Professional Documents
Culture Documents
Framework 20180611 002
Framework 20180611 002
Framework 20180611 002
Infrastructure Cybersecurity
June 2018
cyberframework@nist.gov
Objective and Agenda
Objective: Convey Cybersecurity Framework use,
explain the new version, and highlight some
additional NIST resources
•NIST
•Healthcare Guidance
•Charter
•Users
•Component Overview
•Roadmap
•Resources 2
National Institute of Standards and Technology
About NIST NIST Priority Research Areas
• Agency of U.S. Department of
Commerce Advanced Manufacturing
• NIST’s mission is to develop
IT and Cybersecurity
and promote measurement,
standards and technology to
enhance productivity, facilitate Healthcare
trade, and improve the quality
of life. Forensic Science
• Federal, non-regulatory Disaster Resilience
agency around since 1901
NIST Cybersecurity
Cyber-physical Systems
• Cybersecurity since the 1970s
• Computer Security Resource Advanced
Center – csrc.nist.gov Communications
3
Health Care Specific Guidance
Available at the Computer Security Resource Center
5
Cybersecurity Framework Current Charter
Improving Critical Infrastructure Cybersecurity
7
Cybersecurity Framework Components
Describes how
Cybersecurity outcomes cybersecurity risk is
and informative managed by an
references organization and
degree the risk
Enables management
communication practices
of cyber risk across exhibit key
an organization characteristics
Risk Management
Process External
Participation
9
Implementation Tiers
1 2 3 4
Partial Risk Informed Repeatable Adaptive
Risk
The functionality and repeatability of cybersecurity risk
Management
management
Process
Integrated Risk
The extent to which cybersecurity is considered in
Management
broader risk management decisions
Program
External The degree to which the organization:
Participation • monitors and manages supply chain risk1.1
• benefits my sharing or receiving information from
outside parties
10
10
Core
A Catalog of Cybersecurity Outcomes
Function
What processes and
assets need Identify • Understandable by
protection?
everyone
What safeguards are • Applies to any type of
Protect
available? risk management
What techniques can
• Defines the entire
Detect
identify incidents? breadth of
What techniques can cybersecurity
contain impacts of Respond
incidents? • Spans both prevention
What techniques can and reaction
Recover
restore capabilities?
11
Core
A Catalog of Cybersecurity Outcomes
Function Category
Asset Management
What processes and Business Environment
assets need Governance
Identify Risk Assessment
protection?
Risk Management Strategy
Supply Chain Risk Management1.1
Identity Management, Authentication and
Access Control1.1
Awareness and Training
What safeguards are Data Security
Protect
available? Information Protection Processes & Procedures
Maintenance
Protective Technology
Anomalies and Events
What techniques can
Detect Security Continuous Monitoring
identify incidents? Detection Processes
Response Planning
What techniques can Communications
contain impacts of Respond Analysis
Mitigation
incidents?
Improvements
Recovery Planning
What techniques can
Recover Improvements
12
restore capabilities? Communications
Core – Example1.1
Cybersecurity Framework Component
13
Core – Example1.1
Cybersecurity Framework Component
14
Core – Example
Cybersecurity Framework Component
15
1.1
Core – Flow Down & Report Up
Cybersecurity Framework Component
Organizational Inputs
Architecture Description
5 Functions
23 Categories
108 Subcategories
Reporting
16
Analysis
Profile
Customizing Cybersecurity Framework
18
Creating Target Profiles
A Profile Can be Created from Three Types of Information
Business
1 Objectives
Objective 1
Objective 2
Objective 3
Cybersecurity Technical
2 Requirements
Subcategory
Environment 3
1
Legislation 2 Threats
Regulation Vulnerabilities
…
Internal & External Policy 108
Operating
Methodologies
Controls Catalogs
19
Technical Guidance
Framework Seven Step Process
Gap Analysis Using Framework Profiles
Year 1 Year 2
As-Is
To-Be To-Be
1.1
1.1
•Internal
•Supply
Chain
23
Cyber SCRM Taxonomy1.1
Framework for Improving Critical Infrastructure Cybersecurity
• Simple Supplier-Buyer
model
• Technology minimally
includes IT, OT, CPS,
IoT
• Applicable for public
and private sector,
including not-for-
profits
• Aligns with Federal guidance
Supply Chain Risk
Management Practices for
Federal Information Systems
and Organizations (Special
Publication 800-161) 24
Self-Assessing Cybersecurity Risk1.1
Framework for Improving Critical Infrastructure Cybersecurity Version 1.1
25
Key Framework Attributes
Principles of the Current and Future Versions of Framework
Common and accessible language
• Understandable by many professionals
It’s adaptable to many technologies1.1, lifecycle phases1.1, sectors and uses
• Meant to be customized
It’s risk-based
• A Catalog of cybersecurity outcomes
• Does provide how or how much cybersecurity is appropriate
It’s meant to be paired
• Take advantage of great pre-existing things
It’s a living document
• Enable best practices to become standard practices for everyone
• Can be updated as technology and threats change
• Evolves faster than regulation and legislation
• Can be updated as stakeholders learn from implementation 26
Roadmap Concepts
Roadmap for Improving Critical Infrastructure Cybersecurity
The Roadmap:
• identifies key areas of development, alignment, and
collaboration
• provides a description of activities related to the Framework
27
Proposed Roadmap Topics
Draft Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1
General Resources
sorted by User Group:
• Critical Infrastructure
• Small and Medium
Business
• International
• Federal
• State Local Tribal
Territorial Governments
• Academia
• Assessments & Auditing
• General
Over 150 Unique
Resources for Your
Understanding and Use! 31
Examples of Framework Industry Resources
www.nist.gov/cyberframework/industry-resources
Manufacturing Profile
NIST Discrete Manufacturing
Cybersecurity Framework Profile
Self-Assessment Criteria
Baldrige Cybersecurity
Excellence Builder
Maritime Profile
U.S. Coast Guard Bulk Liquid
Transport Profile
33
Resources
www.nist.gov/cyberframework/industry-resources
NIST Special
Publications
Computer Security
Resource Center
800 Series @ csrc.nist.gov
National Cybersecurity
Center of Excellence
1800 Series @ nccoe.nist.gov
35
Small Business Guidance
36
ISO/IEC Technical Report 27103:2018
Information technology – Security techniques – Cybersecurity and ISO and IEC Standards
37
Proposed U.S. Federal Usage
NIST IR 8170 The Cybersecurity Framework: Implementation Guidance for Federal Agencies
39
Upcoming for Framework
40
Resources & Next Steps
• Consider Using or Extending Your Use of Cybersecurity Framework
• Perspectives to inform you decision to use
• Online Learning to understand more
• Resources and Success Stories to
learn how others use
• Share your use via Resources or at
the NIST Cybersecurity Risk
Management conference
• Communicate with NIST via
cyberframework@nist.gov
• Review other NIST health resources
• Computer Security Resource Center
• National Cybersecurity Center of
Excellence
41
Thoughts and Questions?
42