Uploaded byAshishRanjan546644
PPTX, PDF43 views

framework-version-1.1-overview-20180427-for-web-002.pptx

The document discusses version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity published by NIST in April 2018. It provides an overview of key additions and changes in version 1.1, including a new supply chain risk management category and subcategories, as well as clarified language for some existing subcategories. It also outlines NIST's role in developing cybersecurity standards and describes how organizations can use the Framework to manage cybersecurity risks by customizing profiles and conducting gap analyses.

Embed presentation

Download to read offline
The Framework for Improving Critical Infrastructure Cybersecurity April 2018 cyberframework@nist.gov
Objective: Convey Cybersecurity Framework use, while explaining features added in Version 1.1 Objective and Agenda 2 • Charter • Users • Attributes, Components, & Approaches • Draft Roadmap Version 1.1 • Framework Focus Areas • Web Site • Update Process
About NIST • Agency of U.S. Department of Commerce • NIST’s mission is to develop and promote measurement, standards and technology to enhance productivity, facilitate trade, and improve the quality of life. • Federal, non-regulatory agency around since 1901 NIST Cybersecurity • Cybersecurity since the 1970s • Computer Security Resource Center – csrc.nist.gov NIST Priority Research Areas National Institute of Standards and Technology Advanced Manufacturing IT and Cybersecurity Healthcare Forensic Science Disaster Resilience Cyber-physical Systems Advanced Communications 3
Cybersecurity Framework Current Charter Improving Critical Infrastructure Cybersecurity February 12, 2013 “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties” Executive Order 13636 4 December 18, 2014 Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say: “…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure” Cybersecurity Enhancement Act of 2014 (P.L. 113-274)
Cybersecurity Framework Users Framework for Improving Critical Infrastructure Cybersecurity 5
Version 1.0 and 1.1 Are Fully Compatible Framework for Improving Critical Infrastructure Cybersecurity Component Version 1.0 Version 1.1 Comments Functions 5 5 Categories 22 23 • Added a new category in ID.SC – Supply Chain Subcategories 98 108 • Added 5 subcategories in ID.SC • Added 2 subcategories in PR.AC • Added 1 subcategory each to PR.DS, PR.PT, RS.AN • Clarified language in 7 others Informative References 5 5 6 • Additions, including new categories and subcategories, do not invalidate existing V1.0 uses or work products
Key Framework Attributes Principles of the Current and Future Versions of Framework Common and accessible language • Understandable by many professionals It’s adaptable to many technologies1.1, lifecycle phases1.1, sectors and uses • Meant to be customized It’s risk-based • A Catalog of cybersecurity outcomes • Does not provide how or how much cybersecurity is appropriate It’s meant to be paired • Take advantage of great pre-existing things It’s a living document • Enable best practices to become standard practices for everyone • Can be updated as technology and threats change • Evolves faster than regulation and legislation • Can be updated as stakeholders learn from implementation 7
Cybersecurity outcomes and informative references Enables communication of cyber risk across an organization Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics Cybersecurity Framework Components Aligns industry standards and best practices to the Framework Core in an implementation scenario Supports prioritization and measurement while factoring in business needs 8
Implementation Tiers 9 1 Partial 2 Risk Informed 3 Repeatable 4 Adaptive Risk Management Process The functionality and repeatability of cybersecurity risk management Integrated Risk Management Program The extent to which cybersecurity is considered in broader risk management decisions External Participation The degree to which the organization: • monitors and manages supply chain risk1.1 • benefits my sharing or receiving information from outside parties 9
Core A Catalog of Cybersecurity Outcomes Function What processes and assets need protection? Identify • Understandable by everyone • Applies to any type of risk management • Defines the entire breadth of cybersecurity • Spans both prevention and reaction What safeguards are available? Protect What techniques can identify incidents? Detect What techniques can contain impacts of incidents? Respond What techniques can restore capabilities? Recover 10
Core A Catalog of Cybersecurity Outcomes Function Category What processes and assets need protection? Identify Asset Management Business Environment Governance Risk Assessment Risk Management Strategy Supply Chain Risk Management1.1 What safeguards are available? Protect Identity Management, Authentication and Access Control1.1 Awareness and Training Data Security Information Protection Processes & Procedures Maintenance Protective Technology What techniques can identify incidents? Detect Anomalies and Events Security Continuous Monitoring Detection Processes What techniques can contain impacts of incidents? Respond Response Planning Communications Analysis Mitigation Improvements What techniques can restore capabilities? Recover Recovery Planning Improvements Communications 11
12 Core – Example1.1 Cybersecurity Framework Component
13 Core – Example1.1 Cybersecurity Framework Component
14 Core – Example Cybersecurity Framework Component 1.1
Profile Customizing Cybersecurity Framework 15 Identify Protect Detect Respond Recover Ways to think about a Profile: • A customization of the Core for a given sector, subsector, or organization • A fusion of business/mission logic and cybersecurity outcomes • An alignment of cybersecurity requirements with operational methodologies • A basis for assessment and expressing target state • A decision support tool for cybersecurity risk management
