Erick Kish, U.S. Commercial Service, profile picture
Uploaded byErick Kish, U.S. Commercial Service
PDF, PPTX6,737 views

NIST Cybersecurity Framework 101

The document outlines the framework for enhancing cybersecurity within the nation's critical infrastructure, emphasizing a flexible and cost-effective approach to identify and manage cyber risks. It includes standards and methodologies that align business and technological strategies, applicable to organizations of all sizes and sectors. The framework is continuously improved and encourages ongoing stakeholder engagement while being consistent with international standards and legal requirements.

Embed presentation

Download as PDF, PPTX
Framework for Improving Critical Infrastructure Cybersecurity March 2017 cyberframework@nist.gov
Improving Critical Infrastructure Cybersecurity “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties” Executive Order 13636 February 12, 2013 2
The Cybersecurity Framework... •  Includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. •  Provides a prioritized, flexible, repeatable, performance- based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. •  Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations. •  Is consistent with voluntary international standards. 3
4 Development of the Framework Engage Stakeholders Collect, Categorize, Post RFI Responses Analyze RFI Responses Identify Framework Elements Prepare and Publish Framework EO 13636 Issued – Feb 12, 2013 RFI Issued – Feb 2013 1st Workshop – April 2013 Completed – April 2013 2nd Workshop – May 2013 Draft Outline of Framework – June 2013 3rd Workshop – July 2013 4th Workshop – Sept 2013 5th Workshop – Nov 2013 Published – Feb 12, 2014 Ongoing Engagement: Open public comment/ review encouraged throughout the process… and to this day
The Framework Is for Organizations… 5 •  Of any size, in any sector in (and outside of) the critical infrastructure. •  That already have a mature cyber risk management and cybersecurity program. •  That don’t yet have a cyber risk management or cybersecurity program. •  Needing to keep up-to-date managing risks, facing business or societal threats. •  In the federal government, too…since it is compatible with FISMA requirements and goals.
Continued Improvement of Critical Infrastructure Cybersecurity Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say: “…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure” Cybersecurity Enhancement Act of 2014 (P.L. 113-274) 18 December 2014 6
Cybersecurity Framework Components Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics Aligns industry standards and best practices to the Framework Core in a particular implementation scenario Supports prioritization and measurement while factoring in business needs Cybersecurity activities and informative references, organized around particular outcomes Enables communication of cyber risk across an organization Framework Core Framework Implementation Tiers Framework Profile 7
Key Properties of Cyber Risk Management 8 Risk Management Process Integrated Risk Management Program External Par6cipa6on
Implementation Tiers 9 1 2 3 4 Par6al Risk Informed Repeatable Adap6ve Risk Management Process The func)onality and repeatability of cybersecurity risk management Integrated Risk Management Program The extent to which cybersecurity is considered in broader risk management decisions External Par6cipa6on The degree to which the organiza)on benefits my sharing or receiving informa)on from outside par)es 9
Core Cybersecurity Framework Component 10 Senior Execu6ves Implementa6on/ Opera6ons •  Broad enterprise considera)ons •  Abstracted risk vocabulary •  Deep technical considera)ons •  Highly specialized vocabulary Specialists in Other Fields •  Specific focus outside of cybersecurity •  Specialized or no risk vocabulary
