The NIST Framework for Cybersecurity Matthew Todd SF Bay InfraGard

Upload: mercy-foster

Post on 21-Dec-2015


TRANSCRIPT

Page 1: The NIST Framework for Cybersecurity Matthew Todd SF Bay InfraGard

The NIST Framework for Cybersecurity
Matthew Todd
SF Bay InfraGard

Page 2

Get the Framework

The National Institute of Standards and Technology (NIST)
Framework for Improving Critical Infrastructure Cybersecurity

http://www.nist.gov/cyberframework/

Page 3

The Executive Order

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
Executive Order 13636, February 12, 2013

This Executive Order calls for the development of a voluntary Cybersecurity Framework (“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity risk.

Page 4

What is it, exactly?

• Voluntary
• Risk-based framework
• Industry standards and best practices
• Provides organization, structure, and language
• Cost-effective
• Based on business needs
• Considers privacy
• Can complement or test existing programs

Page 5

Key Goals of the Framework “Lifetime”

1. Describe the current cybersecurity risk management posture
2. Describe the target posture
3. Identify and prioritize gaps
4. Assess progress towards the target state
5. Communicate with internal and external stakeholders
6. Iterate

It may also be used outside of a cyclic process, for example to assess a vendor once rather than iteratively.

Page 6

The Framework: The Parts

• The Core
  • The essential elements of a cybersecurity program
  • A common language
• The Implementation Tiers
  • A way to talk about the extent and sophistication of risk management
• The Profiles
  • A description of current or target risk management programs

Page 7

The Framework: Core

• A matrix of:
  • Functions
  • Categories
  • Subcategories
  • Informative references
• Describes activities and desired outcomes
• Functional areas:
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Page 8

Function Unique Identifier | Function | Category Unique Identifier | Category | Subcategory | References

ID  Identify
    ID.AM  Asset Management
    ID.BE  Business Environment
    ID.GV  Governance
    ID.RA  Risk Assessment
    ID.RM  Risk Management Strategy

PR  Protect
    PR.AC  Access Control
    PR.AT  Awareness and Training
    PR.DS  Data Security
    PR.IP  Information Protection Processes and Procedures
    PR.MA  Maintenance
    PR.PT  Protective Technology

DE  Detect
    DE.AE  Anomalies and Events
    DE.CM  Security Continuous Monitoring
    DE.DP  Detection Processes

RS  Respond
    RS.RP  Response Planning
    RS.CO  Communications
    RS.AN  Analysis
    RS.MI  Mitigation
    RS.IM  Improvements

RC  Recover
    RC.RP  Recovery Planning
    RC.IM  Improvements
    RC.CO  Communications

Example rows (Function / Category / Subcategory / Informative References):

Detect / Security Continuous Monitoring / DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
    COBIT 5 APO07.06
    ISO/IEC 27001:2013 A.14.2.7, A.15.2.1
    NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4

Identify / Asset Management / ID.AM-1: Physical devices and systems within the organization are inventoried
    CCS CSC 1
    COBIT 5 BAI09.01, BAI09.02
    ISA 62443-2-1:2009 4.2.3.4
    ISA 62443-3-3:2013 SR 7.8
    ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
    NIST SP 800-53 Rev. 4 CM-8

Recover / Improvements / RC.IM-1: Recovery plans incorporate lessons learned
    COBIT 5 BAI05.07
    ISA 62443-2-1:2009 4.4.3.4
    NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

Page 9

The Framework: Implementation Tiers

• Perspective on risks, and the extent of mitigation
• Organization-wide
• Four Tiers:
  1. Partial
  2. Risk-informed
  3. Repeatable
  4. Adaptive

• Can be used with executive management

How to use the Tiers is not clearly defined in the Framework!

Page 10

The Framework: Profiles

• A Profile is a description of a risk management program
• Current Profile is an assessment of the current state
• Target Profile is a goal state, considering:
  • Risks
  • Business requirements
  • Available resources
  • Regulatory or other requirements
• Current vs. Target is the gap

Page 11

Implementation

[Diagram: Risk Management across the Organizational Structure. Three levels are stacked: Executive Level, Business/Process Level, Implementation/Operations Level. Budget and Priorities and the Desired Profile flow down through the levels; BIA/Risk Assessment results and Progress to Goal flow back up.]

Page 12

Put it All Together: A Basic Security Program

1. Identify Business Objectives and Scope
2. Identify Context (environment, regulations, etc.)
3. Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Identify and prioritize gaps
7. Create and implement an Action Plan
8. Iterate!

Page 13

Caution

• The framework relies on your ability to objectively:
  • Identify current risk
  • Assess mitigating controls
• Acknowledged risks can be used against you.
• Privacy risks
• Competing risks

Seek independent counsel.

Prioritize: “What” and “Why”.

Ensure that privacy requirements are considered.

Identify and empower the right business owner to make key risk decisions.

Page 14

Other Sources

• SANS Critical Security Controls
  • 20 key controls
  • Available at http://www.sans.org/critical-security-controls
• ISO/IEC 27000-series
  • International standard for information security
  • Certifications are available, but non-US based (generally)
• Federal Financial Institutions Examination Council (FFIEC)
  • Examination “handbooks”
  • “…uniform principles, standards, and report forms for the federal examination of financial institutions”
  • http://ithandbook.ffiec.gov/
• US-CERT C-Cubed
  • http://www.us-cert.gov/ccubedvp/getting-started-business
• PCI DSS
• SSAE 16/SOC 2

Page 15

The Framework Template

• An Excel spreadsheet
• Set high/low water marks
• Highlights areas in yellow and red
• Rolls up to categories
• Can be used internally or with vendors

Available at member site or on request
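The Core matrix, the Current and Target Profiles, the gap step of the basic program and the template's water-mark roll-up, as an added Python example. This is not code from the slides or from NIST; the spreadsheet itself is not reproduced here. The 0..4 scoring scale, the two Profiles, the priority weights and the water marks (1.5 and 3.0) are assumed for a fictional organization. The three subcategories carrying references are the ones quoted on the slides; the other three (ID.AM-2, DE.CM-1, RC.IM-2) are from Framework Core v1.0 and are included, with references omitted, so that each category has two rows to roll up.

```python
from dataclasses import dataclass

# Assumed scoring scale for each subcategory in a Profile. This is a
# convention for the example, not the Framework's Tiers, which describe
# the organization as a whole rather than one outcome.
SCALE = {0: "not implemented", 1: "ad hoc", 2: "documented",
         3: "implemented and measured", 4: "optimized"}


@dataclass(frozen=True)
class Subcategory:
    id: str                  # e.g. "ID.AM-1"
    outcome: str             # desired outcome text from the Core
    references: tuple = ()   # informative references, if listed

    @property
    def category(self) -> str:   # "ID.AM-1" -> "ID.AM"
        return self.id.rsplit("-", 1)[0]

    @property
    def function(self) -> str:   # "ID.AM-1" -> "ID"
        return self.id.split(".", 1)[0]


# Slice of the Core. Rows with references are the ones shown on the slides;
# the others are from Framework Core v1.0 with references omitted.
CORE = (
    Subcategory("ID.AM-1", "Physical devices and systems within the organization are inventoried",
                ("CCS CSC 1", "COBIT 5 BAI09.01, BAI09.02", "ISA 62443-2-1:2009 4.2.3.4",
                 "ISA 62443-3-3:2013 SR 7.8", "ISO/IEC 27001:2013 A.8.1.1, A.8.1.2",
                 "NIST SP 800-53 Rev. 4 CM-8")),
    Subcategory("ID.AM-2", "Software platforms and applications within the organization are inventoried"),
    Subcategory("DE.CM-1", "The network is monitored to detect potential cybersecurity events"),
    Subcategory("DE.CM-6", "External service provider activity is monitored to detect potential cybersecurity events",
                ("COBIT 5 APO07.06", "ISO/IEC 27001:2013 A.14.2.7, A.15.2.1",
                 "NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4")),
    Subcategory("RC.IM-1", "Recovery plans incorporate lessons learned",
                ("COBIT 5 BAI05.07", "ISA 62443-2-1:2009 4.4.3.4",
                 "NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8")),
    Subcategory("RC.IM-2", "Recovery strategies are updated"),
)

# Constructed Profiles for a fictional organization (scores on SCALE).
CURRENT = {"ID.AM-1": 3, "ID.AM-2": 1, "DE.CM-1": 2, "DE.CM-6": 0, "RC.IM-1": 1, "RC.IM-2": 1}
TARGET  = {"ID.AM-1": 4, "ID.AM-2": 3, "DE.CM-1": 3, "DE.CM-6": 3, "RC.IM-1": 3, "RC.IM-2": 2}
# Priority 1..3 assigned by the business owner from the risk assessment (assumed).
PRIORITY = {"ID.AM-1": 2, "ID.AM-2": 2, "DE.CM-1": 3, "DE.CM-6": 3, "RC.IM-1": 1, "RC.IM-2": 1}


def validate_profile(core, profile):
    """A Profile must score every in-scope subcategory on the agreed scale.
    An unscored outcome is a gap in the assessment itself, not a zero, so
    refuse it rather than silently defaulting."""
    ids = {s.id for s in core}
    have = set(profile)
    bad = {k: v for k, v in profile.items() if v not in SCALE}
    if ids - have or have - ids or bad:
        raise ValueError(f"missing={sorted(ids - have)} unknown={sorted(have - ids)} out_of_scale={bad}")


def gap_report(core, current, target, priority):
    """Current vs. Target is the gap. Rows come back with the largest
    risk-weighted gap first; ties broken by raw gap, then by id."""
    validate_profile(core, current)
    validate_profile(core, target)
    rows = []
    for s in core:
        gap = target[s.id] - current[s.id]
        rows.append({"id": s.id, "current": current[s.id], "target": target[s.id],
                     "gap": gap, "weighted": gap * priority[s.id], "outcome": s.outcome})
    return sorted(rows, key=lambda r: (-r["weighted"], -r["gap"], r["id"]))


def roll_up(core, profile, low=1.5, high=3.0):
    """Average subcategory scores per category and rate them against the
    low/high water marks: red below low, yellow up to high, green at or above."""
    validate_profile(core, profile)
    by_cat = {}
    for s in core:
        by_cat.setdefault(s.category, []).append(profile[s.id])

    def rate(score):
        return "red" if score < low else "yellow" if score < high else "green"

    return {cat: (sum(v) / len(v), rate(sum(v) / len(v))) for cat, v in by_cat.items()}


if __name__ == "__main__":
    for r in gap_report(CORE, CURRENT, TARGET, PRIORITY):
        print(f"{r['id']:8} {r['current']}->{r['target']} gap={r['gap']} weighted={r['weighted']}  {r['outcome']}")
    for cat, (score, colour) in roll_up(CORE, CURRENT).items():
        print(f"{cat:6} {score:.1f} {colour}")
```

The roll-up deliberately averages rather than taking the minimum, which is what a spreadsheet template typically does; if one outcome in a category is a hard requirement, score it separately or lower the category's water marks rather than letting a strong neighbour mask it.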

Page 16

Q&A