Profile Foundational Information A Profile Can be Created from Three Types of Information 16 Subcategory 1 2 … 108 Cybersecurity Requirements Legislation Regulation Internal & External Policy Technical Environment Threats Vulnerabilities 1 2 3 Business Objectives Objective 1 Objective 2 Objective 3 Operating Methodologies Controls Catalogs Technical Guidance
• Step 1: Prioritize and Scope • Implementation Tiers may be used to express varying risk tolerances1.1 • Step 2: Orient • Step 3: Create a Current Profile • Step 4: Conduct a Risk Assessment • Step 5: Create a Target Profile • When used in conjunction with an Implementation Tier, characteristics of the Tier level should be reflected in the desired cybersecurity outcomes1.1 • Step 6: Determine, Analyze, and Prioritize Gaps • Step 7: Implementation Action Plan 17 Framework Seven Step Process Gap Analysis Using Framework Profiles
Resource and Budget Decisioning Framework supports operating decisions and improvement 18 Sub- category Priority Gaps Budget Year 1 Activities Year 2 Activities 1 moderate small $$$ X 2 high large $$ X 3 moderate medium $ X … … … … 108 moderate none $$ reassess As-Is Year 1 To-Be Year 2 To-Be
Resource and Budget Decisioning Framework supports operating decisions and improvement 19 Sub- category Priority Gaps Budget Year 1 Activities Year 2 Activities 1 moderate small $$$ X 2 high large $$ X 3 moderate medium $ X … … … … 108 moderate none $$ reassess As-Is Year 1 To-Be Year 2 To-Be Step 5 Target Profile Step 6 Step 7
20 Supporting Risk Management with Framework Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 1.1 1.1 •Internal •Supply Chain
Operate Use Cybersecurity Framework Profiles to distribute and organize labor 21 Subcats Reqs Priorities Who What When Where How 1 A, B High 2 C, D, E, F High 3 G, H, I, J Low ... ... ... 108 XX, YY, ZZ Mod
22 Cyber SCRM Taxonomy1.1 Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 • Simple Supplier-Buyer model • Technology minimally includes IT, OT, CPS, IoT • Applicable for public and private sector, including not-for- profits • Aligns with Federal guidance Supply Chain Risk Management Practices for Federal Information Systems and Organizations (Special Publication 800-161)
Emphasizes the role of measurements in self-assessment Stresses critical linkage of business results: - Cost - Benefit …to cybersecurity risk management Continued discussion of this linkage will occur under Roadmap area – Measuring Cybersecurity 23 Self-Assessing Cybersecurity Risk1.1 Framework for Improving Critical Infrastructure Cybersecurity Version 1.1
Roadmap Concepts Roadmap to Improving Critical Infrastructure Cybersecurity The Roadmap: • identifies key areas of development, alignment, and collaboration • provides a description of activities related to the Framework Roadmap items are generally: • Topics that are meaningful to critical infrastructure cybersecurity risk management • Focus areas of both private sector and the federal government • Related to Framework, but managed as separate efforts 11
Proposed Roadmap Topics Draft Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1 Original Roadmap 9 topics Proposed Roadmap 12 topics Conformity Assessment Confidence Mechanisms Automated Indicator Sharing Cyber-Attack Lifecycle Includes Coordinated Vulnerability Disclosure Data Analytics Cybersecurity Workforce Cybersecurity Workforce Supply Chain Risk Management Cyber Supply Chain Risk Management Federal Agency Cybersecurity Alignment Federal Agency Cybersecurity Alignment Governance and Enterprise Risk Management Authentication Identity Management International Aspects, Impacts, and Alignment International Aspects, Impacts, and Alignment Measuring Cybersecurity Technical Privacy Standards Privacy Engineering Referencing Techniques Small Business Awareness and Resources Focus Focus Focus
Small Business Guidance and Initiatives Framework for Improving Critical Infrastructure Cybersecurity Small Business Information Security: the Fundamentals NIST Computer Security Resource Center 26 Small Business Center NIST Computer Security Resource Center CyberSecure My Business National Cyber Security Alliance Small Business Starter Profiles NIST Framework Team
International Use Framework for Improving Critical Infrastructure Cybersecurity • Japanese translation by Information-technology Promotion Agency • Italian adaptation within Italy’s National Framework for Cybersecurity • Hebrew adaptation by Government of Israel • Bermuda uses it within government and recommends it to industry • Uruguay government is currently on Version 3.1 of their adaptation • Focus of International Organization for Standardization & International Electrotechnical Commission 27
1. Integrate enterprise and cybersecurity risk management 2. Manage cybersecurity requirements 3. Integrate and align cybersecurity and acquisition processes 4. Evaluate organizational cybersecurity 5. Manage the cybersecurity program 6. Maintain a comprehensive understanding of cybersecurity risk (supports RMF Authorize) 7. Report cybersecurity risks (supports RMF Monitor) 8. Inform the tailoring process (supports RMF Select) 28 Proposed U.S. Federal Usage NIST IR 8170 The Cybersecurity Framework: Implementation Guidance for Federal Agencies Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800
NIST Special Publication 800-37, Revision 2: Risk Management Framework for Security and Privacy Initial Public Draft: May 2018 Final Public Draft: July 2018 Final Publication: October 2018 NIST Special Publication 800-53, Revision 5: Security and Privacy Controls Final Public Draft: October 2018 Final Publication: December 2018 NIST Special Publication 800-53A, Revision 5: Assessment Procedures for Security and Privacy Controls Initial Public Draft: March 2019 Final Public Draft: June 2019 Final Publication: September 2019 FIPS Publication 200, Revision 1: Minimum Security Requirements Initial Public Draft: October 2018 Final Public Draft: April 2019 Final Publication: July 2019 FIPS Publication 199, Revision 1: Security Categorization Initial Public Draft: December 2018 Final Public Draft: May 2019 Final Publication: August 2019 Updates - https://csrc.nist.gov/Projects/Risk- Management/Schedule Questions or comments - sec-cert@nist.gov FISMA Implementation Pub Schedule As of 8 February 2018, Subject to Change 29