Core Cybersecurity Framework Component Func6on Category ID What processes and assets need protec6on? Iden6fy Asset Management ID.AM Business Environment ID.BE Governance ID.GV Risk Assessment ID.RA Risk Management Strategy ID.RM What safeguards are available? Protect Access Control PR.AC Awareness and Training PR.AT Data Security PR.DS Informa)on Protec)on Processes & Procedures PR.IP Maintenance PR.MA Protec)ve Technology PR.PT What techniques can iden6fy incidents? Detect Anomalies and Events DE.AE Security Con)nuous Monitoring DE.CM Detec)on Processes DE.DP What techniques can contain impacts of incidents? Respond Response Planning RS.RP Communica)ons RS.CO Analysis RS.AN Mi)ga)on RS.MI Improvements RS.IM What techniques can restore capabili6es? Recover Recovery Planning RC.RP Improvements RC.IM Communica)ons RC.CO 11
Core Cybersecurity Framework Component 12 Func6on Category ID Iden6fy Asset Management ID.AM Business Environment ID.BE Governance ID.GV Risk Assessment ID.RA Risk Management Strategy ID.RM Protect Access Control PR.AC Awareness and Training PR.AT Data Security PR.DS Informa)on Protec)on Processes & Procedures PR.IP Maintenance PR.MA Protec)ve Technology PR.PT Detect Anomalies and Events DE.AE Security Con)nuous Monitoring DE.CM Detec)on Processes DE.DP Respond Response Planning RS.RP Communica)ons RS.CO Analysis RS.AN Mi)ga)on RS.MI Improvements RS.IM Recover Recovery Planning RC.RP Improvements RC.IM Communica)ons RC.CO Subcategory Informative References ID.BE-1: The organiza)on’s role in the supply chain is iden)fied and communicated COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05 ISO/IEC 27001:2013 A.15.1.3, A. 15.2.1, A.15.2.2 NIST SP 800-53 Rev. 4 CP-2, SA-12 ID.BE-2: The organiza)on’s place in cri)cal infrastructure and its industry sector is iden)fied and communicated COBIT 5 APO02.06, APO03.01 NIST SP 800-53 Rev. 4 PM-8 ID.BE-3: Priori)es for organiza)onal mission, objec)ves, and ac)vi)es are established and communicated COBIT 5 APO02.01, APO02.06, APO03.01 ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6 NIST SP 800-53 Rev. 4 PM-11, SA-14 ID.BE-4: Dependencies and cri)cal func)ons for delivery of cri)cal services are established ISO/IEC 27001:2013 A.11.2.2, A. 11.2.3, A.12.1.3 NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14 ID.BE-5: Resilience requirements to support delivery of cri)cal services are established COBIT 5 DSS04.02 ISO/IEC 27001:2013 A.11.1.4, A. 17.1.1, A.17.1.2, A.17.2.1 NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14 12
Profile Cybersecurity Framework Component 13 Iden)fy Protect Detect Respond Recover Ways to think about a Profile: •  A customiza)on of the Core for a given sector, subsector, or organiza)on. •  A fusion of business/mission logic and cybersecurity outcomes. •  An alignment of cybersecurity requirements with opera)onal methodologies. •  A basis for assessment and expressing target state. •  A decision support tool for cybersecurity risk management.
Supporting Risk Management with Framework 14
Framework 7-Step Process •  Step 1: Prioritize and Scope •  Step 2: Orient •  Step 3: Create a Current Profile •  Step 4: Conduct a Risk Assessment •  Step 5: Create a Target Profile •  Step 6: Determine, Analyze, and Prioritize Gaps •  Step 7: Implementation Action Plan 15
Building a Profile A Profile Can be Created in Three Steps 16 Subcategory 1 2 3 … 98 Mission Objective A B C Cybersecurity Requirements Legisla)on Regula)on Internal & External Policy Best Prac)ce Opera6ng Methodologies Guidance and methodology on implemen)ng, managing, and monitoring 1 2 3
Conceptual Profile Value Proposition 17 Cybersecurity Requirements Subcategory Priority Operating Methodologies A 1 moderate I II B C 2 high III D E 3 moderate IV V F … … VI VII G 98 moderate VIII 1 2 3 When you organize yourself in this way: •  Compliance repor)ng becomes a byproduct of running your security opera)on •  Adding new security requirements is straighborward •  Adding or changing opera)onal methodology is non- intrusive to on-going opera)on
Resource and Budget Decision Making What Can You Do with a CSF Profile? 18 Sub- category Priority Gaps Budget Year 1 Activities Year 2 Activities 1 moderate small $$$ X 2 high large $$ X 3 moderate medium $ X … … … … 98 moderate none $$ reassess As-Is Year 1 To-Be Year 2 To-Be …and supports on-going opera)onal decisions, too
Profile Ecosystem 19 NIST TAXONOMY 1 2 3 ... 98 1 Req A 2 Req B 3 Req C ... ... 98 Req ZZ 1 Req A High 2 Req B Mod 3 Req C Low ... ... ... 98 Req ZZ High REQUIREMENTS PRIORITIES Community Organiza=on or Community Cybersecurity Framework Core Cybersecurity Framework Profile Crosswalks Mappings
