SlideShare a Scribd company logo

NIST Cybersecurity Framework 101

Erick Kish, U.S. Commercial Service
Erick Kish, U.S. Commercial Service

Presentation for March 2017 webcast by NIST. www.nist.gov/cyberframework Webcast video: https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events This presentation introduces the audience to the Framework for Improving Critical Infrastructure Cybersecurity (“The Framework”). It provides a brief history about why and how the Framework was developed, and an understanding of each of the three primary Framework components (the Core, Implementation Tiers, and Profiles). It covers potential benefits of Framework, and how the Framework can be used. It highlights industry resources, progress in Roadmap areas, and future direction of the Framework program.

Technology
1 of 28
Download to read offline
Framework for Improving Critical Infrastructure Cybersecurity March 2017 cyberframework@nist.gov
Improving Critical Infrastructure Cybersecurity “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties” Executive Order 13636 February 12, 2013 2
The Cybersecurity Framework... •  Includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. •  Provides a prioritized, flexible, repeatable, performance- based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. •  Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations. •  Is consistent with voluntary international standards. 3
4 Development of the Framework Engage Stakeholders Collect, Categorize, Post RFI Responses Analyze RFI Responses Identify Framework Elements Prepare and Publish Framework EO 13636 Issued – Feb 12, 2013 RFI Issued – Feb 2013 1st Workshop – April 2013 Completed – April 2013 2nd Workshop – May 2013 Draft Outline of Framework – June 2013 3rd Workshop – July 2013 4th Workshop – Sept 2013 5th Workshop – Nov 2013 Published – Feb 12, 2014 Ongoing Engagement: Open public comment/ review encouraged throughout the process… and to this day
The Framework Is for Organizations… 5 •  Of any size, in any sector in (and outside of) the critical infrastructure. •  That already have a mature cyber risk management and cybersecurity program. •  That don’t yet have a cyber risk management or cybersecurity program. •  Needing to keep up-to-date managing risks, facing business or societal threats. •  In the federal government, too…since it is compatible with FISMA requirements and goals.
Continued Improvement of Critical Infrastructure Cybersecurity Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say: “…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure” Cybersecurity Enhancement Act of 2014 (P.L. 113-274) 18 December 2014 6
Cybersecurity Framework Components Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics Aligns industry standards and best practices to the Framework Core in a particular implementation scenario Supports prioritization and measurement while factoring in business needs Cybersecurity activities and informative references, organized around particular outcomes Enables communication of cyber risk across an organization Framework Core Framework Implementation Tiers Framework Profile 7
Key Properties of Cyber Risk Management 8 Risk Management Process Integrated Risk Management Program External Par6cipa6on
Implementation Tiers 9 1 2 3 4 Par6al Risk Informed Repeatable Adap6ve Risk Management Process The func)onality and repeatability of cybersecurity risk management Integrated Risk Management Program The extent to which cybersecurity is considered in broader risk management decisions External Par6cipa6on The degree to which the organiza)on benefits my sharing or receiving informa)on from outside par)es 9
Core Cybersecurity Framework Component 10 Senior Execu6ves Implementa6on/ Opera6ons •  Broad enterprise considera)ons •  Abstracted risk vocabulary •  Deep technical considera)ons •  Highly specialized vocabulary Specialists in Other Fields •  Specific focus outside of cybersecurity •  Specialized or no risk vocabulary