Supporting Healthy Regulatory Environments Framework for Improving Critical Infrastructure Cybersecurity Bulk Liquid Transport Profile U.S. Coast Guard 30 Financial Services Framework Customization and Profile Financial Services Sector Coordinating Council Connected Vehicle Profile U.S. Department of Transportation Smart City Pilot Cybersecurity Risk Management and Best Practices Working Group 4: Final Report Communications Security, Reliability, and Interoperability Council
Eras of Cybersecurity Framework 31
The Framework Web Site www.nist.gov/cyberframework 32
Self-Help Web Materials www.nist.gov/cyberframework 33
Self-Help Web Materials www.nist.gov/cyberframework 34
Resources https://www.nist.gov/cyberframework/framework-resources-0 35 Over 150 Unique Resources for Your Understanding and Use! General Resources sorted by User Group: • Critical Infrastructure • Small and Medium Business • International • Federal • State Local Tribal Territorial Governments • Academia • Assessments & Auditing • General
Resources - State & Local https://www.nist.gov/cyberframework/state-local-tribal-and-territorial-resources 36 Texas, Department of Information Resources • Aligned Agency Security Plans with Framework • Aligned Product and Service Vendor Requirements with Framework Houston, Greater Houston Partnership • Integrated Framework into their Cybersecurity Guide • Offer On-Line Framework Self-Assessment North Dakota, Information Technology Department • Allocated Roles & Responsibilities using Framework • Adopted the Framework into their Security Operation Strategy National Association of State CIOs • 2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy New Jersey • Developed a cybersecurity framework that aligns controls and procedures with Framework
Recent NIST Work Products https://www.nist.gov/cyberframework/framework-resources-0 Maritime Profile U.S. Coast Guard Bulk Liquid Transport Profile Self-Assessment Criteria Baldrige Cybersecurity Excellence Builder 37 Manufacturing Profile NIST Discrete Manufacturing Cybersecurity Framework Profile
Resources https://www.nist.gov/cyberframework/framework-resources-0 38 Over 150 Unique Resources for Your Understanding and Use! NIST Special Publications Computer Security Resource Center 800 Series @ csrc.nist.gov National Cybersecurity Center of Excellence 1800 Series @ nccoe.nist.gov
NIST Special Publications by Category https://www.nist.gov/cyberframework/protect 39
Online Informative References https://www.nist.gov/cyberframework/informative-references 40
41 Core – Example1.1 Cybersecurity Framework Component
Relationship Types Online Informative References 42 Key Framework – blue Reference Document - red Case 3 Case 5 Case 1 Case 2 Case 4 Equivalent to Not related to Subset of Intersects with Superset of F R F F F R F & R R R
Update Activities Engagement Request for Information – Views on the Framework for Improving Critical Infrastructure Cybersecurity – Dec 2015 105 Responses 7th Workshop – Apr 2016 653 Physical Attendees, 140 Online Attendees Draft 1 – Framework Version 1.1 – Released Jan 2017 Approx. 42,000+ downloads As of 4/27/18 Request for Comment – Proposed update to the Framework for Improving Critical Infrastructure Cybersecurity – Jan 2017 129 Responses 8th Workshop – May 2017 517 Physical Attendees, 1528 Online Attendees Draft 2 – Framework Version 1.1 – Released Dec 2017 Approx. 32,000+ downloads As of 4/27/18 Request for Comment – Cybersecurity Framework Version 1.1 – Draft 2 – Dec 2017 89 Responses Framework Version 1.1 – Release April 2018 Approx. 27,000+ downloads thus far Continued Improvement of Critical Infrastructure Cybersecurity 43
Continued Improvement Living Document Process https://www.nist.gov/cyberframework/online-learning/update-process 44
Milestones Three Year Minimum Update Cycle https://www.nist.gov/cyberframework/online-learning/update-process Features List (Version A) Major Minor Administrative Annual Conference New Version? 3 years from last Final Update Features List (Version B) Major Minor Administrative Features List (Version C) Major Minor Administrative Annual Conference Annual Conference Annual Conference Publish Framework Update Draft Framework Update X 45
Ways to Help Stakeholder Recommended Actions • Create and share your Resources with others in coordination with NIST • Customize Framework for your sector or community • Publish a sector or community Profile or relevant Online Informative Reference • Publish Success Stories of your Framework implementation in coordination with NIST • Advocate for the Framework throughout your sector or community, with related sectors and communities. • Submit an idea for the NIST Call for Speakers cyberframework@nist.gov for all NIST coordination and communication 46
Upcoming 15-16 May 2018 Federal Computer Security Managers Forum https://csrc.nist.gov/Events/2018/Federal-Computer-Security-Managers-Forum-2-day Spring 2018 Publication of Roadmap for Improving Critical Infrastructure Cybersecurity Spring 2018 Publication of NIST Interagency Report 8170 Summer 2018 Spanish Language Framework Version 1.1 6-8 November 2018 NIST Cybersecurity Risk Management Conference - Call for Speakers Winter 2018-19 Small Business Starter Profiles 47
Resources • Framework for Improving Critical Infrastructure Cybersecurity and related news and information: • www.nist.gov/cyberframework • Additional cybersecurity resources: • http://csrc.nist.gov/ • Questions, comments, ideas: • cyberframework@nist.gov 48
Questions? 49