Key Attributes It’s a framework, not a prescriptive standard •  Provides a common language and systematic methodology for managing cyber risk. •  Is meant to be adapted. •  Does not tell an organization how much cyber risk is tolerable, nor provide “the one and only” formula for cybersecurity. •  Enable best practices to become standard practices for everyone via common lexicon to enable action across diverse stakeholders. It’s voluntary It’s a living document •  It is intended to be updated as stakeholders learn from implementation, and as technology and risks change…more later. •  That’s one reason why the Framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time—principles will not. 20
Common Patterns of Use •  Integrate the functions into your leadership vocabulary and management tool sets. •  Determine optimal risk management using Implementation Tiers. •  Measure current risk management using Implementation Tiers. •  Reflect on business environment, governance, and risk management strategy categories. •  Develop a Profile of cybersecurity priorities, leveraging (Sub)Sector Profiles when available. 21
Work in Progress: Framework Roadmap Authentication Automated Indicator Sharing Conformity Assessment Cybersecurity Workforce Data Analytics Federal Agency Cybersecurity Alignment International Aspects, Impacts, and Alignment Supply Chain Risk Management Technical Privacy Standards 22
Examples of Framework Industry Resources www.nist.gov/cyberframework/industry-resources The Cybersecurity Framework in Action: An Intel Use Case Energy Sector Cybersecurity Framework Implementation Guidance American Water Works Association’s Process Control System Security Guidance for the Water Sector Cybersecurity Risk Management and Best Prac)ces Working Group 4: Final Report 23 Italy’s National Framework for Cybersecurity
Examples of State & Local Use 24 Texas, Department of Information Resources •  Aligned Agency Security Plans with Framework •  Aligned Product and Service Vendor Requirements with Framework Houston, Greater Houston Partnership •  Integrated Framework into their Cybersecurity Guide •  Offer On-Line Framework Self-Assessment North Dakota, Information Technology Department •  Allocated Roles & Responsibilities using Framework •  Adopted the Framework into their Security Operation Strategy National Association of State CIOs •  2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy New Jersey •  Developed a cybersecurity framework that aligns controls and procedures with Framework
NIST Baldrige Excellence Builders Baldrige Cybersecurity Excellence Builder Manufacturing Service Small Business Education Healthcare Non-profit Cybersecurity (2017) 25 •  Self-assessment criteria with basis in Cybersecurity Framework •  Complements NIST Baldrige Program’s performance excellence successes. •  April 2-5, 2017 - 29th Annual Quest for Excellence Conference •  Pre-conference workshop that focuses on cybersecurity will be held on April 2nd - visit: https://www.nist.gov/baldrige/qe
Utilizing CSF Informative References to create tailored language for the manufacturing sector •  NIST SP 800-53 •  NIST SP 800-82 •  ISA / IEC 62443 26 www.)ger-global.co.uk NIST Manufacturing Profile NIST Discrete Manufacturing Cybersecurity Framework Profile
•  NCCoE and United States Coast Guard (USCG) worked together to draft a USCG Maritime Profile, based on the Cybersecurity Framework •  Aligns the USCG’s cyber strategy with cybersecurity activities of the maritime bulk liquid transport operations of the oil & natural gas industry, utilizing standards and best practices guided by the Framework •  The profile can help individual companies clarify how cybersecurity fits into their mission priorities and how best to allocate resources to secure their information and operational systems. 27 USCG Maritime Bulk Liquids Transfer (BLT) Framework Profile The profile is available at: hjps://www.uscg.mil/hq/cg5/cg544/docs/Mari)me_BLT_CSF.pdf
Framework for Improving Critical Infrastructure Cybersecurity and related news, information: www.nist.gov/cyberframework Additional cybersecurity resources: http://csrc.nist.gov/ Questions, comments, ideas: cyberframework@nist.gov Resources Where to Learn More and Stay Current