Core Cybersecurity Framework Component Func6on Category ID What processes and assets need protec6on? Iden6fy Asset Management ID.AM Business Environment ID.BE Governance ID.GV Risk Assessment ID.RA Risk Management Strategy ID.RM What safeguards are available? Protect Access Control PR.AC Awareness and Training PR.AT Data Security PR.DS Informa)on Protec)on Processes & Procedures PR.IP Maintenance PR.MA Protec)ve Technology PR.PT What techniques can iden6fy incidents? Detect Anomalies and Events DE.AE Security Con)nuous Monitoring DE.CM Detec)on Processes DE.DP What techniques can contain impacts of incidents? Respond Response Planning RS.RP Communica)ons RS.CO Analysis RS.AN Mi)ga)on RS.MI Improvements RS.IM What techniques can restore capabili6es? Recover Recovery Planning RC.RP Improvements RC.IM Communica)ons RC.CO 11
Core Cybersecurity Framework Component 12 Func6on Category ID Iden6fy Asset Management ID.AM Business Environment ID.BE Governance ID.GV Risk Assessment ID.RA Risk Management Strategy ID.RM Protect Access Control PR.AC Awareness and Training PR.AT Data Security PR.DS Informa)on Protec)on Processes & Procedures PR.IP Maintenance PR.MA Protec)ve Technology PR.PT Detect Anomalies and Events DE.AE Security Con)nuous Monitoring DE.CM Detec)on Processes DE.DP Respond Response Planning RS.RP Communica)ons RS.CO Analysis RS.AN Mi)ga)on RS.MI Improvements RS.IM Recover Recovery Planning RC.RP Improvements RC.IM Communica)ons RC.CO Subcategory Informative References ID.BE-1: The organiza)on’s role in the supply chain is iden)fied and communicated COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05 ISO/IEC 27001:2013 A.15.1.3, A. 15.2.1, A.15.2.2 NIST SP 800-53 Rev. 4 CP-2, SA-12 ID.BE-2: The organiza)on’s place in cri)cal infrastructure and its industry sector is iden)fied and communicated COBIT 5 APO02.06, APO03.01 NIST SP 800-53 Rev. 4 PM-8 ID.BE-3: Priori)es for organiza)onal mission, objec)ves, and ac)vi)es are established and communicated COBIT 5 APO02.01, APO02.06, APO03.01 ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6 NIST SP 800-53 Rev. 4 PM-11, SA-14 ID.BE-4: Dependencies and cri)cal func)ons for delivery of cri)cal services are established ISO/IEC 27001:2013 A.11.2.2, A. 11.2.3, A.12.1.3 NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14 ID.BE-5: Resilience requirements to support delivery of cri)cal services are established COBIT 5 DSS04.02 ISO/IEC 27001:2013 A.11.1.4, A. 17.1.1, A.17.1.2, A.17.2.1 NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14 12
Profile Cybersecurity Framework Component 13 Iden)fy Protect Detect Respond Recover Ways to think about a Profile: •  A customiza)on of the Core for a given sector, subsector, or organiza)on. •  A fusion of business/mission logic and cybersecurity outcomes. •  An alignment of cybersecurity requirements with opera)onal methodologies. •  A basis for assessment and expressing target state. •  A decision support tool for cybersecurity risk management.
Supporting Risk Management with Framework 14
Framework 7-Step Process •  Step 1: Prioritize and Scope •  Step 2: Orient •  Step 3: Create a Current Profile •  Step 4: Conduct a Risk Assessment •  Step 5: Create a Target Profile •  Step 6: Determine, Analyze, and Prioritize Gaps •  Step 7: Implementation Action Plan 15
Building a Profile A Profile Can be Created in Three Steps 16 Subcategory 1 2 3 … 98 Mission Objective A B C Cybersecurity Requirements Legisla)on Regula)on Internal & External Policy Best Prac)ce Opera6ng Methodologies Guidance and methodology on implemen)ng, managing, and monitoring 1 2 3
Conceptual Profile Value Proposition 17 Cybersecurity Requirements Subcategory Priority Operating Methodologies A 1 moderate I II B C 2 high III D E 3 moderate IV V F … … VI VII G 98 moderate VIII 1 2 3 When you organize yourself in this way: •  Compliance repor)ng becomes a byproduct of running your security opera)on •  Adding new security requirements is straighborward •  Adding or changing opera)onal methodology is non- intrusive to on-going opera)on
Resource and Budget Decision Making What Can You Do with a CSF Profile? 18 Sub- category Priority Gaps Budget Year 1 Activities Year 2 Activities 1 moderate small $$$ X 2 high large $$ X 3 moderate medium $ X … … … … 98 moderate none $$ reassess As-Is Year 1 To-Be Year 2 To-Be …and supports on-going opera)onal decisions, too
Profile Ecosystem 19 NIST TAXONOMY 1 2 3 ... 98 1 Req A 2 Req B 3 Req C ... ... 98 Req ZZ 1 Req A High 2 Req B Mod 3 Req C Low ... ... ... 98 Req ZZ High REQUIREMENTS PRIORITIES Community Organiza=on or Community Cybersecurity Framework Core Cybersecurity Framework Profile Crosswalks Mappings
