Critical Infrastructure Cybersecurity Framework: Overview and Status
Executive Order 13636, Improving Critical Infrastructure Cybersecurity
Executive Order: Improving Critical Infrastructure Cybersecurity
"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
President Barack Obama, Executive Order 13636, Feb. 12, 2013
- The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure
- Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work
Based on the Executive Order, the Cybersecurity Framework Must...
- Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks
- Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk
- Identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations
Developing the Cybersecurity Framework through Ongoing Engagement
- The framework was developed in an open, transparent manner with heavy input from stakeholders in industry, academia, and government, both domestic and international
- Organizations across the economy, large and small, in many sectors, and in industry, academia, and government, were consulted and involved from the beginning
- NIST continues to welcome comments on the framework, especially from those gaining experience using it
The Cybersecurity Framework
- Provides a structure organizations can use to create, guide, assess, or improve comprehensive cybersecurity programs based on risks
- Offers a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses
- Allows organizations, regardless of size, degree of cyber risk, or cybersecurity sophistication, to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure
- Helps companies prove to themselves and their stakeholders that good cybersecurity is good business
- Builds on global and other standards, guidelines, and best practices
- Provides a means of expressing cybersecurity requirements to business partners and customers
- Assists organizations in incorporating privacy and civil liberties as part of a comprehensive cybersecurity program
The Cybersecurity Framework Is for Organizations
- Of any size, in any sector of the critical infrastructure
- That already have a mature cyber risk management and cybersecurity program
- That don't yet have a cyber risk management or cybersecurity program
- Such as industry groups and associations, whose mission is helping their members keep up to date on managing risk and facing business or societal threats
Development of the Framework: Timeline
Engage Stakeholders
- EO 13636 Issued: February 12, 2013
- Request For Information Issued: February 26, 2013
- 1st Framework Workshop: April 3, 2013
- Collect, Categorize, and Post RFI Responses, Completed: April 8, 2013
- Analyze RFI Responses, Common Practices/Themes Identified: May 15, 2013
- 2nd Framework Workshop, CMU: May 29-31, 2013
Identify Framework Elements
- Draft Outline of Preliminary Framework: July 1, 2013
- 3rd Framework Workshop, UCSD: July 10-12, 2013
Prepare and Publish Preliminary Framework
- 4th Framework Workshop, UT Dallas: September 11-13, 2013
Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process
Development of the Framework: Timeline (Cont.)
Prepare and Publish Preliminary Framework
- Preliminary Framework Published: October 29, 2013
- 45-day Public Comment Period Began
- Additional Ongoing Public Engagement
Public Comment Period
- 5th Framework Workshop, NCSU: November 14-15, 2013
- Public Comment Period Closed: December 13, 2013
Cybersecurity Framework Version 1.0
- Completed Comment Resolution: January 2014
- Published Cybersecurity Framework V1.0: February 12, 2014
Framework's Future: Improvements and Governance
- Published Roadmap for the Future: February 12, 2014
- Workshops, Framework Updates and Improvements: 2014 and Beyond
Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process
Framework Components
Framework Core
- Cybersecurity activities and informative references common across critical infrastructure sectors, organized around particular outcomes
- Enables communication of cyber risk across an organization
Framework Profile
- Aligns industry standards and best practices to the Framework Core in a particular implementation scenario
- Supports prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation
Framework Implementation Tiers
- Describe how cybersecurity risk is managed by an organization
- Describe the degree to which an organization's cybersecurity risk management practices exhibit the key characteristics (e.g., risk and threat aware, repeatable, and adaptive)
Framework Core
[Figure: The Framework Core, sample]
How to Use the Cybersecurity Framework
The Framework is designed to complement existing business and cybersecurity operations, and can be used to:
- Understand security status
- Establish or improve a cybersecurity program
- Communicate cybersecurity requirements with stakeholders, including partners and suppliers
- Identify opportunities for new or revised informative references
- Identify tools and technologies to help organizations use the Framework
- Integrate privacy and civil liberties considerations into a cybersecurity program
What's Next: Using the Cybersecurity Framework
- Organizations, led by their senior executives, should use the framework now and provide feedback to NIST
- Industry groups, associations, and non-profits can play key roles in assisting their members to understand and use the framework by:
  - Building or mapping their sector's specific standards, guidelines, and best practices to the framework
  - Developing and sharing examples of how organizations are using the framework
- NIST is committed to helping organizations understand and use the framework
- NIST is expanding its outreach and will work with the Department of Homeland Security on its C³ Voluntary Program (http://www.dhs.gov/about-critical-infrastructure-cybercommunity-c³-voluntary-program)
What's Next: Areas for Development, Alignment, and Collaboration
The Executive Order calls for the framework to identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. High-priority areas for development, alignment, and collaboration were identified based on stakeholder input:
- Authentication
- Automated Indicator Sharing
- Conformity Assessment
- Cybersecurity Workforce
- Data Analytics
- Federal Agency Cybersecurity Alignment
- International Aspects, Impacts, and Alignment
- Supply Chain Risk Management
- Technical Privacy Standards
What's Next: Roadmap for the Framework
- NIST will work with stakeholders to further understand these areas for development, alignment, and collaboration, and to develop or identify new or revised standards
- For specifics, see the companion Roadmap to the framework, also issued Feb. 12, 2014: http://nist.gov/cyberframework/upload/roadmap-021214.pdf
  - Areas for development, alignment, and collaboration are covered in greater detail
  - Strengthening private sector involvement in long-term governance of the framework is also discussed
Get (or Stay) Involved
- Use the Cybersecurity Framework: begin using the framework and see how well it can work for different sizes and types of organizations
- Share your experiences to help others and make the Cybersecurity Framework better: tell NIST how using the framework worked or didn't work for your organization. Feedback is essential to improving the framework
- Continue to engage and stay tuned: the framework is a living document. Your experience and knowledge will make it even more useful in protecting your organization and the nation's critical infrastructure
Where to Learn More and Stay Current
The Framework for Improving Critical Infrastructure Cybersecurity, the Roadmap, and related news and information are available at: http://www.nist.gov/cyberframework
Recapping Key Points about the Framework
- It's a framework, not a prescription. It provides a common language and systematic methodology for managing cyber risk. It does not tell a company how much cyber risk is tolerable, nor does it claim to provide the one and only formula for cybersecurity
- Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone
- The framework is a living document. It is intended to be updated over time as stakeholders learn from implementation, and as technology and risks change
Key Points About the Framework (cont.)
- Organizations should adopt the framework now: Don't Wait! The framework is a flexible, highly adaptable document, and its adoption will be market-driven. Its improvement will depend to a great degree on the experiences of those who have used it
- We need to improve cyber protections across the broadest set of stakeholders possible to achieve the collective benefit of security for all. The fastest way to do this is through voluntary adoption
- This is a strong public-private partnership. Version 1.0 of the framework strongly reflects the efforts of a broad range of industries that see the value of, and need for, improving cybersecurity and lowering risk