More Related Content

PDF
NIST Cybersecurity Framework (CSF) 2.0 Workshop
byBachir Benyammi
 
PDF
NIST cybersecurity framework
byShriya Rai
 
PPTX
NIST Critical Security Framework (CSF)
byPriyanka Aash
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PDF
Introduction to NIST Cybersecurity Framework
byTuan Phan
 
PPTX
How to implement NIST cybersecurity standards in my organization
byExigent Technologies LLC
 
PDF
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
byTuan Phan
 
PPTX
Cybersecurity Assessment Framework - Slideshare.pptx
byAzra'ee Mamat
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
byBachir Benyammi
 
NIST cybersecurity framework
byShriya Rai
 
NIST Critical Security Framework (CSF)
byPriyanka Aash
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
Introduction to NIST Cybersecurity Framework
byTuan Phan
 
How to implement NIST cybersecurity standards in my organization
byExigent Technologies LLC
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
byTuan Phan
 
Cybersecurity Assessment Framework - Slideshare.pptx
byAzra'ee Mamat
 

What's hot

PDF
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
PDF
Information Security Strategic Management
byMarcelo Martins
 
PPTX
Cybersecurity Priorities and Roadmap: Recommendations to DHS
byJohn Gilligan
 
PDF
Building a Cyber Security Operations Center for SCADA/ICS Environments
byShah Sheikh
 
PDF
From SIEM to SOC: Crossing the Cybersecurity Chasm
byPriyanka Aash
 
PDF
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
byPriyanka Aash
 
PDF
ISO 27001
byn|u - The Open Security Community
 
PPTX
SOC Cyber Security
bySteppa Cyber Security
 
PDF
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
Security operations center-SOC Presentation-مرکز عملیات امنیت
byReZa AdineH
 
PPTX
Roadmap to security operations excellence
byErik Taavila
 
PDF
Cyber Security Governance
byPriyanka Aash
 
PPTX
Security Operation Center - Design & Build
bySameer Paradia
 
PPT
Isms awareness training
bySAROJ BEHERA
 
PDF
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
byWAJAHAT IQBAL
 
PDF
From NIST CSF 1.1 to 2.0.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
Introduction to NIST’s Risk Management Framework (RMF)
byDonald E. Hester
 
PPTX
Security Operations Center (SOC) Essentials for the SME
byAlienVault
 
PDF
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
Information Security Strategic Management
byMarcelo Martins
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
byJohn Gilligan
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
byShah Sheikh
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
byPriyanka Aash
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
byPriyanka Aash
 
ISO 27001
byn|u - The Open Security Community
 
SOC Cyber Security
bySteppa Cyber Security
 
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
byReZa AdineH
 
Roadmap to security operations excellence
byErik Taavila
 
Cyber Security Governance
byPriyanka Aash
 
Security Operation Center - Design & Build
bySameer Paradia
 
Isms awareness training
bySAROJ BEHERA
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
byWAJAHAT IQBAL
 
From NIST CSF 1.1 to 2.0.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Introduction to NIST’s Risk Management Framework (RMF)
byDonald E. Hester
 
Security Operations Center (SOC) Essentials for the SME
byAlienVault
 
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 

Similar to NIST Cybersecurity Framework 101

PPTX
cybersecurity_framework_webinar_2017.pptx
byMuhammadAbdullah311866
 
PPTX
framework-version-1.1-overview-20180427-for-web-002.pptx
byAshishRanjan546644
 
