Cybersecurity Framework Development Overview

Cybersecurity FrameworkDevelopment OverviewNIST’s Role in Implementing Executive Order 13636“Improving Critical Infrastructure Cybersecurity”

Executive Order 13636: Improving Critical InfrastructureCybersecurity - February 12, 2013“The cyber threat to critical infrastructure continues to grow andrepresents one of the most serious national security challenges wemust confront.”“It is the policy of the United States to enhance the security andresilience of the Nation’s critical infrastructure and to maintain acyber environment that encourages efficiency, innovation, andeconomic prosperity while promoting safety, security, businessconfidentiality, privacy, and civil liberties”2

Executive Order 13636 Introduces efforts focused on:o Sharing of cybersecurity threat informationo Building a set of current, successful approaches—a framework—for reducing risks to critical infrastructure The National Institute of Standards and Technology (NIST) istasked with leading the development of a “CybersecurityFramework” – a set of standards, methodologies, procedures, andprocesses that align policy, business, and technologicalapproaches to address cyber risks.3

The FrameworkTo Structure the Framework to Meet The Requirements of the ExecutiveOrder, it must: include a set of standards, methodologies, procedures, and processesthat align policy, business, and technological approaches to addresscyber risks. provide a prioritized, flexible, repeatable, performance-based, andcost-effective approach, including information security measures andcontrols, to help owners and operators of critical infrastructure identify,assess, and manage cyber risk. identify areas for improvement that should be addressed throughfuture collaboration with particular sectors and standards-developingorganizations to enable technical innovation and account fororganizational differences, including guidance for measuring theperformance of an entity in implementing the CybersecurityFramework.

How Is the Framework being developed?Engage theFrameworkStakeholdersNIST Issues RFI – February 26, 20131st Framework Workshop – April 03, 2013Collect,Categorize, andPost RFIResponsesCompleted – April 08, 2013Analyze RFIResponsesOngoing Engagement:Open public commentand review isencouraged andpromoted throughoutthe processIdentify Common Practices/Themes – May 15, 20132nd Framework Workshop at CMU – May 29-31, 2013IdentifyFrameworkElementsDraft Outline of Preliminary Framework – June 20133rd Framework Workshop at UCSD – July 10-12, 2013Prepare andPublishPreliminaryFramework4th Framework Workshop – September 2013Publish Preliminary Framework – October 20135

The NIST Framework ProcessAnalyze RFIResponsesGrouping of the RFI comments helped to: Identify repositories, content, and key points Identify gaps (e.g., lack of standards or input related to a topic)Risk ManagementChallengesPrivacy and CivilLibertiesRecommendedStandardsPotential Common Practices, Methods, and MeasuresIndustry BestPracticesSuggested MetricsInitial Gaps6

Cybersecurity Framework Principles, Common Themes,and Initial GapsFRAMEWORKPRINCIPLES Flexibility Impact on GlobalOperations Risk ManagementApproaches Leverage ExistingApproaches,Standards, and BestPracticesCOMMON THEMES Senior ManagementEngagement Understanding ThreatEnvironment Business Risk / RiskAssessment Separation of Businessand Operational Systems Models / Levels ofMaturity Incident Response Cybersecurity WorkforceINITIAL GAPS MetricsPrivacy / Civil LibertiesToolsDependenciesIndustry Best PracticesResiliencyCritical InfrastructureCybersecurityNomenclature7

The NIST Framework ProcessBased on the responses to the RFI, conclusions from the workshops,and NIST analysis, the Preliminary Framework outline is designed toincorporate: Effective existing practices to inform an organization’s risk managementdecisions A modular and flexible approach that supports business needs fororganizations of different sizes and levels of maturity Organizational risk management processes that Engage senior leadership in cybersecurity and Integrate threat and vulnerability information with an understanding ofpotential impact to business needs A means for organizations to express the maturity of their cybersecurityrisk management practices The expression of workforce awareness and training requirements The management of various types of dependencies8

Draft Outline of Preliminary FrameworkIdentifyFrameworkElementsThe draft outline of the Preliminary Framework includes thefollowing: Executive Overview and SummaryHow To Use The FrameworkFramework’s Risk Management Approach Functions, Categories, Subcategories, and Informative References Implementation Levels; Overarching Characteristics by both Role and Function,Categories, and Subcategories Compendium of Informative References (Standards, Guidelines, Practices)Glossary9

What do we expect to accomplish at this workshop?This workshop is focused on: Discussing and refining the draft Outline Generating content for the Preliminary Framework Specific topics that inform the Preliminary Framework10

The Draft Preliminary Framework Provides an Executive Overview for senior leadership Describes the Framework Development Process Discusses and describes how to use the Framework Describes the Framework’s Risk Management Approach Provides illustrative Framework examples Defines Terms and Acronyms

The Cybersecurity Framework Elements FunctionsCategoriesSubcategoriesCompendium of Informative ReferencesFramework Implementation LevelsRoles

