NIST Cybersecurity Framework. ARC World Industry Forum 2014

Transcription

1 NIST Cybersecurity Framework Vicky Yan Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL

2 Executive Order Improving Critical Infrastructure Cybersecurity It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties NIST is directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure This Cybersecurity Framework is being developed in an open manner with input from stakeholders in industry, academia, and government, including a public review and comment process, workshops, and other means of engagement. 2

3 The Cybersecurity Framework For the Cybersecurity Framework to meet the requirements of the Executive Order, it must: include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. provide a prioritized, flexible, repeatable, performancebased, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations able technical innovation and account for organizational differences include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework. 3

4 The Cybersecurity Framework 3 main elements of the Framework that reinforces the connection between business drivers and cybersecurity activities: Framework Core Framework Implementation Tiers Framework Profile 4

5 The Framework Core 5

6 Framework Implementation Tiers Provide context on how an organization views cybersecurity risk and the processes in place to manage that risk Tiers range from Partial to Adaptive, describing an increasing degree of rigor and sophistication in: cybersecurity risk management practices the extent to which cybersecurity risk management is informed by business needs and integrated into overall risk management practices 6

7 The Framework Profile Alignment of Functions, Categories, and Subcategories with business requirements, risk tolerance, and resources of the organization Enables organizations to establish a roadmap for reducing cybersecurity risk that: Is aligned with organizational and sector goals considers legal/regulatory requirements considers industry best practices reflects risk management priorities 7

8 How to Use the Framework Basic Review of Cybersecurity Practices Establishing or Improving a Cybersecurity Program Communicating Cybersecurity Requirements with Stakeholders Identifying Opportunities for New or Revised Informative References Methodology to Protect Privacy and Civil Liberties 8

9 Cybersecurity Framework Adoption An organization adopts the framework when it uses the Cybersecurity Framework as a key part of its systematic process for identifying, assessing, prioritizing, and/or communicating: cybersecurity risks, current approaches and efforts to address those risks, and steps needed to reduce cybersecurity risks as part of its management of the organization s broader risks and priorities 9

10 Voluntary Program for Critical Infrastructure Cybersecurity Enhancement The Department of Homeland Security (DHS) is leading the development of a Voluntary Program for Critical Infrastructure Cybersecurity Enhancement. The Voluntary Program will: Be the coordination point within the federal government for critical infrastructure owners and operators interested in improving their cyber risk management processes. Coordinate additional CSF outreach activities through partnership with Sector Specific Agencies, Sector Coordinating Councils, and other industry partners Voluntary Program Goals: 1. Support industry in increasing cyber resilience 2. Increase awareness and use of the CSF in support of the first goal For more information about the DHS Voluntary Program, please contact: DHSVoluntaryProgram@hq.dhs.gov 10

11 Next Steps The Cybersecurity Framework will be announced in the Federal Register and posted on the NIST Cybersecurity Framework site on February 13, 2014 NIST will also release a DRAFT roadmap that identifies next steps and areas for further development and harmonization Additional workshop to be held in 2014 to review stakeholder experience with Version 1.0, progress with implementing the roadmap, and questions around longterm governance For additional questions and questions please contact us at: cyberframework@nist.gov 11