NIST Cybersecurity Framework Overview and proposed changes in V1.1
About Will Bechtel
  Director, Technical Services at Online Business Systems
  Oversees technical security assessment consulting services
  Background: application development, security consulting, product management
  Previously: Verisign Global Security Consulting, ATT Security Consulting, Qualys, PrevSec
  Customers: SDGE, SAIC, Scripps, Apple, Microsoft, Nvidia, BofA, Home Depot
NIST Cybersecurity Framework Overview of version 1.0
Audience
  Technical practitioners? Managers? Educational? Other?
  Already using the NIST CF?
NIST Cybersecurity Framework
  Established by a 2013 executive order issued by President Obama
  Voluntary development of a risk-based cybersecurity framework
  Goal of improving critical infrastructure cybersecurity
  Apply the principles and best practices of risk management
  Improving the security and resilience of critical infrastructure
  *Above is taken directly from NIST
What NCF can do for your organization
  #1 Describe your current and desired cybersecurity posture
  #2 Identify and prioritize areas that require improvement
  #3 Assess progress toward the desired state
  #4 Communicate among stakeholders about cybersecurity risk
Why NCF?
  Easy to understand
  Concise
  Many organizations are using it
  Maps to other standards
The Framework has 3 parts
  Framework Core
  Framework Implementation Tiers
  Framework Profiles
Framework Categories
NCF Core Concepts
Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk:
  IDENTIFY: Understand your assets and resources
  PROTECT: Develop and implement the appropriate safeguards
  DETECT: Identify the occurrence of a cybersecurity event
  RESPOND: Take action for a detected cybersecurity event
  RECOVER: Activities to maintain plans for resilience
NCF Categories and Subcategories (example: IDENTIFY, ID)
ID.AM Asset Management: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
  ID.AM-1: Physical devices and systems within the organization are inventoried.
  ID.AM-2: Software platforms and applications within the organization are inventoried.
  ID.AM-3: Organizational communication and data flows are mapped.
  ID.AM-4: External information systems are catalogued.
  ID.AM-5: Resources (e.g., hardware, devices, data, time and software) are prioritized based on their classification, criticality, and business value.
  ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
ID.BE Business Environment: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
  ID.BE-1: The organization’s role in the supply chain is identified and communicated.
  ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated.
  ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated.
  ID.BE-4: Dependencies and critical functions for delivery of critical services are established.
  ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations).
NCF Implementation Tiers
Tiers provide context:
  How the organization views cybersecurity risk
  Processes in place to manage risk
  Characterize an organization’s practices
Four tiers: Partial, Risk Informed, Repeatable, Adaptive
NCF Implementation Tiers
The tier chosen should:
  Meet the organization’s goals
  Be feasible to implement
  Reduce risk to acceptable levels
  Be as high as “would reduce cybersecurity risk and be cost effective”
Partial, Risk Informed, Repeatable, Adaptive
NCF Profiles
Alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario.
  Assess current state (current profile)
  Set target state (target profile)
  Measure progress (from current profile to target profile)
NCF Manage to Target (scorecard excerpt)
Function: IDENTIFY (ID)
Category: ID.AM Asset Management. The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

  Subcategory                                                                 Score  Target  % of Target
  ID.AM-1: Physical devices and systems within the organization are inventoried.        4      7    57.14%
  ID.AM-2: Software platforms and applications within the organization are inventoried. 6      7    85.71%
  ID.AM-3: Organizational communication and data flows are mapped.                      2      7    28.57%
  ID.AM-4: External information systems are catalogued.                                 -      7    (not scored)
  ID.AM-5: Resources (e.g., hardware, devices, data, time and software) are prioritized based on their classification, criticality, and business value.  5  7  71.43%
  ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.  9  7  100.00%

(The target of 7 appears once on the slide and applies to every row shown; the percentages are score divided by target.)
NCF Cycle
  1. Prioritize and Scope
  2. Orient
  3. Create Current Profile
  4. Conduct Risk Assessment
  5. Create Target Profile
  6. Determine, Analyze, Prioritize Gaps
  7. Implement Action Plan
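The scorecard slide above and the "Determine, Analyze, Prioritize Gaps" step of the cycle, worked as an added example (this is not code from the deck or from the scorecard spreadsheet it references). It reproduces the ID.AM rows and assumes a target of 7 for every row, a percentage capped at 100% (the slide shows 9 of 7 as 100.00%), an unscored row excluded from the roll-up, and a category figure computed as the mean of scored rows, which is a choice made here and not something the slide states.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Subcategory:
    """One NCF subcategory row of a Manage-to-Target scorecard."""
    id: str
    score: Optional[int]   # None = not yet assessed (ID.AM-4 on the slide)
    target: int

    def pct_of_target(self) -> Optional[float]:
        """Progress toward target, capped at 100%: exceeding the target
        (ID.AM-6 scores 9 against 7) does not earn extra credit."""
        if self.score is None or self.target <= 0:
            return None
        return round(min(self.score / self.target, 1.0) * 100, 2)

# Constructed sample: the ID.AM rows as shown on the scorecard slide.
ID_AM_ROWS = [
    Subcategory("ID.AM-1", 4, 7),
    Subcategory("ID.AM-2", 6, 7),
    Subcategory("ID.AM-3", 2, 7),
    Subcategory("ID.AM-4", None, 7),
    Subcategory("ID.AM-5", 5, 7),
    Subcategory("ID.AM-6", 9, 7),
]

def category_rollup(rows):
    """Roll a category up for the 'prioritize gaps' step.

    Returns the mean % of target over scored rows (assumed roll-up rule),
    the rows that still need an assessment, and the gaps ordered from
    furthest-from-target to closest so the action plan can start there.
    """
    scored = [(r.id, r.pct_of_target()) for r in rows if r.pct_of_target() is not None]
    unscored = [r.id for r in rows if r.score is None]
    mean = round(sum(p for _, p in scored) / len(scored), 2) if scored else None
    gaps = sorted(((i, p) for i, p in scored if p < 100.0), key=lambda g: g[1])
    return {"pct_of_target": mean, "unscored": unscored, "gaps": gaps}

if __name__ == "__main__":
    for row in ID_AM_ROWS:
        print(f"{row.id}: score={row.score} target={row.target} pct={row.pct_of_target()}")
    print(category_rollup(ID_AM_ROWS))
```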
NIST Cybersecurity Framework Proposed changes for V1.1
NCF Proposed v1.1
  A new section on cybersecurity measurement
  Greatly expanded cyber supply chain risk management
  Refinements for authentication, authorization, and identity proofing
  A better explanation of the relationship between implementation tiers and profiles
NCF Proposed v1.1 - Measurement
  Measuring state and trends over time
  Metrics communicate performance and improve accountability
  Measures are observable data used to support the metrics
  Connect cybersecurity with business objectives to understand and quantify cause and effect
NCF v1.1 - Measurement
NCF v1.1 - Supply Chain Risk Management
  ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed…
  ID.SC-2: Identify, prioritize and assess suppliers…
  ID.SC-3: Suppliers and partners are required by contract…
  ID.SC-4: Suppliers and partners are monitored…
  ID.SC-5: Response and recovery planning and testing…
NCF Proposed v1.1 – Authentication and Identity
  “Access Control” becomes “Identity Management, Authentication and Access Control”
  PR.AC-6: Identities are proofed and bound to credentials…
  Several tweaks to the wording of PROTECT subcategories
Future of NCF
“The Trump administration has announced that it will impose new metrics on federal agencies related to cybersecurity. Agencies and departments will be required to comply with the framework developed by the National Institute of Standards and Technology (NIST) and report back to the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the White House.”
http://www.natlawreview.com/article/government-agencies-to-be-rated-cybersecurity-using-nist-framework
3 Things to Remember
  1. It is a framework; you build the structure
  2. You can customize it as needed. Something doesn’t apply? Don’t use it!
  3. It is a great way to be sure you are covering the bases
References
  https://www.nist.gov/cyberframework (NCF overview page)
  https://www.nist.gov/sites/default/files/documents////draft-cybersecurity-framework-v1.1-with-markup1.pdf (markup of proposed changes in v1.1)
  https://www.linkedin.com/pulse/evaluate-your-cybersecurity-program-latest-framework-from-bechtel (LinkedIn article on the changes)
  http://scorecard1-1.prevsec.com/ (scorecard spreadsheet)
Will Bechtel
Director, Technical Services, Online Business Systems
858.598.4657
wbechtel@obsglobal.com