More Related Content

PPTX
cybersecurity_framework_webinar_2017.pptx
byMuhammadAbdullah311866
 
PDF
NIST Cybersecurity Framework 101
byErick Kish, U.S. Commercial Service
 
PPTX
framework_update_report-yer20170301.pptx
byMuhammadAbdullah311866
 
PDF
NIST critical_infrastructure_cybersecurity.pdf
byssuserb3094b
 
DOCX
Framework for Improving Critical Infrastructure Cyber.docx
bybudbarber38650
 
PDF
Framework for Improving Critical Infrastructure Cybersecurity - Nist.cswp.041...
byAT-NET Services, Inc. - Charleston Division
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PPTX
cybersecurity_framework_v1-1_presentation.pptx
byssuserda58e2
 
cybersecurity_framework_webinar_2017.pptx
byMuhammadAbdullah311866
 
NIST Cybersecurity Framework 101
byErick Kish, U.S. Commercial Service
 
framework_update_report-yer20170301.pptx
byMuhammadAbdullah311866
 
NIST critical_infrastructure_cybersecurity.pdf
byssuserb3094b
 
Framework for Improving Critical Infrastructure Cyber.docx
bybudbarber38650
 
Framework for Improving Critical Infrastructure Cybersecurity - Nist.cswp.041...
byAT-NET Services, Inc. - Charleston Division
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
cybersecurity_framework_v1-1_presentation.pptx
byssuserda58e2
 

Similar to framework-version-1.1-overview-20180427-for-web-002.pptx

PPTX
cybersecurity_framework_v1-1_presentation.pptx
bycirodussan
 
PPTX
cybersecurity_framework_v1-1_presentation.pptx
bycommentcava2000
 
PPTX
Cybersecurity framework v1-1_presentation
byezhilnarasu
 
PPTX
Cybersecurity framework v1-1_presentation
byMonchai Phaichitchan
 
PDF
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
byTuan Phan
 
PDF
Nist cybersecurity framework isc2 quantico
byTuan Phan
 
DOCX
Project 7 - Organization Security PlanChoose an organization fro.docx
byanitramcroberts
 
PDF
Introduction to NIST Cybersecurity Framework
byTuan Phan
 
DOCX
Elements of Music #1 Handout1. Rhythm the flow of music in te.docx
bytoltonkendal
 
DOCX
Elements of Music #1 Handout1. Rhythm the flow of music in te.docx
byjack60216
 
PPTX
Cybersecurity Frameworks and You: The Perfect Match
byMcKonly & Asbury, LLP
 
DOCX
D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T
byOllieShoresna
 
DOCX
Project 7 Organization Security PlanChoose an organization from.docx
bywkyra78
 
PPT
What CIOs and CFOs Need to Know About Cyber Security
byPhil Agcaoili
 
PDF
Improving Cyber Readiness with the NIST Cybersecurity Framework
byWilliam McBorrough
 
PDF
From NIST CSF 1.1 to 2.0.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
byCohesive Networks
 
PPTX
Components of Cybersecurity Framework
byOmerZia11
 
PPTX
DOC-20250530-WA0008.pptx.................
bysalmannawaz6566504
 
PPTX
CYBER SECURITY
byharsh arora
 
cybersecurity_framework_v1-1_presentation.pptx
bycirodussan
 
cybersecurity_framework_v1-1_presentation.pptx
bycommentcava2000
 
Cybersecurity framework v1-1_presentation
byezhilnarasu
 
Cybersecurity framework v1-1_presentation
byMonchai Phaichitchan
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
byTuan Phan
 
Nist cybersecurity framework isc2 quantico
byTuan Phan
 
Project 7 - Organization Security PlanChoose an organization fro.docx
byanitramcroberts
 
Introduction to NIST Cybersecurity Framework
byTuan Phan
 
Elements of Music #1 Handout1. Rhythm the flow of music in te.docx
bytoltonkendal
 
Elements of Music #1 Handout1. Rhythm the flow of music in te.docx
byjack60216
 
Cybersecurity Frameworks and You: The Perfect Match
byMcKonly & Asbury, LLP
 
D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T
byOllieShoresna
 
Project 7 Organization Security PlanChoose an organization from.docx
bywkyra78
 
What CIOs and CFOs Need to Know About Cyber Security
byPhil Agcaoili
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
byWilliam McBorrough
 
From NIST CSF 1.1 to 2.0.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
byCohesive Networks
 
Components of Cybersecurity Framework
byOmerZia11
 
DOC-20250530-WA0008.pptx.................
bysalmannawaz6566504
 
CYBER SECURITY
byharsh arora
 

Recently uploaded

PPTX
Importance of Management of Change | MaintWiz CMMS
byMaintWiz Technologies Private Limited
 
