Framework Version 1.1 Overview

The document summarizes a presentation on using and updating the Framework for Improving Critical Infrastructure Cybersecurity. It discusses the objective to convey how Version 1.1 of the Cybersecurity Framework adds new features while remaining compatible with Version 1.0. It also provides an overview of the Framework's key components, users, and attributes as well as the process for updating it over time.

Uploaded by Mauro Alfonso

The Framework for Improving Critical Infrastructure Cybersecurity
April 2018

[email protected]
Objective and Agenda
Objective: Convey Cybersecurity Framework use, while explaining features added in Version 1.1

• Charter
• Users
• Attributes, Components, & Approaches
• Draft Roadmap Version 1.1
• Framework Focus Areas
• Web Site
• Update Process
National Institute of Standards and Technology
About NIST
• Agency of U.S. Department of Commerce
• NIST’s mission is to develop and promote measurement, standards and technology to enhance productivity, facilitate trade, and improve the quality of life.
• Federal, non-regulatory agency around since 1901

NIST Cybersecurity
• Cybersecurity since the 1970s
• Computer Security Resource Center – csrc.nist.gov

NIST Priority Research Areas
• Advanced Manufacturing
• IT and Cybersecurity
• Healthcare
• Forensic Science
• Disaster Resilience
• Cyber-physical Systems
• Advanced Communications
Cybersecurity Framework Current Charter
Improving Critical Infrastructure Cybersecurity

February 12, 2013: Executive Order 13636
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”

December 18, 2014: Cybersecurity Enhancement Act of 2014 (P.L. 113-274)
Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say:
“…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure”
Cybersecurity Framework Users
Framework for Improving Critical Infrastructure Cybersecurity
Version 1.0 and 1.1 Are Fully Compatible
Framework for Improving Critical Infrastructure Cybersecurity

• Additions, including new categories and subcategories, do not invalidate existing V1.0 uses or work products

Component               Version 1.0   Version 1.1   Comments
Functions               5             5
Categories              22            23            Added a new category: ID.SC – Supply Chain
Subcategories           98            108           Added 5 subcategories in ID.SC; added 2 subcategories in PR.AC; added 1 subcategory each to PR.DS, PR.PT, RS.AN; clarified language in 7 others
Informative References  5             5
Key Framework Attributes
Principles of the Current and Future Versions of Framework

Common and accessible language
• Understandable by many professionals
It’s adaptable to many technologies (1.1), lifecycle phases (1.1), sectors and uses
• Meant to be customized
It’s risk-based
• A catalog of cybersecurity outcomes
• Does not prescribe how, or how much, cybersecurity is appropriate
It’s meant to be paired
• Take advantage of great pre-existing things
It’s a living document
• Enable best practices to become standard practices for everyone
• Can be updated as technology and threats change
• Evolves faster than regulation and legislation
• Can be updated as stakeholders learn from implementation
Cybersecurity Framework Components

Core
• Cybersecurity outcomes and informative references
• Enables communication of cyber risk across an organization

Implementation Tiers
• Describes how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics

Profile
• Aligns industry standards and best practices to the Framework Core in an implementation scenario
• Supports prioritization and measurement while factoring in business needs
Implementation Tiers

Tiers: 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive

Risk Management Process: the functionality and repeatability of cybersecurity risk management
Integrated Risk Management Program: the extent to which cybersecurity is considered in broader risk management decisions
External Participation: the degree to which the organization
• monitors and manages supply chain risk (1.1)
• benefits by sharing or receiving information from outside parties
Core
A Catalog of Cybersecurity Outcomes

Function and the question it answers:
• Identify: What processes and assets need protection?
• Protect: What safeguards are available?
• Detect: What techniques can identify incidents?
• Respond: What techniques can contain impacts of incidents?
• Recover: What techniques can restore capabilities?

• Understandable by everyone
• Applies to any type of risk management
• Defines the entire breadth of cybersecurity
• Spans both prevention and reaction
Core
A Catalog of Cybersecurity Outcomes

Function: Categories
• Identify (What processes and assets need protection?): Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management (1.1)
• Protect (What safeguards are available?): Identity Management, Authentication and Access Control (1.1); Awareness and Training; Data Security; Information Protection Processes & Procedures; Maintenance; Protective Technology
• Detect (What techniques can identify incidents?): Anomalies and Events; Security Continuous Monitoring; Detection Processes
• Respond (What techniques can contain impacts of incidents?): Response Planning; Communications; Analysis; Mitigation; Improvements
• Recover (What techniques can restore capabilities?): Recovery Planning; Improvements; Communications
Core – Example (1.1)
Cybersecurity Framework Component
(three example slides; figures only)
Profile
Customizing Cybersecurity Framework

Ways to think about a Profile:
• A customization of the Core for a given sector, subsector, or organization
• A fusion of business/mission logic and cybersecurity outcomes
• An alignment of cybersecurity requirements with operational methodologies
• A basis for assessment and expressing target state
• A decision support tool for cybersecurity risk management
(figure: the five Functions Identify, Protect, Detect, Respond, Recover)
Profile Foundational Information
A Profile Can be Created from Three Types of Information

(figure, labels recovered)
1. Business Objectives: Objective 1, Objective 2, Objective 3
2. Cybersecurity Requirements: Legislation, Regulation, Internal & External Policy
3. Technical Environment: Threats, Vulnerabilities, Operating Methodologies, Controls Catalogs, Technical Guidance
These feed the Profile, listed by Subcategory 1 through 108.
Framework Seven Step Process
Gap Analysis Using Framework Profiles

• Step 1: Prioritize and Scope
  • Implementation Tiers may be used to express varying risk tolerances (1.1)
• Step 2: Orient
• Step 3: Create a Current Profile
• Step 4: Conduct a Risk Assessment
• Step 5: Create a Target Profile
  • When used in conjunction with an Implementation Tier, characteristics of the Tier level should be reflected in the desired cybersecurity outcomes (1.1)
• Step 6: Determine, Analyze, and Prioritize Gaps
• Step 7: Implementation Action Plan
Resource and Budget Decisioning
Framework supports operating decisions and improvement

As-Is (Current Profile), Year 1 To-Be, Year 2 To-Be (Target Profile)
Slide annotation: Target Profile is Step 5, Gaps are Step 6, Activities are Step 7

Sub-category   Priority   Gaps     Budget   Year 1 / Year 2 Activities
1              moderate   small    $$$      X
2              high       large    $$       X
3              moderate   medium   $        X
…              …          …        …
108            moderate   none     $$       reassess
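The gap analysis behind this table (Steps 3, 5 and 6 of the seven-step process) worked through in code. This is an added example, not code from the NIST deck: it scores each Subcategory on the four-Tier scale (an assumption that follows the 1.1 wording of Step 5), treats a Subcategory absent from the Current Profile as a full-scale gap, and orders rows by priority then gap size; all scores and priorities are constructed.

```python
"""Profile gap analysis for Steps 3, 5 and 6 of the seven-step process.
Added example, not code from the NIST deck. Subcategory IDs such as ID.SC-1
are real Framework identifiers; all scores and priorities are constructed."""
from dataclasses import dataclass
from typing import Optional

# Tier names from the Implementation Tiers slide. Scoring each Subcategory
# 1..4 on the Tier scale is an assumption that follows the 1.1 wording of
# Step 5 (Tier characteristics reflected in desired outcomes).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
PRIORITY_ORDER = {"high": 0, "moderate": 1, "low": 2}

@dataclass
class GapRow:
    subcategory: str
    priority: str
    current: Optional[int]  # None: absent from the Current Profile
    target: int

    @property
    def gap_size(self) -> int:
        # A Subcategory missing from the Current Profile (e.g. a 1.1 ID.SC
        # addition not yet assessed under V1.0) counts as a full-scale gap.
        if self.current is None:
            return len(TIERS)
        return max(self.target - self.current, 0)

    @property
    def gap(self) -> str:
        if self.current is None:
            return "not assessed"
        return {0: "none", 1: "small", 2: "medium"}.get(self.gap_size, "large")

def analyze_gaps(current, target, priority):
    """Step 6: compare the Current (Step 3) and Target (Step 5) Profiles.
    Rows come back ordered by business priority, then by gap size, so the
    top rows are where Year 1 budget and activities (Step 7) belong.
    Subcategories absent from the Target Profile are out of scope."""
    rows = [GapRow(sub, priority.get(sub, "moderate"), current.get(sub), tgt)
            for sub, tgt in target.items()]
    rows.sort(key=lambda r: (PRIORITY_ORDER[r.priority], -r.gap_size))
    return rows

def render(rows):
    """Plain-text table in the shape of the budget-decisioning slide."""
    out = [f"{'Subcategory':<12}{'Priority':<10}{'Gap':<14}Current -> Target"]
    for r in rows:
        cur = TIERS.get(r.current, "n/a")
        out.append(f"{r.subcategory:<12}{r.priority:<10}{r.gap:<14}"
                   f"{cur} -> {TIERS[r.target]}")
    return "\n".join(out)

# Constructed sample profiles; the scores are illustrative, not NIST data.
CURRENT = {"ID.AM-1": 3, "PR.AC-1": 2, "DE.CM-1": 1, "RS.AN-1": 2}
TARGET = {"ID.AM-1": 3, "PR.AC-1": 4, "DE.CM-1": 3, "RS.AN-1": 2, "ID.SC-1": 3}
PRIORITY = {"ID.AM-1": "moderate", "PR.AC-1": "high", "DE.CM-1": "high",
            "RS.AN-1": "low", "ID.SC-1": "high"}

if __name__ == "__main__":
    print(render(analyze_gaps(CURRENT, TARGET, PRIORITY)))
```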
Supporting Risk Management with Framework
Framework for Improving Critical Infrastructure Cybersecurity Version 1.1
(figure: risk management flows marked 1.1, covering Internal and Supply Chain)
Operate
Use Cybersecurity Framework Profiles to distribute and organize labor

Subcats   Reqs          Priorities   Who   What   When   Where   How
1         A, B          High
2         C, D, E, F    High
3         G, H, I, J    Low
...       ...           ...
108       XX, YY, ZZ    Mod
Cyber SCRM Taxonomy (1.1)
Framework for Improving Critical Infrastructure Cybersecurity Version 1.1

• Simple Supplier-Buyer model
• Technology minimally includes IT, OT, CPS, IoT
• Applicable for public and private sector, including not-for-profits
• Aligns with Federal guidance: Supply Chain Risk Management Practices for Federal Information Systems and Organizations (Special Publication 800-161)
Self-Assessing Cybersecurity Risk (1.1)
Framework for Improving Critical Infrastructure Cybersecurity Version 1.1

Emphasizes the role of measurements in self-assessment

Stresses critical linkage of business results:
- Cost
- Benefit
…to cybersecurity risk management
Continued discussion of this linkage will occur under Roadmap area – Measuring Cybersecurity
Roadmap Concepts
Roadmap to Improving Critical Infrastructure Cybersecurity

The Roadmap:
• identifies key areas of development, alignment, and collaboration
• provides a description of activities related to the Framework

Roadmap items are generally:
• Topics that are meaningful to critical infrastructure cybersecurity risk management
• Focus areas of both private sector and the federal government
• Related to Framework, but managed as separate efforts
Proposed Roadmap Topics
Draft Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1

Original Roadmap (9 topics):
• Conformity Assessment
• Automated Indicator Sharing
• Data Analytics
• Cybersecurity Workforce
• Supply Chain Risk Management
• Federal Agency Cybersecurity Alignment
• Authentication
• International Aspects, Impacts, and Alignment
• Technical Privacy Standards

Proposed Roadmap (12 topics):
• Confidence Mechanisms
• Cyber-Attack Lifecycle (includes Coordinated Vulnerability Disclosure)
• Cybersecurity Workforce
• Cyber Supply Chain Risk Management
• Federal Agency Cybersecurity Alignment (Focus)
• Governance and Enterprise Risk Management
• Identity Management
• International Aspects, Impacts, and Alignment (Focus)
• Measuring Cybersecurity
• Privacy Engineering
• Referencing Techniques
• Small Business Awareness and Resources (Focus)
Small Business Guidance and Initiatives
Framework for Improving Critical Infrastructure Cybersecurity

• Small Business Information Security: the Fundamentals (NIST Computer Security Resource Center)
• Small Business Center (NIST Computer Security Resource Center)
• CyberSecure My Business (National Cyber Security Alliance)
• Small Business Starter Profiles (NIST Framework Team)
International Use
Framework for Improving Critical Infrastructure Cybersecurity

• Japanese translation by Information-technology Promotion Agency
• Italian adaptation within Italy’s National Framework for Cybersecurity
• Hebrew adaptation by Government of Israel
• Bermuda uses it within government and recommends it to industry
• Uruguay government is currently on Version 3.1 of their adaptation
• Focus of International Organization for Standardization & International Electrotechnical Commission
Proposed U.S. Federal Usage
NIST IR 8170 The Cybersecurity Framework: Implementation Guidance for Federal Agencies

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Executive Order 13800

1. Integrate enterprise and cybersecurity risk management
2. Manage cybersecurity requirements
3. Integrate and align cybersecurity and acquisition processes
4. Evaluate organizational cybersecurity
5. Manage the cybersecurity program
6. Maintain a comprehensive understanding of cybersecurity risk (supports RMF Authorize)
7. Report cybersecurity risks (supports RMF Monitor)
8. Inform the tailoring process (supports RMF Select)
FISMA Implementation Pub Schedule
As of 8 February 2018, Subject to Change

NIST Special Publication 800-37, Revision 2: Risk Management Framework for Security and Privacy
• Initial Public Draft: May 2018
• Final Public Draft: July 2018
• Final Publication: October 2018

NIST Special Publication 800-53, Revision 5: Security and Privacy Controls
• Final Public Draft: October 2018
• Final Publication: December 2018

NIST Special Publication 800-53A, Revision 5: Assessment Procedures for Security and Privacy Controls
• Initial Public Draft: March 2019
• Final Public Draft: June 2019
• Final Publication: September 2019

FIPS Publication 200, Revision 1: Minimum Security Requirements
• Initial Public Draft: October 2018
• Final Public Draft: April 2019
• Final Publication: July 2019

FIPS Publication 199, Revision 1: Security Categorization
• Initial Public Draft: December 2018
• Final Public Draft: May 2019
• Final Publication: August 2019

Updates - https://csrc.nist.gov/Projects/Risk-Management/Schedule
Questions or comments - [email protected]
Supporting Healthy Regulatory Environments
Framework for Improving Critical Infrastructure Cybersecurity

• Bulk Liquid Transport Profile (U.S. Coast Guard)
• Financial Services Framework Customization and Profile (Financial Services Sector Coordinating Council)
• Connected Vehicle Profile (U.S. Department of Transportation Smart City Pilot)
• Cybersecurity Risk Management and Best Practices Working Group 4: Final Report (Communications Security, Reliability, and Interoperability Council)
Eras of Cybersecurity Framework

The Framework Web Site
www.nist.gov/cyberframework

Self-Help Web Materials
www.nist.gov/cyberframework
(two slides)
Resources
https://www.nist.gov/cyberframework/framework-resources-0

General Resources sorted by User Group:
• Critical Infrastructure
• Small and Medium Business
• International
• Federal
• State Local Tribal Territorial Governments
• Academia
• Assessments & Auditing
• General
Over 150 Unique Resources for Your Understanding and Use!
Resources - State & Local
https://www.nist.gov/cyberframework/state-local-tribal-and-territorial-resources

Texas, Department of Information Resources
• Aligned Agency Security Plans with Framework
• Aligned Product and Service Vendor Requirements with Framework

North Dakota, Information Technology Department
• Allocated Roles & Responsibilities using Framework
• Adopted the Framework into their Security Operation Strategy

Houston, Greater Houston Partnership
• Integrated Framework into their Cybersecurity Guide
• Offer On-Line Framework Self-Assessment

National Association of State CIOs
• 2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy

New Jersey
• Developed a cybersecurity framework that aligns controls and procedures with Framework
Recent NIST Work Products
https://www.nist.gov/cyberframework/framework-resources-0

• Manufacturing Profile: NIST Discrete Manufacturing Cybersecurity Framework Profile
• Self-Assessment Criteria: Baldrige Cybersecurity Excellence Builder
• Maritime Profile: U.S. Coast Guard Bulk Liquid Transport Profile
Resources
https://www.nist.gov/cyberframework/framework-resources-0

NIST Special Publications
• 800 Series @ csrc.nist.gov (Computer Security Resource Center)
• 1800 Series @ nccoe.nist.gov (National Cybersecurity Center of Excellence)

Over 150 Unique Resources for Your Understanding and Use!
NIST Special Publications by Category
https://www.nist.gov/cyberframework/protect

Online Informative References
https://www.nist.gov/cyberframework/informative-references

Core – Example (1.1)
Cybersecurity Framework Component
Relationship Types
Online Informative References

• Case 1: Subset of
• Case 2: Intersects with
• Case 3: Equivalent to
• Case 4: Superset of
• Case 5: Not related to

Key (figure): Framework (F) – blue; Reference Document (R) – red
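The five relationship cases above, as an added example that is not NIST's own Online Informative References tooling. Each element is modelled as the set of concepts it covers (constructed tags), and the relationship is stated for the Framework element F relative to the reference element R; both the set model and that direction are assumptions. The reference control IDs are hypothetical.

```python
"""Relationship types between a Framework element (F) and a Reference
Document element (R). Added example, not NIST OLIR code; modelling each
element as a set of concept tags (constructed) is an assumption."""

CASES = ("Subset of", "Intersects with", "Equivalent to", "Superset of",
         "Not related to")

def relationship(f: set, r: set) -> str:
    """Classify F relative to R into one of the five cases on the slide."""
    if not f or not r:
        return "Not related to"  # an empty element covers nothing
    if f == r:
        return "Equivalent to"
    if f < r:
        return "Subset of"       # F's content lies entirely within R
    if f > r:
        return "Superset of"     # F covers all of R and more
    if f & r:
        return "Intersects with" # partial overlap only
    return "Not related to"

def map_references(framework: dict, reference: dict) -> list:
    """Produce (F, R, relationship) rows, dropping unrelated pairs so the
    result reads like an informative-reference table, not a cross product."""
    rows = []
    for f_id, f_set in framework.items():
        for r_id, r_set in reference.items():
            rel = relationship(f_set, r_set)
            if rel != "Not related to":
                rows.append((f_id, r_id, rel))
    return rows

# Constructed sample: real Framework Subcategory IDs, hypothetical reference
# controls (REF-CTRL-*), each tagged with the concepts it addresses.
FRAMEWORK = {
    "PR.AC-1": {"identity", "credential", "lifecycle"},
    "ID.SC-1": {"supplier", "risk-process"},
}
REFERENCE = {
    "REF-CTRL-01": {"identity", "credential", "lifecycle"},
    "REF-CTRL-02": {"identity", "credential"},
    "REF-CTRL-03": {"supplier", "risk-process", "contract"},
    "REF-CTRL-04": {"risk-process", "budget"},
}

if __name__ == "__main__":
    for row in map_references(FRAMEWORK, REFERENCE):
        print(*row)
```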
Continued Improvement of Critical Infrastructure Cybersecurity
Update Activities and Engagement

• Request for Information – Views on the Framework for Improving Critical Infrastructure Cybersecurity – Dec 2015: 105 responses
• 7th Workshop – Apr 2016: 653 physical attendees, 140 online attendees
• Draft 1 – Framework Version 1.1 – Released Jan 2017: approx. 42,000+ downloads as of 4/27/18
• Request for Comment – Proposed update to the Framework for Improving Critical Infrastructure Cybersecurity – Jan 2017: 129 responses
• 8th Workshop – May 2017: 517 physical attendees, 1528 online attendees
• Draft 2 – Framework Version 1.1 – Released Dec 2017: approx. 32,000+ downloads as of 4/27/18
• Request for Comment – Cybersecurity Framework Version 1.1 – Draft 2 – Dec 2017: 89 responses
• Framework Version 1.1 – Release April 2018: approx. 27,000+ downloads thus far
Continued Improvement
Living Document Process
https://www.nist.gov/cyberframework/online-learning/update-process
Milestones
Three Year Minimum Update Cycle
https://www.nist.gov/cyberframework/online-learning/update-process

(figure, labels recovered) Features List (Version A), Features List (Version B), Features List (Version C), Draft Framework Update, Publish Framework Update. Each Features List tracks Major, Minor, and Administrative items; an Annual Conference is held each year of the cycle. "New Version?" is decided 3 years from the last Final Update.
Ways to Help
Stakeholder Recommended Actions

• Create and share your Resources with others in coordination with NIST
• Customize Framework for your sector or community
• Publish a sector or community Profile or relevant Online Informative Reference
• Publish Success Stories of your Framework implementation in coordination with NIST
• Advocate for the Framework throughout your sector or community, with related sectors and communities.
• Submit an idea for the NIST Call for Speakers

[email protected] for all NIST coordination and communication
Upcoming
• 15-16 May 2018: Federal Computer Security Managers Forum, https://csrc.nist.gov/Events/2018/Federal-Computer-Security-Managers-Forum-2-day
• Spring 2018: Publication of Roadmap for Improving Critical Infrastructure Cybersecurity
• Spring 2018: Publication of NIST Interagency Report 8170
• Summer 2018: Spanish Language Framework Version 1.1
• 6-8 November 2018: NIST Cybersecurity Risk Management Conference - Call for Speakers
• Winter 2018-19: Small Business Starter Profiles
Resources
• Framework for Improving Critical Infrastructure Cybersecurity and related news and information: www.nist.gov/cyberframework
• Additional cybersecurity resources: http://csrc.nist.gov/
• Questions, comments, ideas: [email protected]
Questions?