Proposed Updates to the Framework for Improving Critical Infrastructure Cybersecurity (Draft Version 1.1)
March 2017
cyberframework@nist.gov
Charter for Continued Development and Evolution
The Cybersecurity Enhancement Act of 2014 (enacted 18 December 2014) amends the National Institute of Standards and Technology Act to direct NIST to:
“…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure”
Input to the Proposed Framework Update
Draft Cybersecurity Framework Version 1.1
The update was based on feedback from the cybersecurity community, including:
• December 2015 request for information (RFI)
• April 2016 Cybersecurity Framework workshop
• Lessons learned from Framework use
• Shared resources from industry partners
• Advances made in areas identified in the Roadmap issued with the Framework in February 2014
Compatibility
• Draft Version 1.1 of the Cybersecurity Framework seeks to clarify, refine, and enhance the Framework
• Industry feedback through workshops and RFIs has made it clear that change should be minimal and that the Framework must remain compatible with v1.0
• Changes to existing elements: 0. Deletions: 0. Fully backwards compatible: every v1.0 Function, Category, and Subcategory identifier is retained
• Additions, including new categories and subcategories, do not invalidate existing v1.0 work products
Proposed Core Updates

Component               v1.0   v1.1   Comments
Functions                 5      5    No modification
Categories               22     23    Added a new category, ID.SC (Supply Chain); expanded PR.AC to include identity management, authentication, and identity proofing
Subcategories            98    106    Added 5 subcategories in ID.SC, 1 in PR.DS, 1 in PR.AC, and 1 in PR.PT (8 new in total); clarified language in 7 others
Informative References    5      5    No modification
Major Themes from Inputs
Several major themes were identified and considered during the update, including:
• Strengthening authentication and identity management in the Framework Core
• Guidance for acquisition and supply chain risk management (SCRM)
• Methodology for measurement and generating metrics
• Clarity on Implementation Tiers and their relationship to Profiles
Communicating Cybersecurity Requirements with Stakeholders
A primary objective of cyber SCRM is to identify, assess, and mitigate the risk from products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain. The activities involved include:
• Determining cybersecurity requirements for suppliers and information technology (IT) and operational technology (OT) partners
• Enacting cybersecurity requirements through formal agreements (e.g. contracts)
• Communicating to suppliers and partners how those cybersecurity requirements will be verified and validated
• Verifying that cybersecurity requirements are met through a variety of assessment methodologies
• Governing and managing the above activities
Cyber SCRM Taxonomy
• Cyber SCRM in the Framework complements NIST SP 800-161
• The slide's graphic (not reproduced here) shows a taxonomy of supply chain entities
• Cyber SCRM encompasses IT and OT suppliers and buyers as well as partners outside IT and OT
• Stakeholders should be identified and factored into the protective, detective, response, and recovery capabilities
Cyber SCRM Additions to the Core
(Slide content not captured in this extraction.)
Cyber SCRM in Framework Implementation Tiers
New text added to each Tier:
Tier 1 (Partial): An organization may not understand the full implications of cyber supply chain risks or have the processes in place to identify, assess and mitigate its cyber supply chain risks.
Tier 2 (Risk Informed): The organization understands the cyber supply chain risks associated with the products and services that either support the business/mission functions of the organization or are utilized in the organization’s products or services. The organization has not formalized its capabilities to manage cyber supply chain risks internally or with its suppliers and partners and performs these activities inconsistently.
Tier 3 (Repeatable): An organization-wide approach to managing cyber supply chain risks is enacted via enterprise risk management policies, processes and procedures. This likely includes a governance structure (e.g. a Risk Council) that manages cyber supply chain risks in balance with other enterprise risks. Policies, processes, and procedures are implemented consistently, as intended, and continuously monitored and reviewed. Personnel possess the knowledge and skills to perform their appointed cyber supply chain risk management responsibilities. The organization has formal agreements in place to communicate baseline requirements to its suppliers and partners.
Tier 4 (Adaptive): The organization can quickly and efficiently account for emerging cyber supply chain risks using real-time or near real-time information and leveraging an institutionalized knowledge of cyber supply chain risk management with its external suppliers and partners as well as internally, in related functional areas and at all levels of the organization. The organization communicates proactively and uses formal (e.g. agreements) and informal mechanisms to develop and maintain strong relationships with its suppliers, partners, and individual and organizational buyers.