PDF
NIST critical_infrastructure_cybersecurity.pdf
byssuserb3094b
 
PPTX
NIST_Framework_overview_20150219 YEAR 2015
bymagesh527916
 
PDF
Framework for Improving Critical Infrastructure Cybersecurity - Nist.cswp.041...
byAT-NET Services, Inc. - Charleston Division
 
DOCX
Project 7 - Organization Security PlanChoose an organization fro.docx
byanitramcroberts
 
PDF
Nist cybersecurity framework isc2 quantico
byTuan Phan
 
PDF
Improving Cyber Readiness with the NIST Cybersecurity Framework
byWilliam McBorrough
 
PPTX
Cybersecurity Frameworks and You: The Perfect Match
byMcKonly & Asbury, LLP
 
PDF
Implementing a Security Management Framework
byJoseph Wynn
 
PPTX
DOC-20250530-WA0008.pptx.................
bysalmannawaz6566504
 
DOCX
Project 7 Organization Security PlanChoose an organization from.docx
bywkyra78
 
PPT
What CIOs and CFOs Need to Know About Cyber Security
byPhil Agcaoili
 
PPTX
cybersecurity_framework_v1-1_presentation.pptx
byssuserda58e2
 
PPTX
cybersecurity_framework_v1-1_presentation.pptx
bycommentcava2000
 
PPTX
Cybersecurity framework v1-1_presentation
byezhilnarasu
 
PPTX
cybersecurity_framework_v1-1_presentation.pptx
bycirodussan
 
PPTX
Cybersecurity framework v1-1_presentation
byMonchai Phaichitchan
 
PPTX
history_and_development.pptx
byMarcosCristianMungua
 
DOCX
D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T
byOllieShoresna
 
cybersecurity_framework_webinar_2017.pptx
byMuhammadAbdullah311866
 
framework-version-1.1-overview-20180427-for-web-002.pptx
byAshishRanjan546644
 
NIST critical_infrastructure_cybersecurity.pdf
byssuserb3094b
 
NIST_Framework_overview_20150219 YEAR 2015
bymagesh527916
 
Framework for Improving Critical Infrastructure Cybersecurity - Nist.cswp.041...
byAT-NET Services, Inc. - Charleston Division
 
Project 7 - Organization Security PlanChoose an organization fro.docx
byanitramcroberts
 
Nist cybersecurity framework isc2 quantico
byTuan Phan
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
byWilliam McBorrough
 
Cybersecurity Frameworks and You: The Perfect Match
byMcKonly & Asbury, LLP
 
Implementing a Security Management Framework
byJoseph Wynn
 
DOC-20250530-WA0008.pptx.................
bysalmannawaz6566504
 
Project 7 Organization Security PlanChoose an organization from.docx
bywkyra78
 
What CIOs and CFOs Need to Know About Cyber Security
byPhil Agcaoili
 
cybersecurity_framework_v1-1_presentation.pptx
byssuserda58e2
 
cybersecurity_framework_v1-1_presentation.pptx
bycommentcava2000
 
Cybersecurity framework v1-1_presentation
byezhilnarasu
 
cybersecurity_framework_v1-1_presentation.pptx
bycirodussan
 
Cybersecurity framework v1-1_presentation
byMonchai Phaichitchan
 
history_and_development.pptx
byMarcosCristianMungua
 
D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T
byOllieShoresna
 

Recently uploaded

PDF
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
Code Like Bro -A guide for better Coding
byMadan Panthi
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PPTX
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
Code Like Bro -A guide for better Coding
byMadan Panthi
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 

