Critical Infrastructure
Cybersecurity Framework Overview and Status
Executive Order 13636
“Improving Critical Infrastructure Cybersecurity”
Executive Order:
Improving Critical Infrastructure Cybersecurity
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”
President Barack Obama
Executive Order 13636, Feb. 12, 2013
• The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure
• Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work
Based on the Executive Order, the Cybersecurity Framework Must...
• Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks
• Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk
• Identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations
Developing the Cybersecurity Framework through Ongoing Engagement
• The framework was developed in an open, transparent manner with heavy input from stakeholders in industry, academia, and government – both domestic and international
• Organizations across the economy—large and small, in many sectors, and in industry, academia, and government—were consulted and involved from the beginning
• NIST continues to welcome comments on the framework, especially by those gaining experience using it
The Cybersecurity Framework…
• Provides a structure organizations can use to create, guide, assess or improve comprehensive cybersecurity programs based on risks
• Offers a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses
• Allows organizations—regardless of size, degree of cyber risk or cybersecurity sophistication—to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure
• Helps companies prove to themselves and their stakeholders that good cybersecurity is good business
• Builds on global and other standards, guidelines, and best practices
• Provides a means of expressing cybersecurity requirements to business partners and customers
• Assists organizations in incorporating privacy and civil liberties as part of a comprehensive cybersecurity program
The Cybersecurity Framework Is for Organizations…
• Of any size, in any sector of the critical infrastructure
• That already have a mature cyber risk management and cybersecurity program
• That don’t yet have a cyber risk management or cybersecurity program
• With a mission of helping members to keep up-to-date on managing risk and facing business or societal threats
Development of the Framework: Timeline
Engage Stakeholders
• EO 13636 Issued – February 12, 2013
• Request For Information Issued – February 26, 2013
Collect, Categorize, and Post RFI Responses
• 1st Framework Workshop – April 03, 2013
• Completed – April 8, 2013
Analyze RFI Responses
• Common Practices/Themes Identified – May 15, 2013
• 2nd Framework Workshop, CMU – May 29-31, 2013
Identify Framework Elements
• Draft Outline of Preliminary Framework – July 1, 2013
• 3rd Framework Workshop, UCSD – July 10-12, 2013
Prepare and Publish Preliminary Framework
• 4th Framework Workshop, UT Dallas – September 11-13, 2013
Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process
Development of the Framework: Timeline (Cont.)
Prepare and Publish Preliminary Framework
• Preliminary Framework Published – October 29, 2013
• 45-day Public Comment Period Began
Additional Ongoing Public Engagement
• 5th Framework Workshop, NCSU – November 14-15, 2013
Preliminary Framework Public Comment Period
• Public Comment Period Closed – December 13, 2013
Cybersecurity Framework Version 1.0
• Completed Comment Resolution – January 2014
• Published Cybersecurity Framework V 1.0 – February 12, 2014
Framework’s Future: Improvements and Governance
• Published Roadmap for the Future – February 12, 2014
• Workshops, Framework Updates and Improvements – 2014 and Beyond
Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process
Framework Components
Framework Core
• Cybersecurity activities and informative references common across critical infrastructure sectors and organized around particular outcomes
• Enables communication of cyber risk across an organization
Framework Profile
• Aligns industry standards and best practices to the Framework Core in a particular implementation scenario
• Supports prioritization and measurement of progress toward the Target Profile, while factoring in other business needs—including cost-effectiveness and innovation
Framework Implementation Tiers
• Describes how cybersecurity risk is managed by an organization
• Describes the degree to which an organization’s cybersecurity risk management practices exhibit the key characteristics (e.g., risk and threat aware, repeatable, and adaptive)
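A worked illustration of the Core/Profile mechanics described above, added here and not part of the original NIST slides: a constructed slice of the Core, a Current and a Target Profile scored on an assumed 0–3 implementation scale (the Framework itself prescribes no such scale), and a gap analysis that ranks outcomes by business priority and measures progress toward the Target Profile. The outcome rows, reference pairings, profile scores and priority weights are all constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Outcome:
    """One Framework Core row: Function > Category > Subcategory, plus informative references."""
    function: str
    category: str
    subcategory: str
    references: tuple

# Constructed, illustrative slice of the Core (identifiers follow the published
# FUNCTION.CATEGORY-n pattern; the published Framework Core is the authoritative list).
CORE = (
    Outcome("Identify", "Asset Management", "ID.AM-1", ("ISO/IEC 27001", "NIST SP 800-53 Rev. 4")),
    Outcome("Protect", "Access Control", "PR.AC-1", ("ISO/IEC 27001", "COBIT 5")),
    Outcome("Detect", "Anomalies and Events", "DE.AE-3", ("ISA 62443", "NIST SP 800-53 Rev. 4")),
    Outcome("Respond", "Communications", "RS.CO-2", ("ISO/IEC 27001", "CCS CSC")),
)

# Profiles map a Subcategory to an implementation level on an assumed 0..3 scale
# (0 = not implemented, 1 = partial, 2 = implemented, 3 = implemented and verified).
CURRENT_PROFILE = {"ID.AM-1": 1, "PR.AC-1": 2, "DE.AE-3": 0, "RS.CO-2": 1}  # constructed
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 2, "DE.AE-3": 2, "RS.CO-2": 1}   # constructed
PRIORITY = {"ID.AM-1": 2, "PR.AC-1": 3, "DE.AE-3": 3, "RS.CO-2": 1}         # business priority 1..3

def gap_analysis(core, current, target, priority):
    """Outcomes where the Current Profile falls short of the Target Profile, as
    (subcategory, shortfall, priority * shortfall) tuples, highest-ranked first."""
    gaps = []
    for o in core:
        shortfall = target.get(o.subcategory, 0) - current.get(o.subcategory, 0)
        if shortfall > 0:
            gaps.append((o.subcategory, shortfall, priority.get(o.subcategory, 1) * shortfall))
    return sorted(gaps, key=lambda g: (-g[2], g[0]))

def progress(core, current, target):
    """Fraction of targeted outcomes already at or above their Target Profile level."""
    targeted = [o for o in core if target.get(o.subcategory, 0) > 0]
    met = sum(1 for o in targeted if current.get(o.subcategory, 0) >= target[o.subcategory])
    return round(met / len(targeted), 2) if targeted else 1.0

def references_for(core, subcategory):
    """Informative references the Core aligns to a Subcategory (the standards a Profile inherits)."""
    return next((o.references for o in core if o.subcategory == subcategory), ())

if __name__ == "__main__":
    for sub, shortfall, score in gap_analysis(CORE, CURRENT_PROFILE, TARGET_PROFILE, PRIORITY):
        print(f"{sub}: close gap of {shortfall} (score {score}); see {', '.join(references_for(CORE, sub))}")
    print(f"progress toward Target Profile: {progress(CORE, CURRENT_PROFILE, TARGET_PROFILE):.0%}")
```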
The Framework Core
Framework Core - Sample
How to Use the Cybersecurity Framework
The Framework is designed to complement existing business and cybersecurity operations, and can be used to:
• Understand security status
• Establish / Improve a cybersecurity program
• Communicate cybersecurity requirements with stakeholders, including partners and suppliers
• Identify opportunities for new or revised informative references
• Identify tools and technologies to help organizations use the Framework
• Integrate privacy and civil liberties considerations into a cybersecurity program
What’s Next: Using the Cybersecurity Framework
• Organizations—led by their senior executives—should use the framework now, and provide feedback to NIST
• Industry groups, associations, and non-profits can play key roles in assisting their members to understand and use the framework by:
• Building or mapping their sector’s specific standards, guidelines, and best practices to the framework
• Developing and sharing examples of how organizations are using the framework
• NIST is committed to helping organizations understand and use the framework
• NIST is expanding its outreach and will work with the Department of Homeland Security on its “C3” Voluntary Program (http://www.dhs.gov/about-critical-infrastructure-cyber-community-c³-voluntary-program)
What’s Next: Areas for Development, Alignment, and Collaboration
• The Executive Order calls for the framework to “identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations”
• High-priority areas for development, alignment, and collaboration were identified based on stakeholder input:
• Authentication
• Automated Indicator Sharing
• Conformity Assessment
• Cybersecurity Workforce
• Data Analytics
• Federal Agency Cybersecurity Alignment
• International Aspects, Impacts, and Alignment
• Supply Chain Risk Management
• Technical Privacy Standards
What’s Next: Roadmap for the Framework
• NIST will work with stakeholders to further understand these areas for development, alignment and collaboration and to develop or identify new or revised standards
• For specifics, see the companion Roadmap to the framework that also was issued Feb. 12, 2014:
http://nist.gov/cyberframework/upload/roadmap-021214.pdf
• Areas for development, alignment, and collaboration are covered in greater detail
• Strengthening private sector involvement in long-term governance of the framework is also discussed
Get (or Stay) Involved
• Use the Cybersecurity Framework
• Begin using the framework and see how well it can work for different sizes and types of organizations
• Share your experiences to help others and make the Cybersecurity Framework better
• Tell NIST how using the framework worked—or didn’t work—for your organization
• Feedback is essential to improving the framework
• Continue to engage and stay tuned
• The framework is a living document
• Your experience and knowledge will make it even more useful in protecting your organization and the nation’s critical infrastructure
Where to Learn More and Stay Current
The Framework for Improving Critical Infrastructure Cybersecurity, the Roadmap, and related news and information are available at:
http://www.nist.gov/cyberframework
Recapping Key Points about the Framework
• It’s a framework, not a prescription
• It provides a common language and systematic methodology for managing cyber risk
• It does not tell a company how much cyber risk is tolerable, nor does it claim to provide “the one and only” formula for cybersecurity
• Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone
• The framework is a living document
• It is intended to be updated over time as stakeholders learn from implementation, and as technology and risks change
Key Points About the Framework (cont.)
• Organizations should adopt the framework now: Don’t Wait!
• The framework is a flexible, highly adaptable document, and its adoption will be market-driven
• Its improvement will depend to a great degree on the experiences of those who have used it
• We need to improve cyber protections across the broadest set of stakeholders possible to achieve the collective benefit of security for all. The fastest way to do this is through voluntary adoption
• This is a strong public-private partnership
• Version 1.0 of the framework strongly reflects the efforts of a broad range of industries that see the value of, and need for, improving cybersecurity and lowering risk