Key Attributes It’s a framework, not a prescriptive standard •  Provides a common language and systematic methodology for managing cyber risk. •  Is meant to be adapted. •  Does not tell an organization how much cyber risk is tolerable, nor provide “the one and only” formula for cybersecurity. •  Enable best practices to become standard practices for everyone via common lexicon to enable action across diverse stakeholders. It’s voluntary It’s a living document •  It is intended to be updated as stakeholders learn from implementation, and as technology and risks change…more later. •  That’s one reason why the Framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time—principles will not. 20
Common Patterns of Use •  Integrate the functions into your leadership vocabulary and management tool sets. •  Determine optimal risk management using Implementation Tiers. •  Measure current risk management using Implementation Tiers. •  Reflect on business environment, governance, and risk management strategy categories. •  Develop a Profile of cybersecurity priorities, leveraging (Sub)Sector Profiles when available. 21
Work in Progress: Framework Roadmap Authentication Automated Indicator Sharing Conformity Assessment Cybersecurity Workforce Data Analytics Federal Agency Cybersecurity Alignment International Aspects, Impacts, and Alignment Supply Chain Risk Management Technical Privacy Standards 22
Examples of Framework Industry Resources www.nist.gov/cyberframework/industry-resources The Cybersecurity Framework in Action: An Intel Use Case Energy Sector Cybersecurity Framework Implementation Guidance American Water Works Association’s Process Control System Security Guidance for the Water Sector Cybersecurity Risk Management and Best Prac)ces Working Group 4: Final Report 23 Italy’s National Framework for Cybersecurity
Examples of State & Local Use 24 Texas, Department of Information Resources •  Aligned Agency Security Plans with Framework •  Aligned Product and Service Vendor Requirements with Framework Houston, Greater Houston Partnership •  Integrated Framework into their Cybersecurity Guide •  Offer On-Line Framework Self-Assessment North Dakota, Information Technology Department •  Allocated Roles & Responsibilities using Framework •  Adopted the Framework into their Security Operation Strategy National Association of State CIOs •  2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy New Jersey •  Developed a cybersecurity framework that aligns controls and procedures with Framework
NIST Baldrige Excellence Builders Baldrige Cybersecurity Excellence Builder Manufacturing Service Small Business Education Healthcare Non-profit Cybersecurity (2017) 25 •  Self-assessment criteria with basis in Cybersecurity Framework •  Complements NIST Baldrige Program’s performance excellence successes. •  April 2-5, 2017 - 29th Annual Quest for Excellence Conference •  Pre-conference workshop that focuses on cybersecurity will be held on April 2nd - visit: https://www.nist.gov/baldrige/qe
Utilizing CSF Informative References to create tailored language for the manufacturing sector •  NIST SP 800-53 •  NIST SP 800-82 •  ISA / IEC 62443 26 www.)ger-global.co.uk NIST Manufacturing Profile NIST Discrete Manufacturing Cybersecurity Framework Profile
•  NCCoE and United States Coast Guard (USCG) worked together to draft a USCG Maritime Profile, based on the Cybersecurity Framework •  Aligns the USCG’s cyber strategy with cybersecurity activities of the maritime bulk liquid transport operations of the oil & natural gas industry, utilizing standards and best practices guided by the Framework •  The profile can help individual companies clarify how cybersecurity fits into their mission priorities and how best to allocate resources to secure their information and operational systems. 27 USCG Maritime Bulk Liquids Transfer (BLT) Framework Profile The profile is available at: hjps://www.uscg.mil/hq/cg5/cg544/docs/Mari)me_BLT_CSF.pdf
Framework for Improving Critical Infrastructure Cybersecurity and related news, information: www.nist.gov/cyberframework Additional cybersecurity resources: http://csrc.nist.gov/ Questions, comments, ideas: cyberframework@nist.gov Resources Where to Learn More and Stay Current