DOCX
19EC704 Optical and Microwave Lab Manual.docx
bytamil arasan
 
PDF
Synopsys ICC2_ Essential Commands for Physical Design.pdf
byMIK72
 
PPTX
19ECX25-CAD for VLSI Circuits Unit-1.pptx
bytamil arasan
 
PPTX
Develop and Implement a Maintenance Competency Plan | Build Skilled, Reliable...
byMaintWiz Technologies Private Limited
 
PDF
Operating System Concepts-Linux and Shell Programming by K. Adi
byAdiseshaK
 
PPTX
Trade Secret.pptx (Trade Secret.pptx.pptx)
byganeshchalla7
 
PPT
Unit 2 Gas and Diesel Power Plant and working
byRoeverDirectoroffice
 
PDF
From Orchestration to Platform The Missing Puzzles to Unify Polyglot Services...
byRichárd Kovács
 
PDF
Introduction Cloud Computing-Cloud Solutions ppt by Dr. K. Adisesha
byAdiseshaK
 
PDF
Unit - III Analysis of Pin Jointed Plane Trusses / Frames
bynmmorkane
 
PPTX
Brick- its Types , uses , advantages and limitations .pptx
bydhanashree78
 
PDF
A Guide to Boiler Construction and Design
byMahmoud Moghtaderi
 
PPTX
Unit 1_Introduction to Automation & Robotics.pptx
bybekhem2008
 
PPTX
Beyond SAP: Domain-Specific SaaS for Maintenance 4.0 | MaintWiz CMMS
byMaintWiz Technologies Private Limited
 
PPTX
Green-ICT-and-Sustainable-Technology-Powering-a-Greener-Digital-Future.pptx
byRAJVEEPATEL13
 
PDF
Impact of Different Curing Techniques in Evaluating the Strength of the Rolle...
byAbdullah Al-Ani
 
PPTX
Centrifugal Pumping Energy Efficiency .pptx
bykailashtarde2
 
PDF
EFFECT OF ULTRAVIOLET RADIATION ON STRUCTURAL PROPERTIES OF NANOWIRES
byijoejnl
 
PDF
Operating System Concepts-Memory Management by Dr. K. Adisesha
byAdiseshaK
 
Importance of Management of Change | MaintWiz CMMS
byMaintWiz Technologies Private Limited
 
19EC704 Optical and Microwave Lab Manual.docx
bytamil arasan
 
Synopsys ICC2_ Essential Commands for Physical Design.pdf
byMIK72
 
19ECX25-CAD for VLSI Circuits Unit-1.pptx
bytamil arasan
 
Develop and Implement a Maintenance Competency Plan | Build Skilled, Reliable...
byMaintWiz Technologies Private Limited
 
Operating System Concepts-Linux and Shell Programming by K. Adi
byAdiseshaK
 
Trade Secret.pptx (Trade Secret.pptx.pptx)
byganeshchalla7
 
Unit 2 Gas and Diesel Power Plant and working
byRoeverDirectoroffice
 
From Orchestration to Platform The Missing Puzzles to Unify Polyglot Services...
byRichárd Kovács
 
Introduction Cloud Computing-Cloud Solutions ppt by Dr. K. Adisesha
byAdiseshaK
 
Unit - III Analysis of Pin Jointed Plane Trusses / Frames
bynmmorkane
 
Brick- its Types , uses , advantages and limitations .pptx
bydhanashree78
 
A Guide to Boiler Construction and Design
byMahmoud Moghtaderi
 
Unit 1_Introduction to Automation & Robotics.pptx
bybekhem2008
 
Beyond SAP: Domain-Specific SaaS for Maintenance 4.0 | MaintWiz CMMS
byMaintWiz Technologies Private Limited
 
Green-ICT-and-Sustainable-Technology-Powering-a-Greener-Digital-Future.pptx
byRAJVEEPATEL13
 
Impact of Different Curing Techniques in Evaluating the Strength of the Rolle...
byAbdullah Al-Ani
 
