Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: How do we Protect our Systems and Meet Compliance in a Rapidly Changing Environment
Presenter: Sean McCloskey, Program Manager, Cyber Security Evaluations Program, DHS
Description: With all the constant innovation in cyber, what is “cutting edge”? What constraints hinder innovation? How is technology being used to address the Executive Orders, comply with standards, and meet other mandates? What areas still need resources, ideas and innovation? Join us to hear advances in cyber security technology and ways to protect and monitor systems that will provide for resilient infrastructures and incorporate new solutions.
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?
1. Homeland Security, Office of Cybersecurity and Communications
CYBER RESILIENCE REVIEW: CAPABILITY MATURITY EVALUATION METHOD FOR CRITICAL INFRASTRUCTURE
Sean McCloskey, October 2014
Program Manager, Cybersecurity Evaluation Program
Office of Cybersecurity and Communications (CS&C)
U.S. Department of Homeland Security (DHS)
2. Overview
What is the Cyber Resilience Review (CRR)?
• A voluntary assessment
• A method that examines cybersecurity practices in critical infrastructure organizations
• Evaluates the operational resilience of a specific critical service
• Measures the execution of key practices and the institutionalization of processes
• Provides participants with a detailed report containing options for consideration
• Utilizes the goals and practices found in the CERT Resilience Management Model (CERT-RMM)
• Available in two versions:
- A self-assessment kit
- A facilitated workshop conducted in one day (typically 6–8 hours)
[Data gathered on-site is protected under the DHS PCII Program]
3. Cyber Resilience Value Proposition: What’s in It for Me?
Resilience management provides support to simplify the management of complex cybersecurity challenges.
Efficiency: not too much and not too little; resilience equilibrium
• balancing risk and cost
• getting the most bang for your buck
• achieving compliance as a by-product of resilience management
Roadmap: what to do to manage cybersecurity; flexibility and scalability
• using an overarching approach - which standard is best
• deciding what versus how to manage cybersecurity risk
Cybersecurity ecosystem: addressing the interconnectedness challenge
• managing dependencies
• addressing both internal and external organizational challenges and silos
4. CRR Data Analysis: Selected Highlights
Summary Findings (115 organizations, 43 states, 12 sectors)
Asset Management: More than 70% of organizations identify critical services; however, less than 50% of organizations assessed have identified the assets that support critical services.
Vulnerability Management: More than 55% of organizations have not developed a strategy to guide their vulnerability management efforts.
Incident Management: 65% of organizations lack a process to escalate and resolve incidents.
External Dependencies Management: More than 80% of the organizations assessed identify external dependencies that are vital to the delivery of critical services.
Risk Management: 70% of organizations do not have a documented risk management plan.
Situational Awareness: 86% of organizations do not have a plan for performing situational awareness activities.
5. Cyber Resilience Review and the Framework
Relationship between DHS’ Cyber Resilience Review and the NIST Cybersecurity Framework [CRR to NIST CSF crosswalk available]
Phases of the CRR approach:
• Identify Services: identify and prioritize services
• Create Asset Inventory: identify assets, align assets to services, and inventory assets
• Protect & Sustain Assets: establish risk management, resilience requirements, control objectives, and controls
• Disruption Management: establish continuity requirements for assets and develop service continuity plans
• Cyber Exercise: define objectives for cyber exercise, perform exercises, and evaluate results
Underlying all phases: Process Management and Improvement
6. What Is Cyber Resilience?
“… the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents…”
- Presidential Policy Directive 21 (PPD-21), February 12, 2013
Quadrant: Protect (Security) | Sustain (Continuity) | Perform (Capability) | Repeat (Maturity)
7. Operational Resilience Defined
Resilience: The physical property of a material when it can return to its original shape or position after deformation that does not exceed its elastic limit [wordnet.princeton.edu]
Operational resilience: The emergent property of an organization that can continue to carry out its mission after disruption that does not exceed its operational limit [CERT-RMM]
Where does the disruption come from? Realized risk.