NIST Cybersecurity Framework 101

  • 1.
    Framework for ImprovingCritical Infrastructure Cybersecurity March 2017 cyberframework@nist.gov
  • 2.
    Improving Critical InfrastructureCybersecurity “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties” Executive Order 13636 February 12, 2013 2
  • 3.
    The Cybersecurity Framework... • Includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. •  Provides a prioritized, flexible, repeatable, performance- based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. •  Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations. •  Is consistent with voluntary international standards. 3
  • 4.
    4 Development of theFramework Engage Stakeholders Collect, Categorize, Post RFI Responses Analyze RFI Responses Identify Framework Elements Prepare and Publish Framework EO 13636 Issued – Feb 12, 2013 RFI Issued – Feb 2013 1st Workshop – April 2013 Completed – April 2013 2nd Workshop – May 2013 Draft Outline of Framework – June 2013 3rd Workshop – July 2013 4th Workshop – Sept 2013 5th Workshop – Nov 2013 Published – Feb 12, 2014 Ongoing Engagement: Open public comment/ review encouraged throughout the process… and to this day
  • 5.
    The Framework Isfor Organizations… 5 •  Of any size, in any sector in (and outside of) the critical infrastructure. •  That already have a mature cyber risk management and cybersecurity program. •  That don’t yet have a cyber risk management or cybersecurity program. •  Needing to keep up-to-date managing risks, facing business or societal threats. •  In the federal government, too…since it is compatible with FISMA requirements and goals.
  • 6.
    Continued Improvement ofCritical Infrastructure Cybersecurity Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say: “…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure” Cybersecurity Enhancement Act of 2014 (P.L. 113-274) 18 December 2014 6
  • 7.
    Cybersecurity Framework Components Describeshow cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics Aligns industry standards and best practices to the Framework Core in a particular implementation scenario Supports prioritization and measurement while factoring in business needs Cybersecurity activities and informative references, organized around particular outcomes Enables communication of cyber risk across an organization Framework Core Framework Implementation Tiers Framework Profile 7
  • 8.
    Key Properties ofCyber Risk Management 8 Risk Management Process Integrated Risk Management Program External Par6cipa6on
  • 9.
    Implementation Tiers 9 1 2 3 4 Par6al Risk Informed Repeatable Adap6ve Risk Management Process The func)onality and repeatability of cybersecurity risk management Integrated Risk Management Program The extent to which cybersecurity is considered in broader risk management decisions External Par6cipa6on The degree to which the organiza)on benefits my sharing or receiving informa)on from outside par)es 9
  • 10.
    Core Cybersecurity Framework Component 10 Senior Execu6ves Implementa6on/ Opera6ons • Broad enterprise considera)ons •  Abstracted risk vocabulary •  Deep technical considera)ons •  Highly specialized vocabulary Specialists in Other Fields •  Specific focus outside of cybersecurity •  Specialized or no risk vocabulary
  • 11.
    Core Cybersecurity Framework Component Func6on Category ID What processes and assets need protec6on? Iden6fy Asset Management ID.AM Business Environment ID.BE Governance ID.GV Risk Assessment ID.RA Risk Management Strategy ID.RM What safeguards are available? Protect Access Control PR.AC Awareness and Training PR.AT Data Security PR.DS Informa)on Protec)on Processes & Procedures PR.IP Maintenance PR.MA Protec)ve Technology PR.PT What techniques can iden6fy incidents? Detect Anomalies and Events DE.AE Security Con)nuous Monitoring DE.CM Detec)on Processes DE.DP What techniques can contain impacts of incidents? Respond Response Planning RS.RP Communica)ons RS.CO Analysis RS.AN Mi)ga)on RS.MI Improvements RS.IM What techniques can restore capabili6es? Recover Recovery Planning RC.RP Improvements RC.IM Communica)ons RC.CO 11