Centrifugal Pumping Energy Efficiency .pptx
bykailashtarde2
 
EFFECT OF ULTRAVIOLET RADIATION ON STRUCTURAL PROPERTIES OF NANOWIRES
byijoejnl
 
Operating System Concepts-Memory Management by Dr. K. Adisesha
byAdiseshaK
 

framework-version-1.1-overview-20180427-for-web-002.pptx

  • 1.
    The Framework forImproving Critical Infrastructure Cybersecurity April 2018 [email protected]
  • 2.
    Objective: Convey CybersecurityFramework use, while explaining features added in Version 1.1 Objective and Agenda 2 • Charter • Users • Attributes, Components, & Approaches • Draft Roadmap Version 1.1 • Framework Focus Areas • Web Site • Update Process
  • 3.
    About NIST • Agencyof U.S. Department of Commerce • NIST’s mission is to develop and promote measurement, standards and technology to enhance productivity, facilitate trade, and improve the quality of life. • Federal, non-regulatory agency around since 1901 NIST Cybersecurity • Cybersecurity since the 1970s • Computer Security Resource Center – csrc.nist.gov NIST Priority Research Areas National Institute of Standards and Technology Advanced Manufacturing IT and Cybersecurity Healthcare Forensic Science Disaster Resilience Cyber-physical Systems Advanced Communications 3
  • 4.
    Cybersecurity Framework CurrentCharter Improving Critical Infrastructure Cybersecurity February 12, 2013 “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties” Executive Order 13636 4 December 18, 2014 Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say: “…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure” Cybersecurity Enhancement Act of 2014 (P.L. 113-274)
  • 5.
    Cybersecurity Framework Users Frameworkfor Improving Critical Infrastructure Cybersecurity 5
  • 6.
    Version 1.0 and1.1 Are Fully Compatible Framework for Improving Critical Infrastructure Cybersecurity Component Version 1.0 Version 1.1 Comments Functions 5 5 Categories 22 23 • Added a new category in ID.SC – Supply Chain Subcategories 98 108 • Added 5 subcategories in ID.SC • Added 2 subcategories in PR.AC • Added 1 subcategory each to PR.DS, PR.PT, RS.AN • Clarified language in 7 others Informative References 5 5 6 • Additions, including new categories and subcategories, do not invalidate existing V1.0 uses or work products
  • 7.
    Key Framework Attributes Principlesof the Current and Future Versions of Framework Common and accessible language • Understandable by many professionals It’s adaptable to many technologies1.1, lifecycle phases1.1, sectors and uses • Meant to be customized It’s risk-based • A Catalog of cybersecurity outcomes • Does not provide how or how much cybersecurity is appropriate It’s meant to be paired • Take advantage of great pre-existing things It’s a living document • Enable best practices to become standard practices for everyone • Can be updated as technology and threats change • Evolves faster than regulation and legislation • Can be updated as stakeholders learn from implementation 7
  • 8.
    Cybersecurity outcomes and informative references Enables communication ofcyber risk across an organization Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics Cybersecurity Framework Components Aligns industry standards and best practices to the Framework Core in an implementation scenario Supports prioritization and measurement while factoring in business needs 8
  • 9.
    Implementation Tiers 9 1 Partial 2 Risk Informed 3 Repeatable 4 Adaptive Risk Management Process Thefunctionality and repeatability of cybersecurity risk management Integrated Risk Management Program The extent to which cybersecurity is considered in broader risk management decisions External Participation The degree to which the organization: • monitors and manages supply chain risk1.1 • benefits my sharing or receiving information from outside parties 9
  • 10.
    Core A Catalog ofCybersecurity Outcomes Function What processes and assets need protection? Identify • Understandable by everyone • Applies to any type of risk management • Defines the entire breadth of cybersecurity • Spans both prevention and reaction What safeguards are available? Protect What techniques can identify incidents? Detect What techniques can contain impacts of incidents? Respond What techniques can restore capabilities? Recover 10
  • 11.
    Core A Catalog ofCybersecurity Outcomes Function Category What processes and assets need protection? Identify Asset Management Business Environment Governance Risk Assessment Risk Management Strategy Supply Chain Risk Management1.1 What safeguards are available? Protect Identity Management, Authentication and Access Control1.1 Awareness and Training Data Security Information Protection Processes & Procedures Maintenance Protective Technology What techniques can identify incidents? Detect Anomalies and Events Security Continuous Monitoring Detection Processes What techniques can contain impacts of incidents? Respond Response Planning Communications Analysis Mitigation Improvements What techniques can restore capabilities? Recover Recovery Planning Improvements Communications 11
  • 12.
  • 13.
  • 14.
    14 Core – Example CybersecurityFramework Component 1.1
  • 15.
    Profile Customizing Cybersecurity Framework 15 Identify Protect Detect Respond Recover Waysto think about a Profile: • A customization of the Core for a given sector, subsector, or organization • A fusion of business/mission logic and cybersecurity outcomes • An alignment of cybersecurity requirements with operational methodologies • A basis for assessment and expressing target state • A decision support tool for cybersecurity risk management
  • 16.
    Profile Foundational Information AProfile Can be Created from Three Types of Information 16 Subcategory 1 2 … 108 Cybersecurity Requirements Legislation Regulation Internal & External Policy Technical Environment Threats Vulnerabilities 1 2 3 Business Objectives Objective 1 Objective 2 Objective 3 Operating Methodologies Controls Catalogs Technical Guidance