8. Establishing a Critical Service Focus
[Figure: an Organization Mission supported by several Service Missions, each delivered by four asset types: people, information, technology, facilities]
9. Ten Domains of Cybersecurity Capability
CRR Domains
• AM: Asset Management
• CCM: Configuration and Change Management
• RM: Risk Management
• CTRL: Controls Management
• VM: Vulnerability Management
• IM: Incident Management
• SCM: Service Continuity Management
• EXD: External Dependencies Management
• TA: Training and Awareness
• SA: Situational Awareness
The ten domains in CRR v2 represent important areas that contribute to the cyber resilience of an organization. The domains focus on practices an organization should have in place to assure the protection and sustainment of its critical service.
10. Cyber Resilience Review by the Numbers
11. CRR Domain Architecture
[Diagram: Domain → Domain Goals → Domain Questions; MIL → Institutionalization Elements]
• Domain: focused activity
• Goals (required): what to do to achieve the capability
• Questions (expected): how to accomplish the goal
• MIL: institutionalization elements
12. Process Institutionalization in the CRR
Maturity indicator levels (MIL) are used in CRR v2 to measure process institutionalization.
Level 0-Incomplete: practices are incomplete
Level 1-Performed: practices are performed
Level 2-Planned
Level 3-Managed
Level 4-Measured
Level 5-Defined
At the higher levels, processes are acculturated, defined, measured, and governed.
Higher degrees of institutionalization translate to more stable processes that
• produce consistent results over time
• are retained during times of stress
13. CRR Self-Assessment Kit
Released in February 2014 to complement the launch of the NIST CSF.
The CRR Self-Assessment Kit allows organizations to conduct a review without outside facilitation. It contains the same questions, scoring, and reporting as the facilitated assessment.
The kit contains the following resources:
- Method Description and User Guide
- Complete CRR Question Set with Guidance
- Self-Assessment Package (automated toolset)
- CRR to NIST CSF Crosswalk
CRR Self-Assessment Kit website: http://www.us-cert.gov/ccubedvp/self-service-crr
14. Cyber Resilience Review – Self Assessment
Getting Started
• Review the CRR Method Description and User Guide
• Identify the scope of the CRR Self-Assessment
- Identify critical services to the organization and identify which parts of the organization deliver those services
- Choose a critical service that will be the focus of the self-assessment
- Determine which assets (people, information, technology, and facilities) are required for the delivery of the service
• Identify key participants in the self-assessment
- Managers and senior staff members responsible for the areas of operations and service being assessed (e.g., CIO, CISO, Director of IT, Director of Ops., etc.)
- Other stakeholders that can provide answers that best represent the organization’s capabilities in a given CRR domain (e.g., office managers, senior owners and operators, subject matter experts, policy writers, etc.)
- Typically 7–10 participants
15. Cyber Resilience Review: Self Assessment
Conduct CRR Self-Assessment
• Download and open the CRR Self-Assessment Package
• Introduction from sponsor/executive management, hand-off to facilitator
• Facilitator guides participants through the CRR
- Reviews CRR domains, methodology, agenda and the agreed upon assessment scope with the participants
- Directs questions to pre-identified participants and confirms with others
- Encourages and maintains dialogue throughout the CRR
- Manages time, breaks and the overall flow of the CRR
16. Cyber Resilience Review: Self Assessment
Generate and Review Report
• Complete the CRR self-assessment and generate a CRR report
- Click the “Generate Report” button at the bottom of page 37
- Optionally, print and save as PDF
• Distribute the CRR report to key personnel and interpret the results
• Identify gaps, prioritize and implement plans for improvement
17. DHS PCII Program
• The information provided by the organization during the CRR is afforded protections under the DHS Protected Critical Infrastructure Information (PCII) Program
• What does this mean for you?
