Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

Homeland
Security
Office of Cybersecurity and Communications
1
CYBER RESILIENCE REVIEW:
CAPABILITY MATURITY EVALUATION METHOD FOR CRITICAL
INFRASTRUCTURE
Sean McCloskey October 2014
Program Manager, Cybersecurity Evaluation Program
Office of Cybersecurity and Communications (CS&C)
U.S. Department of Homeland Security (DHS)

Homeland
Security
2
Overview
What is the Cyber Resilience Review (CRR)?
• A voluntary assessment
• A method that examines cybersecurity practices in critical infrastructure
organizations
• Evaluates the operational resilience of a specific critical service
• Measures the execution of key practices and the institutionalization of
processes
• Provides participants with a detailed report containing options for
consideration
• Utilizes the goals and practices found in the CERT Resilience
Management Model (CERT-RMM)
• Available in two versions:
- A self-assessment kit
- A facilitated workshop conducted in one day (typically 6–8 hours)
[data gathered on-site is protected under the DHS PCII] Program]

Cyber Resilience Value Proposition: What’s in It for Me?
Homeland
Security
3
Resilience management provides support to simplify the management of
complex cybersecurity challenges.
Efficiency: not too much and not too little; resilience equilibrium
• balancing risk and cost
• getting the most bang for your buck
• achieving compliance as a by-product of resilience management
Roadmap: what to do to manage cybersecurity; flexibility and scalability
• using an overarching approach - which standard is best
• deciding what versus how to manage cybersecurity risk
Cybersecurity ecosystem: addressing the interconnectedness challenge
• managing dependencies
• addressing both internal and external organizational challenges and silos

Homeland
Security
4
CRR Data Analysis: Selected Highlights
Summary Findings (115 organizations, 43 states, 12 sectors)
Asset Management: More than 70% of organizations identify critical services; however,
less than 50% of organizations assessed have identified the assets that support critical
services.
Vulnerability Management: More than 55% of organizations have not developed a
strategy to guide their vulnerability management efforts.
Incident Management: 65% of organizations lack a process to escalate and resolve
incidents.
External Dependencies Management: More than 80% of the organizations assessed
identify external dependencies that are vital to the delivery of critical services.
Risk Management: 70% of organizations do not have a documented risk management
plan.
Situational Awareness: 86% of organizations do not have a plan for performing situational
awareness activities.

Homeland
Security
5
Cyber Resilience Review and the Framework
Relationship between DHS’ Cyber Resilience Review and the NIST Cybersecurity
Framework [CRR to NIST CSF crosswalk available]
Identify
Services
Create Asset
Inventory
Protect
& Sustain
Assets
Disruption
Management
Cyber
Exercise
Identify and
prioritize
services
Identify assets,
align assets to
services, and
inventory assets
Establish risk
management,
resilience
requirements,
control objectives,
and controls
Establish
continuity
requirements
for assets
and develop
service
continuity
plans
Define objectives
for cyber exercise,
perform
exercises, and
evaluate results
Process Management and Improvement

Homeland
Security
6
What Is Cyber Resilience?
“… the ability to prepare for and adapt to changing
conditions and withstand and recover rapidly from
disruptions. Resilience includes the ability to
withstand and recover from deliberate attacks,
accidents, or naturally occurring threats or
incidents…”
- Presidential Policy Directive – PPD 21
February 12, 2013
Protect (Security) Sustain (Continuity)
Perform (Capability) Repeat (Maturity)

Homeland
Security
7
Operational Resilience Defined
Resilience: The physical property of
a material when it can return to its
original shape or position after
deformation that does not exceed
its elastic limit [wordnet.princeton.edu]
Operational resilience: The emergent
property of an organization that can
continue to carry out its mission after
disruption that does not exceed its
operational limit [CERT-RMM]
Where does the disruption come from? Realized risk.

Homeland
Security
Organization
Mission
8
Establishing a Critical Service Focus
Service
Mission
Service
Mission
people information technology facilities
Service
Mission

Homeland
Security
9
Ten Domains of Cybersecurity Capability
CRR Domains
AM Asset Management
CCM
Configuration and Change
Management
RM Risk Management
CTRL Controls Management
VM Vulnerability Management
IM Incident Management
SCM Service Continuity Management
EXD
External Dependencies
Management
TA Training and Awareness
SA Situational Awareness
The ten domains in CRR v2
represent important areas
that contribute to the cyber
resilience of an
organization.
The domains focus on
practices an organization
should have in place to
assure the protection and
sustainment of its critical
service.