  • 17.
    • Step 1:Prioritize and Scope • Implementation Tiers may be used to express varying risk tolerances1.1 • Step 2: Orient • Step 3: Create a Current Profile • Step 4: Conduct a Risk Assessment • Step 5: Create a Target Profile • When used in conjunction with an Implementation Tier, characteristics of the Tier level should be reflected in the desired cybersecurity outcomes1.1 • Step 6: Determine, Analyze, and Prioritize Gaps • Step 7: Implementation Action Plan 17 Framework Seven Step Process Gap Analysis Using Framework Profiles
  • 18.
    Resource and BudgetDecisioning Framework supports operating decisions and improvement 18 Sub- category Priority Gaps Budget Year 1 Activities Year 2 Activities 1 moderate small $$$ X 2 high large $$ X 3 moderate medium $ X … … … … 108 moderate none $$ reassess As-Is Year 1 To-Be Year 2 To-Be
  • 19.
    Resource and BudgetDecisioning Framework supports operating decisions and improvement 19 Sub- category Priority Gaps Budget Year 1 Activities Year 2 Activities 1 moderate small $$$ X 2 high large $$ X 3 moderate medium $ X … … … … 108 moderate none $$ reassess As-Is Year 1 To-Be Year 2 To-Be Step 5 Target Profile Step 6 Step 7
  • 20.
    20 Supporting Risk Managementwith Framework Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 1.1 1.1 •Internal •Supply Chain
  • 21.
    Operate Use Cybersecurity FrameworkProfiles to distribute and organize labor 21 Subcats Reqs Priorities Who What When Where How 1 A, B High 2 C, D, E, F High 3 G, H, I, J Low ... ... ... 108 XX, YY, ZZ Mod
  • 22.
    22 Cyber SCRM Taxonomy1.1 Frameworkfor Improving Critical Infrastructure Cybersecurity Version 1.1 • Simple Supplier-Buyer model • Technology minimally includes IT, OT, CPS, IoT • Applicable for public and private sector, including not-for- profits • Aligns with Federal guidance Supply Chain Risk Management Practices for Federal Information Systems and Organizations (Special Publication 800-161)
  • 23.
    Emphasizes the roleof measurements in self-assessment Stresses critical linkage of business results: - Cost - Benefit …to cybersecurity risk management Continued discussion of this linkage will occur under Roadmap area – Measuring Cybersecurity 23 Self-Assessing Cybersecurity Risk1.1 Framework for Improving Critical Infrastructure Cybersecurity Version 1.1
  • 24.
    Roadmap Concepts Roadmap toImproving Critical Infrastructure Cybersecurity The Roadmap: • identifies key areas of development, alignment, and collaboration • provides a description of activities related to the Framework Roadmap items are generally: • Topics that are meaningful to critical infrastructure cybersecurity risk management • Focus areas of both private sector and the federal government • Related to Framework, but managed as separate efforts 11
  • 25.
    Proposed Roadmap Topics DraftRoadmap for Improving Critical Infrastructure Cybersecurity Version 1.1 Original Roadmap 9 topics Proposed Roadmap 12 topics Conformity Assessment Confidence Mechanisms Automated Indicator Sharing Cyber-Attack Lifecycle Includes Coordinated Vulnerability Disclosure Data Analytics Cybersecurity Workforce Cybersecurity Workforce Supply Chain Risk Management Cyber Supply Chain Risk Management Federal Agency Cybersecurity Alignment Federal Agency Cybersecurity Alignment Governance and Enterprise Risk Management Authentication Identity Management International Aspects, Impacts, and Alignment International Aspects, Impacts, and Alignment Measuring Cybersecurity Technical Privacy Standards Privacy Engineering Referencing Techniques Small Business Awareness and Resources Focus Focus Focus
  • 26.
    Small Business Guidanceand Initiatives Framework for Improving Critical Infrastructure Cybersecurity Small Business Information Security: the Fundamentals NIST Computer Security Resource Center 26 Small Business Center NIST Computer Security Resource Center CyberSecure My Business National Cyber Security Alliance Small Business Starter Profiles NIST Framework Team
  • 27.
    International Use Framework forImproving Critical Infrastructure Cybersecurity • Japanese translation by Information-technology Promotion Agency • Italian adaptation within Italy’s National Framework for Cybersecurity • Hebrew adaptation by Government of Israel • Bermuda uses it within government and recommends it to industry • Uruguay government is currently on Version 3.1 of their adaptation • Focus of International Organization for Standardization & International Electrotechnical Commission 27
  • 28.
    1. Integrate enterpriseand cybersecurity risk management 2. Manage cybersecurity requirements 3. Integrate and align cybersecurity and acquisition processes 4. Evaluate organizational cybersecurity 5. Manage the cybersecurity program 6. Maintain a comprehensive understanding of cybersecurity risk (supports RMF Authorize) 7. Report cybersecurity risks (supports RMF Monitor) 8. Inform the tailoring process (supports RMF Select) 28 Proposed U.S. Federal Usage NIST IR 8170 The Cybersecurity Framework: Implementation Guidance for Federal Agencies Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800
  • 29.
    NIST Special Publication800-37, Revision 2: Risk Management Framework for Security and Privacy Initial Public Draft: May 2018 Final Public Draft: July 2018 Final Publication: October 2018 NIST Special Publication 800-53, Revision 5: Security and Privacy Controls Final Public Draft: October 2018 Final Publication: December 2018 NIST Special Publication 800-53A, Revision 5: Assessment Procedures for Security and Privacy Controls Initial Public Draft: March 2019 Final Public Draft: June 2019 Final Publication: September 2019 FIPS Publication 200, Revision 1: Minimum Security Requirements Initial Public Draft: October 2018 Final Public Draft: April 2019 Final Publication: July 2019 FIPS Publication 199, Revision 1: Security Categorization Initial Public Draft: December 2018 Final Public Draft: May 2019 Final Publication: August 2019 Updates - https://csrc.nist.gov/Projects/Risk- Management/Schedule Questions or comments - [email protected] FISMA Implementation Pub Schedule As of 8 February 2018, Subject to Change 29