- DHS cannot publicly disclose PCII; it is protected from:
  - The Freedom of Information Act (FOIA)
  - State and local disclosure laws
  - Use in civil litigation
- DHS employees (and its contractors) who access PCII must be certified as PCII Authorized Users
- DHS employees (and its contractors) may only access PCII in accordance with strict safeguarding and handling requirements
- PCII cannot be used for regulatory purposes
• More information: http://www.dhs.gov/pcii
19. PROGRAM OVERVIEW
Welcome to the community.
20. “Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.”
- The White House, Executive Order 13636
21. SOLUTION PROPOSED BY EO 13636
o NIST to develop a Cybersecurity Framework
o A voluntary program for critical infrastructure cybersecurity to promote use of the Framework
o A whole of community approach to risk management, security and resilience
o Joint action by all levels of government and the owners and operators of critical infrastructure
22. ROLE OF THE CRITICAL INFRASTRUCTURE CYBER COMMUNITY VOLUNTARY PROGRAM
The C3 Voluntary Program is the coordination point within the Federal Government for members of the critical infrastructure community interested in improving their cyber resilience.
23. Administration Policies
Critical Infrastructure: Ranging from emergency services and transportation systems to small and medium sized businesses, the U.S. critical infrastructure provides the essential services that underpin American society.
Cybersecurity Framework: EO 13636 highlights the need for improved cybersecurity among critical infrastructure. PPD-21 calls for efforts to strengthen the physical and cyber security and resilience of our Nation’s critical infrastructure. One of the major components of the EO is the development of the Framework by NIST to help critical infrastructure sectors and organizations reduce and manage their cyber risk as part of their approach to enterprise risk management.
OUR ROLE
• Framework implementation guidance
• Focal point for resources and tools
• Relationship management
• Feedback collection
24. GOALS
o Support increasing critical infrastructure cyber resilience
o Increase awareness and use of the Framework
o Encourage organizations to manage cybersecurity as part of an all hazards approach to enterprise risk management
25. There are three key activities the program is supporting, which we emphasize as the Three C’s:
CONVERGING
o Converging critical infrastructure community resources to support cybersecurity risk management and resilience through use of the Framework;
CONNECTING
o Connecting critical infrastructure stakeholders to the national resilience effort through cybersecurity resilience advocacy, engagement and awareness; and
COORDINATING
o Coordinating critical infrastructure cross sector efforts to maximize national cybersecurity resilience.
26. CONVERGING RESOURCES
• C3 Voluntary Program website offers an overview of the program, downloadable tools, and outreach materials
• Links to the US-CERT C3 Voluntary Program gateway
• Existing programs/resources have been aligned with the Framework Core Function Areas (Identify, Protect, Detect, Respond, Recover)
- Broken out by stakeholder type
- Demonstrates offerings to support the Framework’s principles
• As they become available, cross sector, private sector, S/L resources will be referenced
27. CONVERGING RESOURCES, cont.
• DHS will support use of the Cybersecurity Framework primarily through the Cyber Resilience Review (CRR).
- No-cost, voluntary, non-technical assessment to evaluate an organization’s information technology resilience.
- The CRR may be conducted as a self-assessment or in-person.
- To date, DHS has conducted more than 330 CRRs at the request of critical infrastructure entities nationwide.
- The inherent principles and recommended practices within the CRR align closely with the central tenets of the Cybersecurity Framework.
- Analyzes current practices and how they compare to the principles of the Cybersecurity Framework.