  • 12.
    Core Cybersecurity Framework Component 12 Func6on Category ID Iden6fy Asset Management ID.AM Business Environment ID.BE Governance ID.GV Risk Assessment ID.RA Risk Management Strategy ID.RM Protect Access Control PR.AC Awareness and Training PR.AT Data Security PR.DS Informa)on Protec)on Processes & Procedures PR.IP Maintenance PR.MA Protec)ve Technology PR.PT Detect Anomalies and Events DE.AE Security Con)nuous Monitoring DE.CM Detec)on Processes DE.DP Respond Response Planning RS.RP Communica)ons RS.CO Analysis RS.AN Mi)ga)on RS.MI Improvements RS.IM Recover Recovery Planning RC.RP Improvements RC.IM Communica)ons RC.CO Subcategory Informative References ID.BE-1: The organiza)on’s role in the supply chain is iden)fied and communicated COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05 ISO/IEC 27001:2013 A.15.1.3, A. 15.2.1, A.15.2.2 NIST SP 800-53 Rev. 4 CP-2, SA-12 ID.BE-2: The organiza)on’s place in cri)cal infrastructure and its industry sector is iden)fied and communicated COBIT 5 APO02.06, APO03.01 NIST SP 800-53 Rev. 4 PM-8 ID.BE-3: Priori)es for organiza)onal mission, objec)ves, and ac)vi)es are established and communicated COBIT 5 APO02.01, APO02.06, APO03.01 ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6 NIST SP 800-53 Rev. 4 PM-11, SA-14 ID.BE-4: Dependencies and cri)cal func)ons for delivery of cri)cal services are established ISO/IEC 27001:2013 A.11.2.2, A. 11.2.3, A.12.1.3 NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14 ID.BE-5: Resilience requirements to support delivery of cri)cal services are established COBIT 5 DSS04.02 ISO/IEC 27001:2013 A.11.1.4, A. 17.1.1, A.17.1.2, A.17.2.1 NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14 12
  • 13.
    Profile Cybersecurity Framework Component 13 Iden)fy Protect Detect Respond Recover Ways to think about a Profile: • A customiza)on of the Core for a given sector, subsector, or organiza)on. •  A fusion of business/mission logic and cybersecurity outcomes. •  An alignment of cybersecurity requirements with opera)onal methodologies. •  A basis for assessment and expressing target state. •  A decision support tool for cybersecurity risk management.
  • 14.
    Supporting Risk Managementwith Framework 14
  • 15.
    Framework 7-Step Process • Step 1: Prioritize and Scope •  Step 2: Orient •  Step 3: Create a Current Profile •  Step 4: Conduct a Risk Assessment •  Step 5: Create a Target Profile •  Step 6: Determine, Analyze, and Prioritize Gaps •  Step 7: Implementation Action Plan 15
  • 16.
    Building a Profile AProfile Can be Created in Three Steps 16 Subcategory 1 2 3 … 98 Mission Objective A B C Cybersecurity Requirements Legisla)on Regula)on Internal & External Policy Best Prac)ce Opera6ng Methodologies Guidance and methodology on implemen)ng, managing, and monitoring 1 2 3
  • 17.
    Conceptual Profile Value Proposition 17 Cybersecurity RequirementsSubcategory Priority Operating Methodologies A 1 moderate I II B C 2 high III D E 3 moderate IV V F … … VI VII G 98 moderate VIII 1 2 3 When you organize yourself in this way: •  Compliance repor)ng becomes a byproduct of running your security opera)on •  Adding new security requirements is straighborward •  Adding or changing opera)onal methodology is non- intrusive to on-going opera)on
  • 18.
    Resource and BudgetDecision Making What Can You Do with a CSF Profile? 18 Sub- category Priority Gaps Budget Year 1 Activities Year 2 Activities 1 moderate small $$$ X 2 high large $$ X 3 moderate medium $ X … … … … 98 moderate none $$ reassess As-Is Year 1 To-Be Year 2 To-Be …and supports on-going opera)onal decisions, too
  • 19.
    Profile Ecosystem 19 NIST TAXONOMY 1 2 3 ... 98 1 Req A 2 Req B 3 Req C ... ... 98 Req ZZ 1 Req A High 2 Req B Mod 3 Req C Low ... ... ... 98 Req ZZ High REQUIREMENTS PRIORITIES Community Organiza=on or Community Cybersecurity Framework Core Cybersecurity Framework Profile Crosswalks Mappings
  • 20.
