ORGANIZACION DE LOS ESTADOS AMERICANOS
ORGANIZATION OF AMERICAN STATES
Comisión Interamericana de Telecomunicaciones
Inter-American Telecommunication Commission
XXIII MEETING OF PERMANENT CONSULTATIVE
COMMITTEE I: TELECOMMUNICATIONS/
INFORMATION AND COMMUNICATION
TECHNOLOGIES
October 8 to 11, 2013
Mendoza, Argentina
OEA/Ser.L/XVII.4.1
CCP.I-TIC/doc. 3047/13
26 September 2013
Original: English
UPDATE ON THE U.S. CYBERSECURITY FRAMEWORK
FOR PROTECTION OF CRITICAL INFRASTRUCTURE
(Item on the Agenda: 3.3.3)
(Document submitted by the delegation of United States of America)
1. BACKGROUND
PCC.I members are invited to consider potential solutions to address the issue of cybersecurity protection
of their critical infrastructure, in a way that enables the CI Sectors to benefit from a competitive market
for products and services that meet standards and avoid the creation of technical barriers to trade.
Discussion of the U.S. Executive Order “Improving Critical Infrastructure Cybersecurity” supports such
considerations at PCC.I.
Recognizing that national and economic security depends on the reliable functioning of critical
infrastructure, the U.S. President under the Executive Order “Improving Critical Infrastructure
Cybersecurity” has directed the National Institute of Standards and Technology (NIST) to work with
stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure (CI):
<http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity>.
This document provides an update on the development of this Framework since the May 2013 meeting of PCC.I.
2. NIST RESPONSIBILITIES AND PROCESS
Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directed NIST to develop the
voluntary cybersecurity framework. The Framework is being developed through ongoing engagement
with, and input from, stakeholders in government, industry, and academia, including an open public
review and comment process, workshops and other means of engagement.
To develop the Framework, NIST used a Request for Information (RFI) and ongoing stakeholder
engagement to:
(i) identify existing cybersecurity standards, guidelines, frameworks, and best practices that are
applicable to increase the security of critical infrastructure (CI) sectors and other interested
entities;
(ii) specify high-priority gaps for which new or revised standards are needed; and
(iii) collaboratively develop action plans by which these gaps can be addressed.
CITEL, 1889 F ST. NW., WASHINGTON, D.C. 20006, U.S.A.
TEL: +1 202 458 3004 FAX: +1 202 458 6854 e-mail: citel@oas.org
Web page: http://citel.oas.org
The Framework is being developed through an open process, allowing for a robust technical basis that
aligns with business interests. By relying on practices developed, managed, and updated by industry, the
Framework will evolve with technological advances and will align with business needs.
The Framework will seek to promote the wide adoption of practices to increase cybersecurity across all
sectors and industry types. It will seek to provide owners and operators a flexible, repeatable and
cost-effective risk-based approach to implementing security practices while allowing organizations to express
requirements to multiple authorities and regulators. The prioritized, flexible, repeatable, and cost-effective
approach of the framework will help owners and operators of critical infrastructure to manage
cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.
The Framework
The Framework provides a uniform guide for developing robust cybersecurity programs for
organizations. This includes industry-driven standards, best practices and implementation measures to
manage cybersecurity risks to information technology and operational technology.
The Framework provides a common structure for managing cybersecurity risk and will help organizations
identify and understand their dependencies on their business partners, vendors, and suppliers. In doing so,
it will allow organizations to coordinate cybersecurity risk within their industry and sector for the delivery
of critical infrastructure services.
Unique missions, threats, vulnerabilities, and risk tolerances may require different risk management
strategies. One organization’s decisions on how to manage cybersecurity risk may differ from another.
The Framework is intended to help each organization manage cybersecurity risks while maintaining
flexibility and the ability to meet business needs. As a result, the Framework is not designed to replace
existing processes. If an organization does not have an existing risk management process for
cybersecurity, the Framework provides the tools to build one. By implementing the Framework, an
organization can take steps to improve the resilience of its services while protecting data and intellectual
property. This methodology is designed to instill trust from the sector and partners and to protect the
organization’s brand and reputation.
Using the Framework
In the most recent draft, the Framework is composed of three parts: the Framework Core, the Framework
Implementation Tiers, and the Framework Profile. Current descriptions of these are provided below, but
they are subject to change in future versions.
The Framework Core is a compilation of cybersecurity activities and references that are common across
critical infrastructure sectors. The Core presents standards and best practices in a manner that allows for
communication and risk management across the organization from the senior executive level to the
implementation/operations level.
116104099
12.02.16
The Framework Core consists of five functions:
- identify,
- protect,
- detect,
- respond, and
- recover.
Organizations should implement capabilities in each of these areas. In addition to these functions, the
Framework identifies underlying key categories and subcategories for each of these functions and
matches them with informative references such as existing standards, guidelines, and practices for each
subcategory.
The Framework Implementation Tiers (“Tiers”) demonstrate the implementation of the Framework Core
functions and categories and indicate how cybersecurity risk is managed. These Tiers range from Partial
(Tier 0) to Adaptive (Tier 3), with each Tier building on the previous Tier.
The Framework Profile (“Profile”) conveys how an organization manages cybersecurity risk in each of
the Framework Core functions and categories by identifying the subcategories that are implemented or
planned for implementation. Profiles are also used to identify the appropriate goals for an organization or
for a critical infrastructure sector and to assess progress against meeting those goals.
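The Core, Tiers and Profile described above are, in practice, a data structure an organization fills in and compares against a target. The following Python model is an added example for this document and is not NIST's or CITEL's own tooling: it holds a Core as functions, categories and subcategories, records a Profile as the status of each subcategory (implemented, planned, or not addressed), checks a Tier against the Partial (0) to Adaptive (3) scale, and computes the gap between a current and a target Profile, which is the prioritized work list the Profile is meant to surface. Every category name, subcategory identifier and sample Profile below is a constructed placeholder, not a Framework identifier; the only names taken from the text are the five functions and the Partial/Adaptive tier endpoints.

```python
"""Profile gap analysis over a constructed Framework Core (added example)."""
from enum import IntEnum

# The five Core functions named in the document.
FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")


class Status(IntEnum):
    # Ordinal on purpose: a target further along than current is a gap.
    NOT_ADDRESSED = 0
    PLANNED = 1
    IMPLEMENTED = 2


# Constructed Core: function -> category -> subcategory ids.
# Category names and ids are placeholders, not the Framework's own.
CORE = {
    "identify": {"asset-management": ["ID-1", "ID-2"],
                 "risk-assessment": ["ID-3"]},
    "protect": {"access-control": ["PR-1", "PR-2"],
                "data-security": ["PR-3"]},
    "detect": {"continuous-monitoring": ["DE-1", "DE-2"]},
    "respond": {"response-planning": ["RS-1"]},
    "recover": {"recovery-planning": ["RC-1"]},
}

# Only the endpoints of the Tier scale are named in the text; the scale is 0..3.
TIER_NAMES = {0: "Partial", 3: "Adaptive"}


def subcategories(core):
    """Yield (function, category, subcategory_id) triples in Core order."""
    for func in FUNCTIONS:
        for category, subs in core.get(func, {}).items():
            for sub in subs:
                yield func, category, sub


def validate_profile(core, profile):
    """Reject a Profile that references subcategories the Core does not define."""
    known = {sub for _, _, sub in subcategories(core)}
    unknown = set(profile) - known
    if unknown:
        raise ValueError(f"unknown subcategories in profile: {sorted(unknown)}")
    return known


def validate_tier(tier):
    """Tiers run from Partial (0) to Adaptive (3); anything else is rejected."""
    if not isinstance(tier, int) or not 0 <= tier <= 3:
        raise ValueError(f"tier must be an integer in 0..3, got {tier!r}")
    return TIER_NAMES.get(tier, f"Tier {tier}")


def coverage_by_function(core, profile):
    """Per function: (implemented, planned, total) subcategory counts.
    Subcategories absent from the Profile count as not addressed."""
    validate_profile(core, profile)
    counts = {func: [0, 0, 0] for func in FUNCTIONS}
    for func, _, sub in subcategories(core):
        status = profile.get(sub, Status.NOT_ADDRESSED)
        counts[func][2] += 1
        if status is Status.IMPLEMENTED:
            counts[func][0] += 1
        elif status is Status.PLANNED:
            counts[func][1] += 1
    return {func: tuple(c) for func, c in counts.items()}


def profile_gap(core, current, target):
    """Subcategories where the target Profile is further along than the
    current one, grouped by function: the list to prioritize."""
    validate_profile(core, current)
    validate_profile(core, target)
    gaps = {}
    for func, category, sub in subcategories(core):
        cur = current.get(sub, Status.NOT_ADDRESSED)
        tgt = target.get(sub, Status.NOT_ADDRESSED)
        if tgt > cur:
            gaps.setdefault(func, []).append((category, sub, cur.name, tgt.name))
    return gaps


# Constructed sample Profiles: a partial current state and a full target.
CURRENT_PROFILE = {
    "ID-1": Status.IMPLEMENTED, "ID-2": Status.PLANNED,
    "PR-1": Status.IMPLEMENTED, "PR-2": Status.IMPLEMENTED,
    "DE-1": Status.PLANNED,
}
TARGET_PROFILE = {sub: Status.IMPLEMENTED for _, _, sub in subcategories(CORE)}

if __name__ == "__main__":
    for func, (done, planned, total) in coverage_by_function(CORE, CURRENT_PROFILE).items():
        print(f"{func:9s} implemented {done}/{total}, planned {planned}")
    for func, items in profile_gap(CORE, CURRENT_PROFILE, TARGET_PROFILE).items():
        for category, sub, cur, tgt in items:
            print(f"gap {func}/{category}/{sub}: {cur} -> {tgt}")
    print("tier:", validate_tier(3))
```

Keeping the Core as data rather than hard-coding it means a sector Profile (the document notes Profiles can describe a whole CI sector) is the same structure with a different target, and the gap function applies unchanged.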
Previously released drafts are available at the URL provided below, and the Preliminary Framework will
be made available on 10 October 2013. Every organization involved in critical infrastructure services is
invited to actively participate in the development, validation, and implementation of the Cybersecurity
Framework.
Events
Throughout the development of the Framework, NIST has hosted a series of events and workshops to
gather additional input and develop the Framework. Archived webcasts of those events as well as
announcements for future workshops and/or conferences are available here:
<http://www.nist.gov/itl/cyberframework.cfm>. Note that NIST will host a workshop on 14-15
November 2013.
The most recent event was held in September 2013, where NIST presented the draft Preliminary
Cybersecurity Framework (dated 28 August 2013) for discussion. There are three presentations available
from this workshop: a pre-workshop overview, opening plenary, and closing Plenary. These three
presentations and the August draft are available on the Cybersecurity Framework webpage (at the URL
provided in the previous paragraph).
3. PROPOSAL
PCC.I members are invited to
- review the Preliminary Cybersecurity Framework that will be made available on 10 October
2013, here (http://www.nist.gov/itl/cyberframework.cfm) and participate in the 45-day comment
period (immediately following its release);
- participate in-person or remotely in future events for the Preliminary Framework, including a
workshop on 14-15 November 2013; and
- consider their own potential solutions to address the issue of cybersecurity protection of their
critical infrastructure, in a way that enables the CI Sectors to benefit from a competitive market
for products and services that meet standards and avoid the creation of technical barriers to trade.