by 9 February at 5 PM ET.

Resources: Where to Learn More and Stay Current

• The National Institute of Standards and Technology web site is available at http://www.nist.gov
• NIST Computer Security Division, Computer Security Resource Center, is available at http://csrc.nist.gov
• The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework
• For additional Framework info and help: cyberframework@nist.gov
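The "Resource and Budget Decisioning" table above is the point where a Profile turns into a work plan: each Subcategory has an As-Is tier, To-Be tiers for year 1 and year 2, a priority, a gap, and the year in which activity is scheduled. The following Python is an added example (not NIST tooling and not part of the slides) that computes those columns from constructed sample rows. It assumes the four Implementation Tiers can be used as a 1-4 scale per Subcategory, assumes a high/moderate/low priority scale, and maps tier differences onto the page's gap words (none, small, medium, large); the Subcategory rows and their values are made up.

```python
"""
Added example (not NIST's or the Framework's own tooling): a Profile gap
analysis shaped like the "Resource and Budget Decisioning" table
(Subcategory, As-Is, To-Be Year 1, To-Be Year 2, Priority, Gaps, Activities).
Tiers are the four Implementation Tiers on a 1-4 scale (an assumption here):
1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive. The rows in
SAMPLE_PROFILE are constructed sample data, not any organization's Profile.
"""
from dataclasses import dataclass

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
PRIORITY_RANK = {"high": 3, "moderate": 2, "low": 1}  # assumed priority scale
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class ProfileRow:
    subcategory: str  # Core subcategory identifier, e.g. "ID.BE-1"
    as_is: int        # tier the subcategory is at today
    to_be_y1: int     # target tier at the end of year 1
    to_be_y2: int     # target tier at the end of year 2
    priority: str     # "high", "moderate" or "low"


def validate(row: ProfileRow) -> None:
    """Reject rows a planner could not act on: tiers outside 1-4, targets that
    fall below the current state, unknown priorities, or identifiers that do
    not start with one of the five Functions."""
    for tier in (row.as_is, row.to_be_y1, row.to_be_y2):
        if tier not in TIERS:
            raise ValueError(f"{row.subcategory}: tier {tier} is not 1-4")
    if not (row.as_is <= row.to_be_y1 <= row.to_be_y2):
        raise ValueError(f"{row.subcategory}: targets must not fall below As-Is")
    if row.priority not in PRIORITY_RANK:
        raise ValueError(f"{row.subcategory}: unknown priority {row.priority!r}")
    if row.subcategory[:2] not in FUNCTIONS or row.subcategory[2:3] != ".":
        raise ValueError(f"{row.subcategory}: not a Core subcategory identifier")


def gap_label(delta: int) -> str:
    """Map a tier difference onto the page's gap words."""
    if delta <= 0:
        return "none"
    return {1: "small", 2: "medium"}.get(delta, "large")


def analyze(row: ProfileRow) -> dict:
    """One table row: gap to the year-2 target and which years need activity."""
    validate(row)
    year1 = row.to_be_y1 > row.as_is
    year2 = row.to_be_y2 > row.to_be_y1
    return {
        "subcategory": row.subcategory,
        "function": FUNCTIONS[row.subcategory[:2]],
        "priority": row.priority,
        "gap": gap_label(row.to_be_y2 - row.as_is),
        "year1": "X" if year1 else "",
        "year2": "X" if year2 else "",
        # a closed gap is not "done": the table's row 98 says "reassess"
        "activity": "close gap" if (year1 or year2) else "reassess",
    }


def prioritize(rows) -> list:
    """Open gaps in the order budget should reach them: priority first, then
    gap size, then identifier so the ordering is stable."""
    for row in rows:
        validate(row)
    open_rows = [r for r in rows if r.to_be_y2 > r.as_is]
    open_rows.sort(key=lambda r: (-PRIORITY_RANK[r.priority],
                                  -(r.to_be_y2 - r.as_is), r.subcategory))
    return [r.subcategory for r in open_rows]


def rollup_by_function(rows) -> dict:
    """Count open gaps per Function, listing Functions with none as 0."""
    counts = {name: 0 for name in FUNCTIONS.values()}
    for row in rows:
        validate(row)
        if row.to_be_y2 > row.as_is:
            counts[FUNCTIONS[row.subcategory[:2]]] += 1
    return counts


# Constructed sample Profile: four of the 98 Subcategories.
SAMPLE_PROFILE = [
    ProfileRow("ID.BE-1", 2, 3, 3, "moderate"),  # small gap, year-1 work
    ProfileRow("PR.AC-1", 1, 2, 4, "high"),      # large gap, work in both years
    ProfileRow("DE.CM-1", 2, 2, 4, "moderate"),  # medium gap, deferred to year 2
    ProfileRow("RC.RP-1", 3, 3, 3, "moderate"),  # no gap: reassess
]

if __name__ == "__main__":
    for row in SAMPLE_PROFILE:
        a = analyze(row)
        print(f"{a['subcategory']:8} {TIERS[row.as_is]:14} -> "
              f"{TIERS[row.to_be_y2]:14} {a['priority']:9} {a['gap']:7} "
              f"Y1:{a['year1'] or '-'} Y2:{a['year2'] or '-'} {a['activity']}")
    print("Order of work:", prioritize(SAMPLE_PROFILE))
    print("Open gaps per Function:", rollup_by_function(SAMPLE_PROFILE))
```

The ordering key is the part worth adapting: the sample ranks by priority before gap size, so a high-priority small gap is funded before a moderate-priority large one, which matches the way the slide's "Priority" column sits ahead of "Gaps". The validation step rejects a To-Be tier below As-Is rather than silently reporting "none", since such a row usually means a data-entry error in the Profile rather than a decision to regress.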