28. CONNECTING STAKEHOLDERS
Government-to-Business
▶ Engage each of the sectors through the CIPAC Framework to establish sector-specific approaches and guidance, utilizing established partnership mechanisms, models, and approaches
▶ Work directly with organizations interested in receiving information about the Framework, resources, and initiatives
Business-to-Business
▶ Encourage organizations to develop use cases or to work with their industry peers and business partners to promote the Framework
Government-to-Government
▶ Federal – Work with Federal departments and agencies to understand use of the Framework
▶ SLTT outreach – Work with state and local governments to promote government use of the Framework and to reach businesses in their localities
29. NEXT STEPS
• Get engaged
• The C3 Voluntary Program will be supporting engagement during the coming year
• The program will visit sector by sector events, potentially regional events/workshops utilizing our CSAs, and will potentially look into RFIs for broad public engagement
• Visit us at www.dhs.gov/ccubedvp, or www.us-cert.gov/ccubedvp
• Check out the website, download and use the messaging kit, and reach out to the different programs for support
• Try out the CRR and reach out to CSEP if you have questions on the methodology or need assistance
• Contact us at CCubedVP@hq.dhs.gov
• Contact the C3 Voluntary Program to send feedback or for any questions about what resources DHS is offering or how to engage different programs
Suggest that participants start thinking about how they will use the model
Speaker:
This graphic depicts the approach presented during the workshop that organizations can use to build cyber resilience. The phases reflect a service based approach that focuses on assets that support the service. The Process Management and Improvement phase is an underlying phase that focuses on defining and maturing processes that are used to achieve cyber resilience.
You must consider the operational risks to your organization
People’s actions
Systems and technology failures
Failures of internal processes
External events
A framework is needed to put all these factors into a useable form
Must enable measurement
Should improve confidence in organization’s ability to respond to the risks
Key terms:
Survivability: The capability of a system to fulfill its mission in a timely manner, even in the presence of attacks or failures (including large scale natural disasters)
Disruption Tolerance: allows an organization to more realistically assess its operational risks and make strategic decisions for continuation of operations in the face of natural or man-made challenges / the ability for selected functions to continue to operate even when the supporting infrastructure is not operating at an optimum level
The quadrant at the bottom of the slide shows
“Protect” which requires controls (or security measures) to be in place to protect assets important in the delivery of a service
“Sustain” requires that plans be made to enable an organization to continue service delivery during times of significant disruption.
“Perform” requires that the organization have the capabilities to perform the tasks required for protection and sustainment.
“Repeat” means the organization has in place the infrastructure and processes that enable people to successfully respond to issues in an organized and repeatable manner.
We use the definition from the physical world.
An emergent property.
What happens if I pull the slinky too far?
It won’t return to its original shape.
Resilience isn’t something that you do; it emerges from other collaborative and holistic activities.
The CRR takes a “service-oriented” approach. One of the foundational principles of its design is the idea that an organization deploys its assets to support specific operational missions, or services. These services are often aligned with the descriptions of critical infrastructure sectors in order to identify how a given organization’s operations connect to national security interests. For example, the IT Sector self-identified six sector functions within its Sector Specific Plan:
IT products and services;
Incident management capabilities;
Domain name resolution services;
Identity management and associated trust services;
Internet-based content, information and communications services; and
Internet routing, access and connection services.
These broad categories of activities of sector members are used as guideposts to identify operations within a participant site that may be of national interest. Organizations are left to determine whether or not the analyzed service is representative of their overall operations.
The service orientation is useful because it enables the identification of the important assets that underpin its delivery. An organization deploys at least four types of assets to deliver its services: people, information, technology, and facilities. The CRR addresses the management of all four of these asset types.
http://www.dhs.gov/xlibrary/assets/IT_SSP_5_21_07.pdf
9.7 SPs per PA
3.6 SGs per PA
2.7 SPs per SG
This is the 30K ft. view and a diagram of how the components fit together.
We’ll walk through each of these concepts in more detail.
In February 2013, the President signed Executive Order (EO) 13636 on Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience.
In recognition of the growing cyber threat, the EO called for the National Institute of Standards and Technology (NIST) to create a Cybersecurity Framework to increase cyber resilience for critical infrastructure, and for the Department of Homeland Security to create a voluntary program to support use of this Framework
Together, the EO and PPD drive action toward a “whole of community” approach to risk management, security, and resilience, calling for joint efforts from all levels of government and the private sector
In response to this requirement, the Department has created the Critical Infrastructure Cyber Community Voluntary Program (or C-Cubed Voluntary Program for short).