  • 30.
    Supporting Healthy RegulatoryEnvironments Framework for Improving Critical Infrastructure Cybersecurity Bulk Liquid Transport Profile U.S. Coast Guard 30 Financial Services Framework Customization and Profile Financial Services Sector Coordinating Council Connected Vehicle Profile U.S. Department of Transportation Smart City Pilot Cybersecurity Risk Management and Best Practices Working Group 4: Final Report Communications Security, Reliability, and Interoperability Council
  • 31.
  • 32.
    The Framework WebSite www.nist.gov/cyberframework 32
  • 33.
  • 34.
  • 35.
    Resources https://www.nist.gov/cyberframework/framework-resources-0 35 Over 150 Unique Resourcesfor Your Understanding and Use! General Resources sorted by User Group: • Critical Infrastructure • Small and Medium Business • International • Federal • State Local Tribal Territorial Governments • Academia • Assessments & Auditing • General
  • 36.
    Resources - State& Local https://www.nist.gov/cyberframework/state-local-tribal-and-territorial-resources 36 Texas, Department of Information Resources • Aligned Agency Security Plans with Framework • Aligned Product and Service Vendor Requirements with Framework Houston, Greater Houston Partnership • Integrated Framework into their Cybersecurity Guide • Offer On-Line Framework Self-Assessment North Dakota, Information Technology Department • Allocated Roles & Responsibilities using Framework • Adopted the Framework into their Security Operation Strategy National Association of State CIOs • 2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy New Jersey • Developed a cybersecurity framework that aligns controls and procedures with Framework
  • 37.
    Recent NIST WorkProducts https://www.nist.gov/cyberframework/framework-resources-0 Maritime Profile U.S. Coast Guard Bulk Liquid Transport Profile Self-Assessment Criteria Baldrige Cybersecurity Excellence Builder 37 Manufacturing Profile NIST Discrete Manufacturing Cybersecurity Framework Profile
  • 38.
    Resources https://www.nist.gov/cyberframework/framework-resources-0 38 Over 150 Unique Resourcesfor Your Understanding and Use! NIST Special Publications Computer Security Resource Center 800 Series @ csrc.nist.gov National Cybersecurity Center of Excellence 1800 Series @ nccoe.nist.gov
  • 39.
    NIST Special Publicationsby Category https://www.nist.gov/cyberframework/protect 39
  • 40.
  • 41.
  • 42.
    Relationship Types Online InformativeReferences 42 Key Framework – blue Reference Document - red Case 3 Case 5 Case 1 Case 2 Case 4 Equivalent to Not related to Subset of Intersects with Superset of F R F F F R F & R R R
  • 43.
    Update Activities Engagement Requestfor Information – Views on the Framework for Improving Critical Infrastructure Cybersecurity – Dec 2015 105 Responses 7th Workshop – Apr 2016 653 Physical Attendees, 140 Online Attendees Draft 1 – Framework Version 1.1 – Released Jan 2017 Approx. 42,000+ downloads As of 4/27/18 Request for Comment – Proposed update to the Framework for Improving Critical Infrastructure Cybersecurity – Jan 2017 129 Responses 8th Workshop – May 2017 517 Physical Attendees, 1528 Online Attendees Draft 2 – Framework Version 1.1 – Released Dec 2017 Approx. 32,000+ downloads As of 4/27/18 Request for Comment – Cybersecurity Framework Version 1.1 – Draft 2 – Dec 2017 89 Responses Framework Version 1.1 – Release April 2018 Approx. 27,000+ downloads thus far Continued Improvement of Critical Infrastructure Cybersecurity 43
  • 44.
    Continued Improvement Living DocumentProcess https://www.nist.gov/cyberframework/online-learning/update-process 44
  • 45.
    Milestones Three Year MinimumUpdate Cycle https://www.nist.gov/cyberframework/online-learning/update-process Features List (Version A) Major Minor Administrative Annual Conference New Version? 3 years from last Final Update Features List (Version B) Major Minor Administrative Features List (Version C) Major Minor Administrative Annual Conference Annual Conference Annual Conference Publish Framework Update Draft Framework Update X 45
  • 46.
    Ways to Help StakeholderRecommended Actions • Create and share your Resources with others in coordination with NIST • Customize Framework for your sector or community • Publish a sector or community Profile or relevant Online Informative Reference • Publish Success Stories of your Framework implementation in coordination with NIST • Advocate for the Framework throughout your sector or community, with related sectors and communities. • Submit an idea for the NIST Call for Speakers [email protected] for all NIST coordination and communication 46
  • 47.
    Upcoming 15-16 May 2018 Federal ComputerSecurity Managers Forum https://csrc.nist.gov/Events/2018/Federal-Computer-Security-Managers-Forum-2-day Spring 2018 Publication of Roadmap for Improving Critical Infrastructure Cybersecurity Spring 2018 Publication of NIST Interagency Report 8170 Summer 2018 Spanish Language Framework Version 1.1 6-8 November 2018 NIST Cybersecurity Risk Management Conference - Call for Speakers Winter 2018-19 Small Business Starter Profiles 47
  • 48.
    Resources • Framework forImproving Critical Infrastructure Cybersecurity and related news and information: • www.nist.gov/cyberframework • Additional cybersecurity resources: • http://csrc.nist.gov/ • Questions, comments, ideas: • [email protected] 48
  • 49.

Editor's Notes

  • #6 And also: Cisco Motorola IBM Microsoft Dell CA Technologies Emblem Health AdvaMed Merck Kaiser Permanente Sempra Energy Boeing
  • #17 “…Framework has utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements. …phrases like “compliance with the Framework” can be confusing and mean something very different to various stakeholders.1.1”