    Key Attributes It’s aframework, not a prescriptive standard •  Provides a common language and systematic methodology for managing cyber risk. •  Is meant to be adapted. •  Does not tell an organization how much cyber risk is tolerable, nor provide “the one and only” formula for cybersecurity. •  Enable best practices to become standard practices for everyone via common lexicon to enable action across diverse stakeholders. It’s voluntary It’s a living document •  It is intended to be updated as stakeholders learn from implementation, and as technology and risks change…more later. •  That’s one reason why the Framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time—principles will not. 20
  • 21.
    Common Patterns ofUse •  Integrate the functions into your leadership vocabulary and management tool sets. •  Determine optimal risk management using Implementation Tiers. •  Measure current risk management using Implementation Tiers. •  Reflect on business environment, governance, and risk management strategy categories. •  Develop a Profile of cybersecurity priorities, leveraging (Sub)Sector Profiles when available. 21
  • 22.
    Work in Progress:Framework Roadmap Authentication Automated Indicator Sharing Conformity Assessment Cybersecurity Workforce Data Analytics Federal Agency Cybersecurity Alignment International Aspects, Impacts, and Alignment Supply Chain Risk Management Technical Privacy Standards 22
  • 23.
    Examples of FrameworkIndustry Resources www.nist.gov/cyberframework/industry-resources The Cybersecurity Framework in Action: An Intel Use Case Energy Sector Cybersecurity Framework Implementation Guidance American Water Works Association’s Process Control System Security Guidance for the Water Sector Cybersecurity Risk Management and Best Prac)ces Working Group 4: Final Report 23 Italy’s National Framework for Cybersecurity
  • 24.
    Examples of State& Local Use 24 Texas, Department of Information Resources •  Aligned Agency Security Plans with Framework •  Aligned Product and Service Vendor Requirements with Framework Houston, Greater Houston Partnership •  Integrated Framework into their Cybersecurity Guide •  Offer On-Line Framework Self-Assessment North Dakota, Information Technology Department •  Allocated Roles & Responsibilities using Framework •  Adopted the Framework into their Security Operation Strategy National Association of State CIOs •  2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy New Jersey •  Developed a cybersecurity framework that aligns controls and procedures with Framework
  • 25.
    NIST Baldrige ExcellenceBuilders Baldrige Cybersecurity Excellence Builder Manufacturing Service Small Business Education Healthcare Non-profit Cybersecurity (2017) 25 •  Self-assessment criteria with basis in Cybersecurity Framework •  Complements NIST Baldrige Program’s performance excellence successes. •  April 2-5, 2017 - 29th Annual Quest for Excellence Conference •  Pre-conference workshop that focuses on cybersecurity will be held on April 2nd - visit: https://www.nist.gov/baldrige/qe
  • 26.
    Utilizing CSF InformativeReferences to create tailored language for the manufacturing sector •  NIST SP 800-53 •  NIST SP 800-82 •  ISA / IEC 62443 26 www.)ger-global.co.uk NIST Manufacturing Profile NIST Discrete Manufacturing Cybersecurity Framework Profile
  • 27.
    •  NCCoE andUnited States Coast Guard (USCG) worked together to draft a USCG Maritime Profile, based on the Cybersecurity Framework •  Aligns the USCG’s cyber strategy with cybersecurity activities of the maritime bulk liquid transport operations of the oil & natural gas industry, utilizing standards and best practices guided by the Framework •  The profile can help individual companies clarify how cybersecurity fits into their mission priorities and how best to allocate resources to secure their information and operational systems. 27 USCG Maritime Bulk Liquids Transfer (BLT) Framework Profile The profile is available at: hjps://www.uscg.mil/hq/cg5/cg544/docs/Mari)me_BLT_CSF.pdf
  • 28.
    Framework for ImprovingCritical Infrastructure Cybersecurity and related news, information: www.nist.gov/cyberframework Additional cybersecurity resources: http://csrc.nist.gov/ Questions, comments, ideas: cyberframework@nist.gov Resources Where to Learn More and Stay Current