NIST Cybersecurity Framework

Cybersecurity Framework
Overview
Executive Order 13636
“Improving Critical Infrastructure Cybersecurity”
Brian Hubbard
Account Manager
brian.hubbard@g2-inc.com
(301) 575-5106
January 22, 2014
Executive Order 13636—Improving Critical Infrastructure Cybersecurity

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”

• NIST is directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure
The Cybersecurity Framework

For the Cybersecurity Framework to meet the requirements of the Executive Order, it must:
• include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
• provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
• identify areas for improvement.
Development of the Preliminary Framework

Engage the Framework Stakeholders
• EO 13636 Issued – February 12, 2013
• NIST Issues RFI – February 26, 2013
• 1st Framework Workshop – April 03, 2013

Collect, Categorize, and Post RFI Responses
• Completed – April 08, 2013

Analyze RFI Responses
• Identify Common Practices/Themes – May 15, 2013
• 2nd Framework Workshop at CMU – May 29-31, 2013

Identify Framework Elements
• Draft Outline of Preliminary Framework – June 2013
• 3rd Framework Workshop at UCSD – July 10-12, 2013

Prepare and Publish Preliminary Framework
• 4th Framework Workshop at UT Dallas – September 11-13, 2013
• Publish Preliminary Framework – October 29, 2013

Ongoing Engagement: open public comment and review encouraged and promoted throughout the process
Getting from the Preliminary Framework to the Final Framework and Beyond

Prepare and Publish Preliminary Framework
• Publish Preliminary Framework – October 29, 2013
• Begin 45-day Public Comment Period

Additional Ongoing Public Engagement
• Stakeholder outreach discussions continue
• 5th Framework Workshop at NCSU – Nov 14-15, 2013

Public Comment Period
• Public comment period closed – December 13, 2013

Final Cybersecurity Framework
• Complete comment resolution and disposition
• Publish Cybersecurity Framework – February 2014

Framework Governance
• Framework maintenance and updates

Ongoing Engagement: open public comment and review encouraged and promoted throughout the process
Framework Components

Framework Core
• Cybersecurity activities and references that are common across critical infrastructure sectors, organized around particular outcomes.

Framework Profile
• Alignment of standards, guidelines and practices to the Framework Core in a particular implementation scenario
• “Current” Profile vs. “Target” Profile

Framework Implementation Tiers
• Capture how an organization views cybersecurity risk and the processes in place to manage that risk
Framework Core
Framework Functions

The five Framework Core Functions provide the highest level of structure:
• Identify – Develop the institutional understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
• Protect – Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services.
• Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
• Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event.
• Recover – Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the appropriate capabilities that were impaired due to a cybersecurity event.
Framework Categories

• Categories are the subdivisions of a Function into groups of cybersecurity activities, more closely tied to programmatic needs.
Subcategories and Informative References

• Subcategories subdivide a Category into specific outcomes of technical and/or management activities.
• Informative References are specific sections of standards, guidelines and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory.
• The Informative References presented in the Framework Core are not exhaustive, and organizations are free to implement other standards, guidelines, and practices.
Framework Core - Sample
Framework Profiles

• Enables organizations to establish a roadmap to reducing cybersecurity risk
• Used to describe current state and desired target state
• Comparison of profiles reveals gaps that may be addressed to meet cybersecurity risk management objectives
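The Current-versus-Target Profile comparison described above, as an added Python example that is not part of the NIST Framework or of this presentation: it models a miniature Framework Core (Function, Category, Subcategory, Informative References), expresses two Profiles as Subcategory-to-outcome mappings, and returns the gaps ordered into a roadmap. The subcategory identifiers (X-AM-1 and so on), the placeholder standards named as Informative References, and the three-step achievement scale are all constructed for illustration; the Framework defines none of them. The example also handles two edge cases the slide leaves implicit: a Subcategory missing from the Current Profile is treated as not implemented, and a Profile that names a Subcategory absent from the Core is rejected rather than silently ignored.

```python
"""Framework Core / Profile gap analysis, a constructed example."""
from dataclasses import dataclass
from enum import IntEnum

# Function order from the Framework Core; used to order the roadmap.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


class Outcome(IntEnum):
    """Constructed three-step scale for how far a Subcategory outcome is
    achieved. The Framework does not prescribe such a scale."""
    NOT_IMPLEMENTED = 0
    PARTIAL = 1
    IMPLEMENTED = 2


@dataclass(frozen=True)
class Subcategory:
    id: str                   # constructed identifier, not an official one
    function: str
    category: str
    outcome: str
    informative_refs: tuple   # constructed placeholders, not real standards


@dataclass(frozen=True)
class Gap:
    subcategory: Subcategory
    current: Outcome
    target: Outcome

    @property
    def delta(self) -> int:
        return int(self.target) - int(self.current)


# A miniature, constructed Core: Function -> Category -> Subcategory -> refs.
CORE = (
    Subcategory("X-AM-1", "Identify", "Asset Management",
                "Physical devices are inventoried", ("Placeholder Std A s.1",)),
    Subcategory("X-AM-2", "Identify", "Asset Management",
                "Software platforms are inventoried", ("Placeholder Std A s.2",)),
    Subcategory("X-AC-1", "Protect", "Access Control",
                "Identities and credentials are managed", ("Placeholder Std B s.3",)),
    Subcategory("X-CM-1", "Detect", "Continuous Monitoring",
                "The network is monitored for events", ("Placeholder Std C s.4",)),
    Subcategory("X-RP-1", "Respond", "Response Planning",
                "A response plan is executed during an event", ("Placeholder Std D s.5",)),
    Subcategory("X-RC-1", "Recover", "Recovery Planning",
                "A recovery plan is executed after an event", ("Placeholder Std D s.6",)),
)

# Constructed "Current" and "Target" Profiles: Subcategory id -> Outcome.
# A Subcategory absent from the Current Profile counts as not implemented;
# one absent from the Target Profile means no change is sought.
CURRENT_PROFILE = {"X-AM-1": Outcome.PARTIAL, "X-AC-1": Outcome.IMPLEMENTED,
                   "X-CM-1": Outcome.NOT_IMPLEMENTED, "X-RP-1": Outcome.PARTIAL,
                   "X-RC-1": Outcome.NOT_IMPLEMENTED}
TARGET_PROFILE = {"X-AM-1": Outcome.IMPLEMENTED, "X-AM-2": Outcome.IMPLEMENTED,
                  "X-AC-1": Outcome.IMPLEMENTED, "X-CM-1": Outcome.PARTIAL,
                  "X-RC-1": Outcome.IMPLEMENTED}


def gap_analysis(core, current, target):
    """Compare two Profiles against the Core and return the Subcategories
    where the Target exceeds the Current, largest shortfall first, then in
    Function order (Identify .. Recover)."""
    known = {sub.id: sub for sub in core}
    unknown = (set(current) | set(target)) - set(known)
    if unknown:
        # A Profile must be expressed in terms of the Core; anything else is
        # a typo or a Subcategory the organization never defined.
        raise ValueError(f"profile references unknown subcategories: {sorted(unknown)}")
    gaps = []
    for sub in core:
        cur = current.get(sub.id, Outcome.NOT_IMPLEMENTED)
        tgt = target.get(sub.id, cur)
        if tgt > cur:
            gaps.append(Gap(sub, cur, tgt))
    # sort() is stable, so ties keep the Core's own ordering within a Function.
    gaps.sort(key=lambda g: (-g.delta, FUNCTIONS.index(g.subcategory.function)))
    return gaps


def roadmap(gaps):
    """Group gap ids by Function, in Function order, omitting Functions with none."""
    by_function = {}
    for fn in FUNCTIONS:
        ids = [g.subcategory.id for g in gaps if g.subcategory.function == fn]
        if ids:
            by_function[fn] = ids
    return by_function


def example_gaps():
    """Run the analysis on the constructed Profiles above."""
    return gap_analysis(CORE, CURRENT_PROFILE, TARGET_PROFILE)


if __name__ == "__main__":
    for g in example_gaps():
        print(f"{g.subcategory.function:<9}{g.subcategory.id:<8}"
              f"{g.current.name:>16} -> {g.target.name:<16}"
              f"refs: {', '.join(g.subcategory.informative_refs)}")
    print(roadmap(example_gaps()))
```

Running the block prints the four gaps, the two largest shortfalls (X-AM-2 and X-RC-1) first, followed by the roadmap grouped by Function; the Informative References carried on each gap are the pointer to the practices an organization could draw on to close it.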
Framework Implementation Tiers

• The Framework Implementation Tiers (“Tiers”) are a lens through which to view the characteristics of the organization’s approach to risk
• Tiers range from Partial (Tier 1) to Adaptive (Tier 4)
• Tier selection process considers
  • an organization’s current risk management practices
  • threat environment
  • legal and regulatory requirements
  • business/mission objectives
  • organizational constraints
How to Use the Framework

An organization’s risks, policies, and procedures will ultimately drive its Framework adoption.

Framework Use Cases:
• Basic Review of Cybersecurity Practices
• Establish or Improve a Cybersecurity Program
• Communicating Cybersecurity Requirements with Stakeholders
• Identifying Opportunities for New or Revised Informative References

Framework Provides a Methodology to Protect Privacy and Civil Liberties
Thank You
The Cybersecurity Framework is available at
http://www.nist.gov/itl/cyberframework.cfm
Brian Hubbard
G2 Inc.
Brian.hubbard@g2-inc.com
(301) 575-5106