Recommended

NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterTuan Phan
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
How to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationHow to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationExigent Technologies LLC
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 

Recommended

NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterTuan Phan
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
How to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationHow to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationExigent Technologies LLC
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Donald E. Hester
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Denise Tawwab
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
Security operation center
Security operation centerSecurity operation center
Security operation centerMuthuKumaran267
 
Cyber security maturity model- IT/ITES
Cyber security maturity model- IT/ITES Cyber security maturity model- IT/ITES
Cyber security maturity model- IT/ITES Priyanka Aash
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptxSandeshUprety4
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Yokogawa1
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesSlideTeam
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) Priyanka Aash
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSJohn Gilligan
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkTuan Phan
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...Edureka!
 
cybersecurity_framework_webinar_2017.pptx
cybersecurity_framework_webinar_2017.pptxcybersecurity_framework_webinar_2017.pptx
cybersecurity_framework_webinar_2017.pptxMuhammadAbdullah311866
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Manuel Guillen
 

More Related Content

What's hot

Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Donald E. Hester
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Denise Tawwab
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
Security operation center
Security operation centerSecurity operation center
Security operation centerMuthuKumaran267
 
Cyber security maturity model- IT/ITES
Cyber security maturity model- IT/ITES Cyber security maturity model- IT/ITES
Cyber security maturity model- IT/ITES Priyanka Aash
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Yokogawa1
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesSlideTeam
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) Priyanka Aash
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSJohn Gilligan
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkTuan Phan
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...Edureka!
 

What's hot (20)

Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Security operation center
Security operation centerSecurity operation center
Security operation center
 
Cyber security maturity model- IT/ITES
Cyber security maturity model- IT/ITES Cyber security maturity model- IT/ITES
Cyber security maturity model- IT/ITES
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation Slides
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHS
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
 

Similar to NIST Cybersecurity Framework 101

cybersecurity_framework_webinar_2017.pptx
cybersecurity_framework_webinar_2017.pptxcybersecurity_framework_webinar_2017.pptx
cybersecurity_framework_webinar_2017.pptxMuhammadAbdullah311866
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Manuel Guillen
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoNist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoTuan Phan
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkWilliam McBorrough
 
Implementing a Security Management Framework
Implementing a Security Management FrameworkImplementing a Security Management Framework
Implementing a Security Management FrameworkJoseph Wynn
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'aFahmi Albaheth
 
framework_update_report-yer20170301.pptx
framework_update_report-yer20170301.pptxframework_update_report-yer20170301.pptx
framework_update_report-yer20170301.pptxMuhammadAbdullah311866
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
EUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPEUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPScott Baron
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service PresentationWilliam McBorrough
 
New Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsNew Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsSkoda Minotti
 
MCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationMCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationWilliam McBorrough
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurAlan Yau Ti Dun
 
Building Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & MetricsBuilding Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & MetricsRob Arnold
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Goutama Bachtiar
 
OEB Cyber Security Framework
OEB Cyber Security FrameworkOEB Cyber Security Framework
OEB Cyber Security FrameworkNorbi Hegedus
 

Similar to NIST Cybersecurity Framework 101 (20)

cybersecurity_framework_webinar_2017.pptx
cybersecurity_framework_webinar_2017.pptxcybersecurity_framework_webinar_2017.pptx
cybersecurity_framework_webinar_2017.pptx
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quanticoNist cybersecurity framework isc2 quantico
Nist cybersecurity framework isc2 quantico
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity Framework
 
Implementing a Security Management Framework
Implementing a Security Management FrameworkImplementing a Security Management Framework
Implementing a Security Management Framework
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'a
 
framework_update_report-yer20170301.pptx
framework_update_report-yer20170301.pptxframework_update_report-yer20170301.pptx
framework_update_report-yer20170301.pptx
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity Overview
 
EUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPEUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIP
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service Presentation
 
New Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsNew Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law Requirements
 
MCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationMCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service Presentation
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
 
Building Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & MetricsBuilding Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & Metrics
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
 
OEB Cyber Security Framework
OEB Cyber Security FrameworkOEB Cyber Security Framework
OEB Cyber Security Framework
 
IASA ey deck presentation
IASA ey deck presentationIASA ey deck presentation
IASA ey deck presentation
 