The C3 Voluntary Program is the coordination point within the Federal Government for members of the critical infrastructure community interested in improving their cyber resilience.
The program has been created as a mechanism to support greater coordination within the Department, across government, and with the private sector to support improving critical infrastructure cyber resilience.
The C-Cubed Voluntary Program has 3 goals:
First - Support increasing cyber resilience of critical infrastructure
Second - Increase awareness and use of the NIST Cybersecurity Framework;
And Third - Encourage organizations to manage cybersecurity as part of an all hazards approach to enterprise risk management
There are three key activities the program is supporting, which we emphasize as the Three C’s:
Converging critical infrastructure community resources to support cybersecurity risk management and resilience through use of the Framework;
Connecting critical infrastructure stakeholders to the national resilience effort through advocacy, engagement, and awareness; and
Coordinating critical infrastructure cross sector efforts to maximize cybersecurity resilience
- It’s important to note that this is just the beginning, and that a key part of the Department’s execution will be to receive feedback on the program activities and support for continuous improvement and effective customer service.
The Department is consolidating all of its available resources to reinforce cyber resilience at the C-Cubed Voluntary Program site at US-CERT.gov. These resources have been aligned with the NIST Cybersecurity Framework’s core functions:
The NIST core functions are five categories for cybersecurity activities (including Identify, Protect, Detect, Respond, and Recover)
Resources have been broken out by stakeholder type (including Federal Government, State and local, and private sector)
This alignment demonstrates what the Department can offer to support the Framework’s principles to reinforce cybersecurity risk management and resilience
The goal is for the US-CERT.gov site to be expanded to include cross sector, private sector, and State and local resources as they become available
The Department is offering the Cyber Resilience Review for technical assistance with the Cybersecurity Framework and support for organizations interested in increasing cyber resilience.
The Cyber Resilience Review can be used as a self-assessment and downloaded from the C-Cubed Voluntary Program website, or supported by direct engagement with the Department’s Cybersecurity Evaluations Program as requested
The Cybersecurity Evaluations Program has supported over three hundred of these assessments to date
The Cyber Resilience Review helps organizations understand where they are in terms of the Framework
The Cyber Resilience Review is a no-cost assessment, not focused on organization size or type. It is not sector or technology focused.
Through the C-Cubed Voluntary Program US-CERT.gov website, you can access additional self-service options. We are offering outreach and communications materials, which are customizable (examples include a sample blog post, newsletter language, leadership message, and FAQs).
The Department has enhanced its customer service for critical infrastructure cyber resilience by creating the C-Cubed website, updating the Cyber Resilience Review to both map to and reinforce the NIST Cybersecurity Framework, and releasing a suite of self-service options to support increased involvement in critical infrastructure cybersecurity and resilience. Even so, the C-Cubed Voluntary Program is just at “version 1.0”; additional services will be supported and enhancements made over time as feedback is provided.
The Department is connecting stakeholders to the national resilience effort through broad engagement across all levels of government and with the private sector.
Working to support Federal and State and local engagement to reinforce the Framework
Engaging key stakeholders from the business community to support “Business to Business” (B2B) awareness and mentoring opportunities, and industry drivers for using the Framework
Working sector by sector to develop strategies for Framework use, focusing on increased awareness of cyber threats, and approaches to cybersecurity risk management that reinforce Framework principles
How to get involved:
Check out the DHS.gov and US-CERT.gov websites on the C-Cubed Voluntary Program and reach out to the different programs listed on the website for support
The Department is looking into supporting events in the coming year, and there is potential for broader engagement with the public through mechanisms like RFIs
Keep your eye out for announcements and updates the Department will be making for the Program.
Check out the Cyber Resilience Review if you have not already, reach out to the Cybersecurity Evaluations Program if you have questions on the methodology or need assistance
Contact the C-Cubed Voluntary Program for any questions about what’s being offered and how to engage different programs or resources
Again, here is our web page, and please feel free to use our hashtag when engaging on your social media channels.