Implementation Tiers and Profiles
• Additional language added on the use of Framework Tiers, to include prioritization within the Target Profile and to inform progress in addressing Profile gaps
• Language added to reflect integration of Framework considerations within organizational risk management programs
• Tiers have been expanded to include cyber SCRM considerations
• Figure 2.0 updated to include actions from the Framework Tiers
Tiers Included in the Framework 7-Step Process
• Step 1: Prioritize and Scope
  ○ Implementation Tiers may be used to express varying risk tolerances
• Step 2: Orient
• Step 3: Create a Current Profile
• Step 4: Conduct a Risk Assessment
• Step 5: Create a Target Profile
  ○ When used in conjunction with an Implementation Tier, characteristics of the Tier level should be reflected in the desired cybersecurity outcomes
• Step 6: Determine, Analyze, and Prioritize Gaps
• Step 7: Implement Action Plan
Integrated Risk Management in Implementation Tiers
New text added to each Tier:
Tier 1 (Partial): No modification
Tier 2 (Risk Informed): Consideration of cybersecurity in mission/business objectives may occur at some levels of the organization, but not at all levels. Cyber risk assessment of organizational assets is not typically repeatable or recurring.
Tier 3 (Repeatable): The organization consistently and accurately monitors cybersecurity risk of organizational assets. Senior cybersecurity and non-cybersecurity executives communicate regularly regarding cybersecurity risk. Senior executives ensure consideration of cybersecurity through all lines of operation in the organization.
Tier 4 (Adaptive): The relationship between cybersecurity risk and mission/business objectives is clearly understood and considered when making decisions. Senior executives monitor cybersecurity risk in the same context as financial risk and other organizational risks. The organizational budget is based on an understanding of the current and predicted risk environment and future risk appetites. Business units implement executive vision and analyze system-level risks in the context of the organizational risk appetite and tolerances. Cybersecurity risk is clearly articulated and understood across all strata of the enterprise. The organization can quickly and efficiently account for changes to business/mission objectives and threat and technology landscapes in how risk is communicated and approached.
Identity Management
• Language of the Access Control category refined to better account for authentication, authorization, and identity proofing
• Subcategory on identity proofing (PR.AC-6) added to the Access Control category
• Access Control category renamed to “Identity Management, Authentication, and Access Control” (PR.AC) to better represent the scope of the Category and its Subcategories
Cybersecurity Measurement
Sections 4.0 and 4.1
• Correlation between business results and cybersecurity risk management outcomes
• Metrics versus measures
• Leading versus lagging
Section 4.2
• Types of cybersecurity measurement
• Framework measurement provides a basis for strong, trusted relationships, both inside and outside of an organization
(Diagram, not reproduced here; labels recovered from the slide: Behaviors / Outcomes; Higher-Level: Implementation Tiers; Core; Lower-Level: Process, Informative References; “Metrics” / “Measures”; “Practices” / “Process”; “Management” / “Technical”.)
Feedback Appreciated!
• 90-day public comment period ends April 10, 2017
• Spring 2017 workshop scheduled for May 16th and 17th to encourage additional feedback on Framework draft Version 1.1 and on v1.0 experience, including:
  ○ Use cases
  ○ Best practice sharing
  ○ The Framework’s further development
Resources: Where to Learn More and Stay Current
Framework for Improving Critical Infrastructure Cybersecurity and related news and information: www.nist.gov/cyberframework
Additional cybersecurity resources: http://csrc.nist.gov/
Questions, comments, ideas: cyberframework@nist.gov
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developer
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 

framework_update_report-yer20170301.pptx

Major Themes from Inputs
Draft Cybersecurity Framework Version 1.1
6
Several major themes were identified and considered during the update, which included:
• Strengthening authentication & identity management in the Framework Core
• Guidance for acquisition and supply chain risk management (SCRM)
• Methodology for measurement and generating metrics
• Clarity on Implementation Tiers and their relationship to Profiles
Communicating Cybersecurity Requirements with Stakeholders
7
A primary objective of cyber SCRM is to identify, assess, and mitigate products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain
• Determining cybersecurity requirements for suppliers and information technology (IT) and operational technology (OT) partners
• Enacting cybersecurity requirements through formal agreement (e.g. contracts)
• Communicating to suppliers and partners how those cybersecurity requirements will be verified and validated
• Verifying cybersecurity requirements are met through a variety of assessment methodologies
• Governing and managing the above activities
Cyber SCRM Taxonomy
Draft Cybersecurity Framework Version 1.1
8
• Cyber SCRM in the Framework complements SP 800-161
• Graphic represents taxonomy of supply chain entities
• Cyber SCRM encompasses IT and OT suppliers and buyers as well as non-IT and OT partners
• Stakeholders should be identified and factored into the protective, detective, response, and recovery capabilities
Cyber SCRM Additions to the Core
Draft Cybersecurity Framework Version 1.1
9
Cyber SCRM in Framework Implementation Tiers
Draft Cybersecurity Framework Version 1.1
10
Tier New Text
1 An organization may not understand the full implications of cyber supply chain risks or have the processes in place to identify, assess and mitigate its cyber supply chain risks.