Mandelaris_SecureWorld_2016_FINAL
Mandelaris_SecureWorld_2016_FINALMandelaris_SecureWorld_2016_FINAL
Mandelaris_SecureWorld_2016_FINAL
 
ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochureISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
 

Recently uploaded

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Recently uploaded (20)

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

NIST Cybersecurity Framework 101

  • 1. Framework for Improving Critical Infrastructure Cybersecurity March 2017 cyberframework@nist.gov
  • 2. Improving Critical Infrastructure Cybersecurity “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties” Executive Order 13636 February 12, 2013 2
  • 3. The Cybersecurity Framework... •  Includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. •  Provides a prioritized, flexible, repeatable, performance- based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. •  Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations. •  Is consistent with voluntary international standards. 3
  • 4. 4 Development of the Framework Engage Stakeholders Collect, Categorize, Post RFI Responses Analyze RFI Responses Identify Framework Elements Prepare and Publish Framework EO 13636 Issued – Feb 12, 2013 RFI Issued – Feb 2013 1st Workshop – April 2013 Completed – April 2013 2nd Workshop – May 2013 Draft Outline of Framework – June 2013 3rd Workshop – July 2013 4th Workshop – Sept 2013 5th Workshop – Nov 2013 Published – Feb 12, 2014 Ongoing Engagement: Open public comment/ review encouraged throughout the process… and to this day
  • 5. The Framework Is for Organizations… 5 •  Of any size, in any sector in (and outside of) the critical infrastructure. •  That already have a mature cyber risk management and cybersecurity program. •  That don’t yet have a cyber risk management or cybersecurity program. •  Needing to keep up-to-date managing risks, facing business or societal threats. •  In the federal government, too…since it is compatible with FISMA requirements and goals.
  • 6. Continued Improvement of Critical Infrastructure Cybersecurity Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say: “…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure” Cybersecurity Enhancement Act of 2014 (P.L. 113-274) 18 December 2014 6
  • 7. Cybersecurity Framework Components Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics Aligns industry standards and best practices to the Framework Core in a particular implementation scenario Supports prioritization and measurement while factoring in business needs Cybersecurity activities and informative references, organized around particular outcomes Enables communication of cyber risk across an organization Framework Core Framework Implementation Tiers Framework Profile 7
  • 8. Key Properties of Cyber Risk Management 8 Risk Management Process Integrated Risk Management Program External Par6cipa6on
  • 9. Implementation Tiers 9 1 2 3 4 Par6al Risk Informed Repeatable Adap6ve Risk Management Process The func)onality and repeatability of cybersecurity risk management Integrated Risk Management Program The extent to which cybersecurity is considered in broader risk management decisions External Par6cipa6on The degree to which the organiza)on benefits my sharing or receiving informa)on from outside par)es 9
  • 10. Core Cybersecurity Framework Component 10 Senior Execu6ves Implementa6on/ Opera6ons •  Broad enterprise considera)ons •  Abstracted risk vocabulary •  Deep technical considera)ons •  Highly specialized vocabulary Specialists in Other Fields •  Specific focus outside of cybersecurity •  Specialized or no risk vocabulary
  • 11. Core Cybersecurity Framework Component Func6on Category ID What processes and assets need protec6on? Iden6fy Asset Management ID.AM Business Environment ID.BE Governance ID.GV Risk Assessment ID.RA Risk Management Strategy ID.RM What safeguards are available? Protect Access Control PR.AC Awareness and Training PR.AT Data Security PR.DS Informa)on Protec)on Processes & Procedures PR.IP Maintenance PR.MA Protec)ve Technology PR.PT What techniques can iden6fy incidents? Detect Anomalies and Events DE.AE Security Con)nuous Monitoring DE.CM Detec)on Processes DE.DP What techniques can contain impacts of incidents? Respond Response Planning RS.RP Communica)ons RS.CO Analysis RS.AN Mi)ga)on RS.MI Improvements RS.IM What techniques can restore capabili6es? Recover Recovery Planning RC.RP Improvements RC.IM Communica)ons RC.CO 11