Homeland
Security
10
Cyber Resilience Review by the Numbers

Homeland
Security
MIL Goals
Questions
11
CRR Domain Architecture
Focused Activity
Required
What to do to achieve
the capability
Expected
How to accomplish
the goal
Domain
Domain
Goals
Domain
Questions
MIL
Institutionalization
Elements

Process Institutionalization in the CRR
Maturity indictor levels (MIL) are used in CRR v2 to measure process institutionalization
Processes are
acculturated,
defined,
measured,
and
governed
Homeland
Security
12
Practices are
performed
Practices are
incomplete
Higher degrees of
institutionalization
translate to more
stable processes
that
• produce
consistent results
over time
• are retained
during times of
stress
Level 5-Defined
Level 4-Measured
Level 3-Managed
Level 2-Planned
Level 1-Performed
Level 0-Incomplete

Homeland
Security
13
CRR Self-Assessment Kit
Released in February 2014 to complement the
launch of the NIST CSF
The CRR Self-Assessment Kit allows organizations to
conduct a review without outside facilitation.
Contains the same questions, scoring, and reporting
as the facilitated assessment.
The kit contains the following resources:
 Method Description and User Guide
 Complete CRR Question Set with Guidance
 Self-Assessment Package (automated toolset)
 CRR to NIST CSF Crosswalk
CRR Self-Assessment Kit website:
http://www.us-cert.gov/ccubedvp/self-service-crr

Homeland
Security
14
Cyber Resilience Review – Self Assessment
Getting Started
• Review the CRR Method Description and User Guide
• Identify the scope of the CRR Self-Assessment
 Identify critical services to the organization and identify which
parts of the organization deliver those services
 Choose a critical service that will be the focus of the self-assessment
 Determine which assets (people, information, technology, and
facilities) are required for the delivery of the service
• Identify key participants in the self-assessment
 Managers and senior staff-members responsible for the areas of
operations and service being assessed (i.e., CIO, CISO, Director of IT,
Director of Ops., etc)
 Other stakeholders that can provide answers that best represent
the organization’s capabilities in a given CRR domain (i.e., office
managers, senior owners and operators, subject matter experts,
policy writers, etc.)
 typically 7-10 participants
1

Homeland
Security
15
Cyber Resilience Review: Self Assessment
Conduct CRR Self-Assessment
• Download and open the CRR Self-Assessment
Package
• Introduction from sponsor/ executive
management, hand-off to facilitator
• Facilitator guides participants through the
CRR
 Reviews CRR domains, methodology,
agenda and the agreed upon
assessment scope with the participants
 Directs questions to pre-identified
participants and confirms with others
 Encourages and maintains dialogue
throughout the CRR
 Manages time, breaks and the overall
flow of the CRR
1

Homeland
Security
16
Generate and Review Report
• Complete the CRR self-assessment
and generate a CRR
report
 Click the “Generate
Report” button at the
bottom of page 37
 Optionally, can print and
save as PDF
• Distribute the CRR report to
key personnel and interpret the
results
• Identify gaps, prioritize and
implement plans for
improvement
1
Cyber Resilience Review: Self Assessment

Homeland
Security
17
DHS PCII Program
• The information provided by the organization during the CRR is afforded protections
under the DHS Protected Critical Infrastructure Information (PCII) Program
• What does this mean for you?
• DHS cannot publicly disclose PCII, it is protected from:
• The Freedom of Information Act (FOIA)
• State and local disclosure laws
• Use in civil litigation
• DHS employees (and its contractors) who access PCII must be certified as PCII
Authorized Users
• DHS employees (and its contractors) may only access PCII in accordance with strict
safeguarding and handling requirements
• PCII cannot be used for regulatory purposes
• More information: http://www.dhs.gov/pcii

Homeland
Security
18
Questions?

P R O G R A M O V E R V I E W
Welcome to the community.