2 The organization understands the cyber supply chain risks associated with the products and services that either support the business mission function of the organization or that are utilized in the organization’s products or services. The organization has not formalized its capabilities to manage cyber supply chain risks internally or with its suppliers and partners and performs these activities inconsistently.
3 An organization-wide approach to managing cyber supply chain risks is enacted via enterprise risk management policies, processes and procedures. This likely includes a governance structure (e.g. Risk Council) that manages cyber supply chain risks in balance with other enterprise risks. Policies, processes, and procedures are implemented consistently, as intended, and continuously monitored and reviewed. Personnel possess the knowledge and skills to perform their appointed cyber supply chain risk management responsibilities. The organization has formal agreements in place to communicate baseline requirements to its suppliers and partners.
4 The organization can quickly and efficiently account for emerging cyber supply chain risks using real-time or near real-time information and leveraging an institutionalized knowledge of cyber supply chain risk management with its external suppliers and partners as well as internally, in related functional areas and at all levels of the organization. The organization communicates proactively and uses formal (e.g. agreements) and informal mechanisms to develop and maintain strong relationships with its suppliers, partners, and individual and organizational buyers.
Implementation Tiers and Profiles
Draft Cybersecurity Framework Version 1.1
11
• Additional language added on use of Framework Tiers to include prioritization within target Profile and to inform progress in addressing Profile gaps
• Language added to reflect integration of Framework considerations within organizational risk management programs
• Tiers have been expanded to include cyber SCRM considerations
• Figure 2.0 updated to include actions from the Framework Tiers
Tiers Included in the Framework 7-Step Process
Draft Cybersecurity Framework Version 1.1
12
• Step 1: Prioritize and Scope
  ○ Implementation Tiers may be used to express varying risk tolerances
• Step 2: Orient
• Step 3: Create a Current Profile
• Step 4: Conduct a Risk Assessment
• Step 5: Create a Target Profile
  ○ When used in conjunction with an Implementation Tier, characteristics of the Tier level should be reflected in the desired cybersecurity outcomes
• Step 6: Determine, Analyze, and Prioritize Gaps
• Step 7: Implementation Action Plan
Integrated Risk Management in Implementation Tiers
Draft Cybersecurity Framework Version 1.1
13
Tier New Text
1 No Modification
2 Consideration of cybersecurity in mission/business objectives may occur at some levels of the organization, but not at all levels. Cyber risk assessment of organizational assets is not typically repeatable or reoccurring.
3 The organization consistently and accurately monitors cybersecurity risk of organizational assets. Senior cybersecurity and non-cybersecurity executives communicate regularly regarding cybersecurity risk. Senior executives ensure consideration of cybersecurity through all lines of operation in the organization.
4 The relationship between cybersecurity risk and mission/business objectives is clearly understood and considered when making decisions. Senior executives monitor cybersecurity risk in the same context as financial risk and other organizational risks. The organizational budget is based on understanding of current and predicted risk environment and future risk appetites. Business units implement executive vision and analyze system level risks in the context of the organizational risk appetite and tolerances. Cybersecurity risk is clearly articulated and understood across all strata of the enterprise. The organization can quickly and efficiently account for changes to business/mission objectives and threat and technology landscapes in how risk is communicated and approached.
Identity Management
Draft Cybersecurity Framework Version 1.1
14
• Language of the Access Control category refined to better account for authentication, authorization, and identity proofing
• Subcategory on identity proofing (PR.AC-6) added to the Access Control category
• Access Control category renamed to “Identity Management, Authentication, and Access Control” (PR.AC) to better represent Category and Subcategories scope
Cybersecurity Measurement
Draft Cybersecurity Framework Version 1.1
15
Sections 4.0 and 4.1
• Correlation between business results and cybersecurity risk management outcomes
• Metrics versus measures
• Leading versus lagging
Section 4.2
• Types of Cybersecurity Measurement
• Framework measurement provides a basis for strong, trusted relationships, both inside and outside of an organization
[Figure: types of cybersecurity measurement. Higher-level (Implementation Tiers, Core): behaviors and outcomes labelled “Metrics”, “Practices”, “Management”. Lower-level (Process, Informative References): behaviors and outcomes labelled “Measures”, “Process”, “Technical”.]
Feedback Appreciated!
Draft Cybersecurity Framework Version 1.1
• 90-day public comment period ends April 10, 2017
• Spring 2017 workshop scheduled for May 16th and 17th to encourage additional feedback on Framework draft Version 1.1 and on V1.0 experience, including:
  ○ Use cases
  ○ Best Practice sharing
  ○ The Framework’s further development
18
Resources
Where to Learn More and Stay Current
Framework for Improving Critical Infrastructure Cybersecurity and related news, information: www.nist.gov/cyberframework
Additional cybersecurity resources: http://csrc.nist.gov/
Questions, comments, ideas: cyberframework@nist.gov
19