The Framework e(s)Function Category FIL1FIL2FIL3FIL 1 CharsFIL 2 CharsFIL 3 CharsSenior ExecutiveFIL 1 CharsFIL 2 CharsFIL 3 CharsBusiness ProcessManagerOperationsManagerSubcat 1Ref 1Ref FIL 1 CharsFIL 2 CharsFIL 3 CharsSubcat 2Ref 1Ref FIL 1 CharsFIL 2CharsFIL 3 CharsSubcat Ref 1Ref FIL 1 CharsFIL 2 CharsFIL 3 CharsRole13

FunctionsKnow – Gaining the institutional understanding to identify what systems needto be protected, assess priority in light of organizational mission, andmanage processes to achieve cost effective risk management goalsPrevent – Categories of management, technical, and operational activities thatenable the organization to decide on the appropriate outcome-basedactions to ensure adequate protection against threats to business systemsthat support critical infrastructure components.Detect – Activities that identify (through ongoing monitoring or other means ofobservation) the presence of undesirable cyber risk events, and theprocesses to assess the potential impact of those events.Respond – Specific risk management decisions and activities enacted basedupon previously implemented planning (from the Prevent function) relativeto estimated impact.Recover – Categories of management, technical, and operational activities thatrestore services that have previously been impaired through an undesirablecybersecurity risk event.

Categories, Subcategories, and Informative References Categories Logical subdivision of a function; one or more categories comprise afunction. Examples may include “Know the enterprise assets and systems”,“Implement access control”, “Implement risk monitoring &detection”, “Perform incident response”, and “Perform systemrecovery”. Subcategories Logical subdivision of a category; one or more subcategoriescomprise a category. Examples may include “Inventory hardware assets”, “Restrict andprotect remote access”, and “Perform incident handling activities asdescribed in the incident handling plan”. Informative References Existing cybersecurity-related standards, guidelines, and practices.

The Compendium of Informative References A listing of submitted Informative References (e.g., standards,guidelines, and best practices) Issuing fic or GeneralSector(s) Referenced in RFIs / Cross Sector ApplicationRFI Sources Informative and illustrative resource Not an endorsement of any included

Roles and Framework Implementation Levels (FIL)FunctionFunction CategorySubCategoryInformativeReference(s)Category FIL1FIL2FIL3FIL 1 CharsFIL 2 CharsFIL 3 CharsSenior ExecutiveFIL 1 CharsFIL 2 CharsFIL 3 CharsBusiness ProcessManagerOperationsManagerSubcat 1Ref 1Ref FIL 1 CharsFIL 2 CharsFIL 3 CharsSubcat 2Ref 1Ref FIL 1 CharsFIL 2CharsFIL 3 CharsSubcat Ref 1Ref FIL 1 CharsFIL 2 CharsFIL 3 CharsRole17

Framework Implementation Levels (FILs) Express, by role, the characteristics of the level of maturity of anorganization for each function, category, and subcategory Reflect the organizational cybersecurity maturity by implementingthe Framework Allow the organization to assess their cybersecurity risk andreadiness Provide an indicator and measure of an organization’s performancethat can be assessed in terms of managing risk Guidance for measuring the performance of an entity inimplementing the Cybersecurity Framework18

Framework Implementation Level – Senior ExecutiveFunctionKNOWFIL1FIL2FIL3I understand theorganizationalcomponents that needto be protected. I haveprovided resources tosupport corporateknowledge of riskmanagementcomponents such asvulnerabilities, threats,and risk assessment.I understand theorganizationalcomponents thatneed to be protected,their value, theirthreats, the impact ofcyber risk events, andthe likelihood ofthose events.I understand theorganizationalcomponents that needto be protected andthe true impact ofcybersecurity eventson them. I haveintegratedcybersecurity riskmanagement into theenterprise riskmanagement model.RoleSenior Executive19

Framework Implementation Level – Business entI understand theimportance ofasset managementand assumeresponsibility cies andprocedures are inplace.FIL3I understand howdifferent groups of assetsimpact the variousbusiness objectives.I ensure that resourcesare available for allaspects of the assetmanagement lifecycle.RoleBusinessProcessManager20

Framework Implementation Level – Operations ManagerFunctionKNOWCategoryAsset ardware/SoftwareInventoryISO/IEC27001An ad hocassettrackingprocess isin placeA formalassettrackingprocess isin placewithdefinedperiodicrevalidation of assetsAutomatedassettrackingexists pingISO/IEC27002FIL 1 CharsFIL 2 CharsFIL 3 CharsRoleOperationsManager21

Q&A

1st Framework Workshop – April 03, 2013 Completed – April 08, 2013 . Identify Common Practices/Themes – May 15, 2013 . 2nd Framework Workshop at CMU – May 29-31, 2013 . Draft Outline of Preliminary Framework – June 2013 3. rd. Framework Workshop at UCSD – July 10-12, 2013 4. th. Framework Workshop – September 2013