“Repeated cyber intrusions into critical
infrastructure demonstrate the need for
improved cybersecurity.”
- The White House, Executive Order 13636

SOLUTION PROPOSED BY EO 13636
o NIST to develop a Cybersecurity Framework
o A voluntary program for critical infrastructure
cybersecurity to promote use of the Framework
o A whole of community approach to risk management,
security and resilience.
o Joint action by all levels of government and the owners
and operators of critical infrastructure

The C3 Voluntary Program is the
coordination point within the Federal
Government for members of the
critical infrastructure community
interested in improving their cyber
resilience.
R O L E O F T H E C R I T I C A L
I N F R A S T R U C T U R E C Y B E R
C O M M U N I T Y V O L U N T A R Y
P R O G R A M

Administration Policies
Critical Infrastructure
• Framework
implementation guidance
• Focal point for resources
Cybersecurity Framework
EO 13636 highlights the need
for improved cybersecurity
among critical infrastructure.
PPD-21 calls for efforts to
strengthen the physical and
cyber security and resilience
of our Nation’s critical
infrastructure.
Ranging from emergency services and
transportation systems to small and
medium sized businesses, the U.S. critical
infrastructure provides the essential
services that underpin American society.
One of the major components of
the EO is the development of the
Framework by NIST to help critical
infrastructure sectors and
organizations reduce and
manage their cyber risk as part of
their approach to enterprise risk
management.
and tools
• Relationship management
• Feedback collection
OUR ROLE

GOALS
o Support increasing critical infrastructure cyber resilience
o Increase awareness and use of the Framework
o Encourage organizations to manage cybersecurity as part
of an all hazards approach to enterprise risk management

There are three key activities the program is
supporting, which we emphasize as the Three C’s:
CONVERGING
o Converging critical infrastructure community resources to
COC NO VN EVR E GR GIN I NG G
support cybersecurity risk management and resilience
through use of the Framework;
C O N N E C T I N G
o Connecting critical infrastructure stakeholders to the
national resilience effort through cybersecurity resilience
advocacy, engagement and awareness; and
C O O R D I N A T I N G
o Coordinating critical infrastructure cross sector efforts to
maximize national cybersecurity resilience.

CONVERGING RESOURCES
• C3 Voluntary Program website offers an overview of the
program, downloadable tools, and outreach materials
• Links to the US-CERT C3 Voluntary Program gateway
• Existing programs/resources have been aligned with the Framework
Core Function Areas (Identify, Protect, Detect, Respond, Recover)
• Broken out by stakeholder type
• Demonstrates offerings to support the Framework’s principles
• As they become available, cross sector, private sector, S/L
resources will be referenced

CONVERGING RESOURCES, cont.
• DHS will support use of the Cybersecurity Framework
primarily through the Cyber Resiliency Review (CRR).
• No-cost, voluntary, non-technical assessment to evaluate an
organization’s information technology resilience.
• The CRR may be conducted as a self-assessment or in-person.
• To date, DHS has conducted more than 330 CRRs at the request of
critical infrastructure entities nationwide.
• The inherent principles and recommended practices within the CRR
align closely with the central tenets of the Cybersecurity Framework.
• Analyzes current practices and how they compare to the
principles of the Cybersecurity Framework.

CONNECTING STAKEHOLDERS
Government-to-Business
▶ Engage each of the sectors
through the CIPAC Framework
to establish sector-specific
approaches and guidance,
utilizing established partnership
mechanisms, models, and
approaches
▶ Work directly with organizations
interested in receiving
information about the
Framework, resources, and
initiatives
Business-to-Business
▶ Encourage organizations to
develop use cases or to work
with their industry peers and
business partners to promote
the Framework (the
Framework)
Government-to-Government
▶ Federal – Work with Federal
departments and agencies to
understand use of the
Framework
▶ SLTT outreach – Work with state
and local governments to
promote government use of
the Framework and to reach
businesses in their localities

NEXT STEPS
•Get engaged
•The C3 Voluntary Program will be supporting engagement during the coming
year
•The program will visit sector by sector events, potentially regional
events/workshops utilizing our CSAs, and will potentially look into RFIs for broad
public engagement
•Visit us at www.dhs.gov/ccubedvp, or www.us-cert.
gov/ccubedvp
•Check out the website, download and use the messaging kit, and reach out
to the different programs for support
•Try out the CRR and reach out to CSEP if you have questions on the
methodology or need assistance
•Contact us at CCubedVP@hq.dhs.gov
•Contact the C3 Voluntary Program to send feedback or for
any questions about what resources DHS is offering or how
to engage different programs

Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

Similar to Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage? (20)

More from Government Technology and Services Coalition

More from Government Technology and Services Coalition (20)

Recently uploaded

Recently uploaded (20)

Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

Editor's Notes