Critical Infrastructure Cybersecurity

Uploaded by

Philipp A Isla
Framework for Improving Critical Infrastructure Cybersecurity
June 2016

[email protected]
National Institute of Standards and Technology (NIST)
About NIST
• NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
• 3,000 employees
• 2,700 guest researchers
• 1,300 field staff in partner organizations
• Two main locations: Gaithersburg, MD and Boulder, CO

NIST Priority Research Areas
• Advanced Manufacturing
• IT and Cybersecurity
• Healthcare
• Forensic Science
• Disaster Resilience
• Cyber-physical Systems
• Advanced Communications
Improving Critical Infrastructure Cybersecurity

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”

President Barack Obama
Executive Order 13636, 12 February 2013
Based on the Executive Order, the Cybersecurity Framework Must...

• Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks
• Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk
• Identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations
• Be consistent with voluntary international standards
Development of the Framework

Process steps:
• Engage the Framework Stakeholders
• Collect, Categorize, and Post RFI Responses
• Analyze RFI Responses
• Identify Framework Elements
• Prepare and Publish Framework

Timeline:
• EO 13636 Issued – February 12, 2013
• NIST Issues RFI – February 26, 2013
• 1st Framework Workshop – April 03, 2013
• Completed – April 08, 2013
• Identify Common Practices/Themes – May 15, 2013
• 2nd Framework Workshop at CMU – May 2013
• Draft Outline of Preliminary Framework – June 2013
• 3rd Workshop at UCSD – July 2013
• 4th Workshop at UT Dallas – Sept 2013
• 5th Workshop at NC State – Nov 2013
• Published Framework – Feb 2014

Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process… and to this day
The Cybersecurity Framework Is for Organizations…

• Of any size, in any sector in (and outside of) the critical infrastructure
• That already have a mature cyber risk management and cybersecurity program
• That don’t yet have a cyber risk management or cybersecurity program
• With a mission of helping keep up-to-date on managing risk and facing business or societal threats
Cybersecurity Framework Components

• Framework Core: Cybersecurity activities and informative references, organized around particular outcomes. Enables communication of cyber risk across an organization.
• Framework Profile: Aligns industry standards and best practices to the Framework Core in a particular implementation scenario. Supports prioritization and measurement while factoring in business needs.
• Framework Implementation Tiers: Describes how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics.
Key Properties of Cyber Risk Management

• Risk Management Process
• Integrated Risk Management Program
• External Participation
Implementation Tiers

Tiers: 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive

• Risk Management Process: the functionality and repeatability of cybersecurity risk management
• Integrated Risk Management Program: the extent to which cybersecurity is considered in broader risk management decisions
• External Participation: the degree to which the organization benefits by sharing or receiving information from outside parties
Intel Adaptation of Implementation Tiers

Tiers: 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive

• People: whether people have assigned roles, regular training, take initiative by becoming champions, etc.
• Process: NIST Risk Management Process + NIST Integrated Risk Management Program
• Technology: whether tools are implemented, maintained, evolved, provide effectiveness metrics, etc.
• Ecosystem: NIST External Participation + whether the organization understands its role in the ecosystem, including external dependencies with partners
Taxonomy Value Proposition

Plant classification is the placing of known plants into groups or categories to show some relationship. Scientific classification follows a system of rules that standardizes the results, and groups successive categories into a hierarchy.

For example, the family to which lilies belong is classified as:

• Kingdom: Plantae
• Phylum: Magnoliophyta
• Class: Liliopsida
• Order: Liliales
• Family: Liliaceae
• Genus: ......
• Species: ......

Value Proposition
• Accurate communication
• Quickly categorize known
• Logically name unknown
• Inherent properties understood based on name
Core
Cybersecurity Framework Component

Function | Category | ID

Identify (What processes and assets need protection?)
• Asset Management | ID.AM
• Business Environment | ID.BE
• Governance | ID.GV
• Risk Assessment | ID.RA
• Risk Management Strategy | ID.RM

Protect (What safeguards are available?)
• Access Control | PR.AC
• Awareness and Training | PR.AT
• Data Security | PR.DS
• Information Protection Processes & Procedures | PR.IP
• Maintenance | PR.MA
• Protective Technology | PR.PT

Detect (What techniques can identify incidents?)
• Anomalies and Events | DE.AE
• Security Continuous Monitoring | DE.CM
• Detection Processes | DE.DP

Respond (What techniques can contain impacts of incidents?)
• Response Planning | RS.RP
• Communications | RS.CO
• Analysis | RS.AN
• Mitigation | RS.MI
• Improvements | RS.IM

Recover (What techniques can restore capabilities?)
• Recovery Planning | RC.RP
• Improvements | RC.IM
• Communications | RC.CO
Core
Cybersecurity Framework Component: Subcategory and Informative References

Example for the Business Environment category (ID.BE) of the Identify Function:

• ID.BE-1: The organization’s role in the supply chain is identified and communicated.
  Informative References: COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12
• ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated.
  Informative References: COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8
• ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated.
  Informative References: COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14
• ID.BE-4: Dependencies and critical functions for delivery of critical services are established.
  Informative References: ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
• ID.BE-5: Resilience requirements to support delivery of critical services are established.
  Informative References: COBIT 5 DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
Profile
Cybersecurity Framework Component

Ways to think about a Profile:
• A customization of the Core for a given sector, subsector, or organization
• A fusion of business/mission logic and cybersecurity outcomes
• An alignment of cybersecurity requirements with operational methodologies
• A basis for assessment and expressing target state
• A decision support tool for cybersecurity risk management

Functions covered by a Profile: Identify, Protect, Detect, Respond, Recover
Supporting Risk Management with Framework
Building a Profile
A Profile Can be Created in Three Steps

1. Mission Objectives: A, B, C
2. Operating Methodologies: Cybersecurity Requirements drawn from Legislation, Regulation, Internal & External Policy, and Best Practice
3. Guidance and methodology on implementing, managing, and monitoring

Core Subcategories: 1, 2, 3, …, 98
Set Priorities
Use Cybersecurity Framework Profiles to determine Priorities

Requirements come from static sources (Business Objectives, Law, Regulation) and a dynamic source (Threat Profile); each Subcategory is rated against them:

Subcats | Requirements
1 | High, High, High
2 | Mod, High, Mod, Mod
3 | Low, Low, Low
... | ...
98 | Mod, Mod
Resource and Budget Decisioning
What Can You Do with a CSF Profile

An As-Is Profile is compared with a To-Be Profile for Year 1 and a To-Be Profile for Year 2:

Sub-category | Priority | Gaps | Budget | Year 1 / Year 2 Activities
1 | moderate | small | $$$ | X
2 | high | large | $$ | X
3 | moderate | medium | $ | X
… | … | … | … | …
98 | moderate | none | $$ | reassess

…and supports on-going operational decisions too
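The three slides above (Building a Profile, Set Priorities, Resource and Budget Decisioning) describe one procedure: map Core Subcategories to requirements, rate each Subcategory against static and dynamic requirement sources, compare As-Is and To-Be Implementation Tiers, and rank the resulting gaps for funding. The Python model below is an added example, not code from NIST or from these slides. Its priority rule (the strongest rating from any source wins), the gap buckets derived from the tier difference, the `refresh_threat_profile` helper that re-rates only the dynamic Threat Profile source, and all sample ratings and tiers are assumptions chosen to illustrate the slides; ID.BE-1 and ID.BE-4 appear on the slides, while PR.AC-1 and DE.CM-1 are other Framework v1.0 subcategory IDs not shown here.

```python
from dataclasses import dataclass

# Implementation Tiers as named on the Tiers slide.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Rating scale from the "Set Priorities" slide.
RATING = {"Low": 1, "Mod": 2, "High": 3}
NAME_OF = {value: name for name, value in RATING.items()}

# Requirement sources from that slide: business objectives, law and regulation
# are static; the threat profile is dynamic and is refreshed on its own cycle.
STATIC_SOURCES = ("business_objectives", "law", "regulation")
DYNAMIC_SOURCE = "threat_profile"

GAP_RANK = {"none": 0, "small": 1, "medium": 2, "large": 3}


@dataclass
class SubcategoryProfile:
    sub_id: str          # Core subcategory ID, e.g. "ID.BE-1"
    requirements: list   # requirement labels (e.g. "A", "B") mapped to it
    ratings: dict        # source -> "High" / "Mod" / "Low"; absent = no demand
    as_is_tier: int      # current Implementation Tier (1..4)
    to_be_tier: int      # target Implementation Tier (1..4)

    def __post_init__(self):
        unknown = set(self.ratings) - set(STATIC_SOURCES) - {DYNAMIC_SOURCE}
        if unknown:
            raise ValueError(f"unknown requirement source(s): {sorted(unknown)}")

    def priority(self) -> str:
        """Assumed rule: the strongest rating from any source wins; a
        subcategory that no source asks for is rated Low."""
        if not self.ratings:
            return "Low"
        return NAME_OF[max(RATING[r] for r in self.ratings.values())]

    def gap(self) -> str:
        """Assumed rule: bucket the To-Be minus As-Is tier difference into
        the gap sizes used on the budget slide."""
        diff = self.to_be_tier - self.as_is_tier
        if diff <= 0:
            return "none"
        if diff == 1:
            return "small"
        if diff == 2:
            return "medium"
        return "large"


def rank_for_budget(profile):
    """Order subcategories for funding: highest priority first, widest gap
    next. A subcategory with no gap gets 'reassess' (as in row 98 on the
    slide) so its As-Is/To-Be comparison is repeated next cycle."""
    rows = []
    for p in profile:
        gap = p.gap()
        rows.append({
            "subcategory": p.sub_id,
            "requirements": list(p.requirements),
            "priority": p.priority(),
            "gap": gap,
            "activity": ("reassess" if gap == "none" else
                         f"move from Tier {p.as_is_tier} ({TIERS[p.as_is_tier]}) "
                         f"to Tier {p.to_be_tier} ({TIERS[p.to_be_tier]})"),
        })
    rows.sort(key=lambda r: (RATING[r["priority"]], GAP_RANK[r["gap"]]),
              reverse=True)
    return rows


def refresh_threat_profile(profile, new_threat_ratings):
    """Re-rate only the dynamic source. Static sources are left untouched;
    a subcategory absent from the new threat picture loses its threat
    rating. Returns the IDs whose overall priority changed."""
    changed = []
    for p in profile:
        before = p.priority()
        if p.sub_id in new_threat_ratings:
            p.ratings[DYNAMIC_SOURCE] = new_threat_ratings[p.sub_id]
        else:
            p.ratings.pop(DYNAMIC_SOURCE, None)
        if p.priority() != before:
            changed.append(p.sub_id)
    return changed


def sample_profile():
    """Constructed sample data: all ratings and tiers are made up."""
    return [
        SubcategoryProfile("ID.BE-1", ["A", "B"],
                           {"business_objectives": "Mod", "regulation": "Mod"}, 2, 3),
        SubcategoryProfile("PR.AC-1", ["C", "D"],
                           {"law": "High", "regulation": "Mod",
                            DYNAMIC_SOURCE: "Mod"}, 1, 4),
        SubcategoryProfile("DE.CM-1", ["E"], {DYNAMIC_SOURCE: "High"}, 2, 3),
        SubcategoryProfile("ID.BE-4", ["F"], {"business_objectives": "Mod"}, 3, 3),
    ]


if __name__ == "__main__":
    profile = sample_profile()
    for row in rank_for_budget(profile):
        print(f"{row['subcategory']:8} {row['priority']:5} {row['gap']:7} {row['activity']}")
    print("priority changed after threat refresh:",
          refresh_threat_profile(profile, {"ID.BE-1": "High"}))
```

Running the block prints the budget ranking for the sample Profile and then the subcategories whose priority moved once the Threat Profile was refreshed; keeping the dynamic source separate from the static ones is what lets the "Set Priorities" step be repeated without re-deriving the legal and business requirements.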


Operate
Use Cybersecurity Framework Profiles to distribute and organize labor

Subcats | Reqs | Priorities | Who | What | When | Where | How
1 | A, B | High |
2 | C, D, E, F | High |
3 | G, H, I, J | Low |
... | ... | ... |
98 | XX, YY, ZZ | Mod |
Profile Ecosystem

• TAXONOMY: National Institute of Standards and Technology provides the Cybersecurity Framework Core
• REQUIREMENTS: a Community or Organization provides Crosswalks and Mappings
• PRIORITIES: an Organization or Community produces the Cybersecurity Framework Profile

Subcat | Requirement | Priority
1 | Req A | High
2 | Req B | Mod
3 | Req C | Low
... | ... | ...
98 | Req ZZ | High
Using Profiles to Drive Incident Resourcing

Categories marked (X) as contributing to Respond and Recover resourcing:

• Identify: Asset Management (ID.AM), Risk Management Strategy (ID.RM)
• Protect: Access Control (PR.AC), Awareness and Training (PR.AT), Data Security (PR.DS), Information Protection Processes & Procedures (PR.IP), Protective Technology (PR.PT, marked under both Respond and Recover)
• Detect: Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM), Detection Processes (DE.DP)
• Respond: Response Planning (RS.RP), Communications (RS.CO), Analysis (RS.AN), Mitigation (RS.MI), Improvements (RS.IM)
• Recover: Recovery Planning (RC.RP), Improvements (RC.IM), Communications (RC.CO)

Not marked: Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Maintenance (PR.MA)
Key Attributes
• It’s a framework, not a prescription
• It provides a common language and systematic methodology for managing cyber risk
• It is meant to be adapted
• It does not tell a company how much cyber risk is tolerable, nor does it claim to provide “the one and only” formula for cybersecurity
• Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone

• The framework is a living document
• It is intended to be updated over time as stakeholders learn from implementation, and as technology and risks change
• That’s one reason why the framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time, principles will not
Where Should I Start?

(1) Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

(2a) Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk

(2b) Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Operate & Maintain

Framework Version 1.0, Section 3.2, Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The Framework can be adapted to support the different business lines or processes within an organization, which may have different business needs and associated risk tolerance.
Common Patterns of Use
• Integrate the Functions into Your Leadership Vocabulary and Management Tool Sets
• Determine Optimal Risk Management Using Implementation Tiers
• Measure Current Risk Management Using Implementation Tiers
• Reflect on Business Environment, Governance, and Risk Management Strategy Categories
• Develop a Profile of Cybersecurity Priorities, Leveraging (Sub)Sector Profiles When Available
Examples of Framework Industry Resources
• Italy’s National Framework for Cybersecurity
• Cybersecurity Guidance for Small Firms
• The Cybersecurity Framework in Action: An Intel Use Case
• Cybersecurity Risk Management and Best Practices Working Group 4: Final Report
• Energy Sector Cybersecurity Framework Implementation Guidance
Examples of U.S. State & Local Use

Texas, Department of Information Resources
• Aligned Agency Security Plans with Framework
• Aligned Product and Service Vendor Requirements with Framework

North Dakota, Information Technology Department
• Allocated Roles & Responsibilities using Framework
• Adopted the Framework into their Security Operation Strategy

Houston, Greater Houston Partnership
• Integrated Framework into their Cybersecurity Guide
• Offer On-Line Framework Self-Assessment

National Association of State CIOs
• 2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy

New Jersey
• Developed a cybersecurity framework that aligns controls and procedures with Framework
Framework Roadmap Items
• Authentication
• Automated Indicator Sharing
• Conformity Assessment
• Cybersecurity Workforce
• Data Analytics
• Federal Agency Cybersecurity Alignment
• International Aspects, Impacts, and Alignment
• Supply Chain Risk Management
• Technical Privacy Standards
Recent Framework Related Policy and Legislation

Maritime Transportation Security Act of 2002
• Originally authored with physical security in mind
• Recently clarified to apply to cybersecurity
• Coast Guard publishing Framework Profile to help industry adapt

Cybersecurity Enhancement Act of 2014
• Codified NIST’s on-going role facilitating Framework evolution
• Asked NIST to facilitate fewer redundancies in regulation

OMB Memorandum M-16-03 & 04
• M-16-03: FY 2015-16 Guidance on Federal Information Security and Privacy Management Requirements
• M-16-04: Cybersecurity Strategy and Implementation Plan

Circular A-130 Update
• Provides generalized guidance for use of pre-existing FISMA-based guidance like Risk Management Framework with Cybersecurity Framework
• NIST publishing guidance on using Risk Management Framework and Cybersecurity Framework together
National Initiative for Cybersecurity Education
• Early stages of collaboration to show the connection points between Cybersecurity Framework and National Initiative for Cybersecurity Education
• Anticipate use cases for
  • Organizing academic curriculum
  • Workforce roles and responsibilities
  • Professional certifications
Recent and Near-Term Framework Events

• Dec 11, 2015: RFI: Views on the Framework for Improving Critical Infrastructure Cybersecurity. Questions focused on: experiences, update, governance, and best practice sharing
• March 2016: RFI Analysis. Summary posted that includes analysis of topic trends in RFI responses and continued discussion topics for Workshop break-out sessions
• April 6-7, 2016, NIST Gaithersburg: Cybersecurity Framework Workshop 2016. Goal: Highlight examples of Framework use, gather feedback on timing and content of an update, governance, and best practice sharing
• May 2016: Workshop Summary. Publication on the topics that evoked the most consensus and dissonance at Cybersecurity Framework Workshop 2016
RFI Questions and Workshop Discussion Threads

Request for Information
11 December 2015 – 23 February 2016
https://www.federalregister.gov/articles/2015/12/11/2015-31217/views-on-the-framework-for-improving-critical-infrastructure-cybersecurity
RFI Responses: http://csrc.nist.gov/cyberframework/rfi_comments_02_09_16.html

• ways in which the Framework is being used to improve cybersecurity risk management,
• how best practices for using the Framework are being shared,
• the relative value of different parts of the Framework,
• the possible need for an update of the Framework, and
• options for long-term governance of the Framework.

Cybersecurity Framework Workshop 2016
6 & 7 April 2016
Registration: https://appam.certain.com/profile/form/index.cfm?PKformID=0x29774a453
More Info: http://www.nist.gov/cyberframework
Program Eras

Develop (from Feb 2013)
• Key Milestones: Five Workshops; Request for Information; Request for Comment; Publication
• NIST is: Adjudicating Stakeholder Input; Crafting Version 1.0
• Stakeholders are: Participating in the development process

Support (from Feb 2014)
• Key Milestones: Request for Information; Workshop; Speaking Events
• NIST is: Educating; Building a Knowledge Base and Resource Catalog
• Stakeholders are: Understanding and Piloting Framework; Sharing Work Products

Update (from Feb 2016)
• Key Milestones: Request for Information; Workshop; Request for Comment; Publication
• NIST is: Adjudicating Stakeholder Input; Crafting Version Next
• Stakeholders are: Expanding Framework Implementations; Participating in the Update Process
Resources
Where to Learn More and Stay Current

The National Institute of Standards and Technology Web site is available at http://www.nist.gov

NIST Computer Security Division Computer Security Resource Center is available at http://csrc.nist.gov/

The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework

For additional Framework info and help
[email protected]