  • 12. Core Cybersecurity Framework Component 12 Func6on Category ID Iden6fy Asset Management ID.AM Business Environment ID.BE Governance ID.GV Risk Assessment ID.RA Risk Management Strategy ID.RM Protect Access Control PR.AC Awareness and Training PR.AT Data Security PR.DS Informa)on Protec)on Processes & Procedures PR.IP Maintenance PR.MA Protec)ve Technology PR.PT Detect Anomalies and Events DE.AE Security Con)nuous Monitoring DE.CM Detec)on Processes DE.DP Respond Response Planning RS.RP Communica)ons RS.CO Analysis RS.AN Mi)ga)on RS.MI Improvements RS.IM Recover Recovery Planning RC.RP Improvements RC.IM Communica)ons RC.CO Subcategory Informative References ID.BE-1: The organiza)on’s role in the supply chain is iden)fied and communicated COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05 ISO/IEC 27001:2013 A.15.1.3, A. 15.2.1, A.15.2.2 NIST SP 800-53 Rev. 4 CP-2, SA-12 ID.BE-2: The organiza)on’s place in cri)cal infrastructure and its industry sector is iden)fied and communicated COBIT 5 APO02.06, APO03.01 NIST SP 800-53 Rev. 4 PM-8 ID.BE-3: Priori)es for organiza)onal mission, objec)ves, and ac)vi)es are established and communicated COBIT 5 APO02.01, APO02.06, APO03.01 ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6 NIST SP 800-53 Rev. 4 PM-11, SA-14 ID.BE-4: Dependencies and cri)cal func)ons for delivery of cri)cal services are established ISO/IEC 27001:2013 A.11.2.2, A. 11.2.3, A.12.1.3 NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14 ID.BE-5: Resilience requirements to support delivery of cri)cal services are established COBIT 5 DSS04.02 ISO/IEC 27001:2013 A.11.1.4, A. 17.1.1, A.17.1.2, A.17.2.1 NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14 12
  • 13. Profile Cybersecurity Framework Component 13 Iden)fy Protect Detect Respond Recover Ways to think about a Profile: •  A customiza)on of the Core for a given sector, subsector, or organiza)on. •  A fusion of business/mission logic and cybersecurity outcomes. •  An alignment of cybersecurity requirements with opera)onal methodologies. •  A basis for assessment and expressing target state. •  A decision support tool for cybersecurity risk management.
  • 14. Supporting Risk Management with Framework 14
  • 15. Framework 7-Step Process •  Step 1: Prioritize and Scope •  Step 2: Orient •  Step 3: Create a Current Profile •  Step 4: Conduct a Risk Assessment •  Step 5: Create a Target Profile •  Step 6: Determine, Analyze, and Prioritize Gaps •  Step 7: Implementation Action Plan 15
  • 16. Building a Profile A Profile Can be Created in Three Steps 16 Subcategory 1 2 3 … 98 Mission Objective A B C Cybersecurity Requirements Legisla)on Regula)on Internal & External Policy Best Prac)ce Opera6ng Methodologies Guidance and methodology on implemen)ng, managing, and monitoring 1 2 3
  • 17. Conceptual Profile Value Proposition 17 Cybersecurity Requirements Subcategory Priority Operating Methodologies A 1 moderate I II B C 2 high III D E 3 moderate IV V F … … VI VII G 98 moderate VIII 1 2 3 When you organize yourself in this way: •  Compliance repor)ng becomes a byproduct of running your security opera)on •  Adding new security requirements is straighborward •  Adding or changing opera)onal methodology is non- intrusive to on-going opera)on
  • 18. Resource and Budget Decision Making What Can You Do with a CSF Profile? 18 Sub- category Priority Gaps Budget Year 1 Activities Year 2 Activities 1 moderate small $$$ X 2 high large $$ X 3 moderate medium $ X … … … … 98 moderate none $$ reassess As-Is Year 1 To-Be Year 2 To-Be …and supports on-going opera)onal decisions, too
  • 19. Profile Ecosystem 19 NIST TAXONOMY 1 2 3 ... 98 1 Req A 2 Req B 3 Req C ... ... 98 Req ZZ 1 Req A High 2 Req B Mod 3 Req C Low ... ... ... 98 Req ZZ High REQUIREMENTS PRIORITIES Community Organiza=on or Community Cybersecurity Framework Core Cybersecurity Framework Profile Crosswalks Mappings
  • 20. Key Attributes It’s a framework, not a prescriptive standard •  Provides a common language and systematic methodology for managing cyber risk. •  Is meant to be adapted. •  Does not tell an organization how much cyber risk is tolerable, nor provide “the one and only” formula for cybersecurity. •  Enable best practices to become standard practices for everyone via common lexicon to enable action across diverse stakeholders. It’s voluntary It’s a living document •  It is intended to be updated as stakeholders learn from implementation, and as technology and risks change…more later. •  That’s one reason why the Framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time—principles will not. 20
  • 21. Common Patterns of Use •  Integrate the functions into your leadership vocabulary and management tool sets. •  Determine optimal risk management using Implementation Tiers. •  Measure current risk management using Implementation Tiers. •  Reflect on business environment, governance, and risk management strategy categories. •  Develop a Profile of cybersecurity priorities, leveraging (Sub)Sector Profiles when available. 21
  • 22. Work in Progress: Framework Roadmap Authentication Automated Indicator Sharing Conformity Assessment Cybersecurity Workforce Data Analytics Federal Agency Cybersecurity Alignment International Aspects, Impacts, and Alignment Supply Chain Risk Management Technical Privacy Standards 22
  • 23. Examples of Framework Industry Resources www.nist.gov/cyberframework/industry-resources The Cybersecurity Framework in Action: An Intel Use Case Energy Sector Cybersecurity Framework Implementation Guidance American Water Works Association’s Process Control System Security Guidance for the Water Sector Cybersecurity Risk Management and Best Prac)ces Working Group 4: Final Report 23 Italy’s National Framework for Cybersecurity
  • 24. Examples of State & Local Use 24 Texas, Department of Information Resources •  Aligned Agency Security Plans with Framework •  Aligned Product and Service Vendor Requirements with Framework Houston, Greater Houston Partnership •  Integrated Framework into their Cybersecurity Guide •  Offer On-Line Framework Self-Assessment North Dakota, Information Technology Department •  Allocated Roles & Responsibilities using Framework •  Adopted the Framework into their Security Operation Strategy National Association of State CIOs •  2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy New Jersey •  Developed a cybersecurity framework that aligns controls and procedures with Framework
  • 25. NIST Baldrige Excellence Builders Baldrige Cybersecurity Excellence Builder Manufacturing Service Small Business Education Healthcare Non-profit Cybersecurity (2017) 25 •  Self-assessment criteria with basis in Cybersecurity Framework •  Complements NIST Baldrige Program’s performance excellence successes. •  April 2-5, 2017 - 29th Annual Quest for Excellence Conference •  Pre-conference workshop that focuses on cybersecurity will be held on April 2nd - visit: https://www.nist.gov/baldrige/qe
  • 26. Utilizing CSF Informative References to create tailored language for the manufacturing sector •  NIST SP 800-53 •  NIST SP 800-82 •  ISA / IEC 62443 26 www.)ger-global.co.uk NIST Manufacturing Profile NIST Discrete Manufacturing Cybersecurity Framework Profile
  • 27. •  NCCoE and United States Coast Guard (USCG) worked together to draft a USCG Maritime Profile, based on the Cybersecurity Framework •  Aligns the USCG’s cyber strategy with cybersecurity activities of the maritime bulk liquid transport operations of the oil & natural gas industry, utilizing standards and best practices guided by the Framework •  The profile can help individual companies clarify how cybersecurity fits into their mission priorities and how best to allocate resources to secure their information and operational systems. 27 USCG Maritime Bulk Liquids Transfer (BLT) Framework Profile The profile is available at: hjps://www.uscg.mil/hq/cg5/cg544/docs/Mari)me_BLT_CSF.pdf
  • 28. Framework for Improving Critical Infrastructure Cybersecurity and related news, information: www.nist.gov/cyberframework Additional cybersecurity resources: http://csrc.nist.gov/ Questions, comments, ideas: cyberframework@nist.gov Resources Where to Learn More and Stay Current