NIST Cybersecurity Framework Explained · 2019-07-26 · Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework”) • Framework Overview •

NIST Cybersecurity Framework Explained

© 2018 RSA Conference. All rights reserved.

Introduction

2

Tom ConkleG2 Inc, Cybersecurity Engineer & CForum Founding Member

Kelly HoodG2 Inc, Cybersecurity Engineer & CForum Member


Agenda

• Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework”)

• Framework Overview• Framework Core Categories

Framework for Improving Critical Infrastructure

Cybersecurity

Version 1.1

4


Risk Management Framework (RMF)

Workforce Framework (NICE)

Privacy Engineering Framework (PEF)

Cyber Physical Systems (CPS) Framework

Cybersecurity Framework (CSF)

The Cybersecurity Framework helps organizes and communicate about cybersecurity improvements

NIST Frameworks

5


Framework Core

Framework Profiles

Implementation Tiers

The Cybersecurity Framework established three primary components

6


The Framework Core establishes a common language for describing a cybersecurity program

Framework Core

• Common set of cybersecurity• activities, • desired outcomes, and • applicable references

• Used across critical infrastructure sectors

• Provides a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk

7


Framework Core

The subcategories describe expected outcomes of a cybersecurity program

8


Each subcategory is matched with relevant Informative References

Framework Core

9


Implementation Tier Characteristics• Tier 1: Partial

• Cybersecurity program is ad-hoc

• Tier 2: Risk Informed• Cybersecurity roles are beginning to be

informally defined

• Tier 3: Repeatable• Cybersecurity program is defined in

formal, approved policies

• Tier 4: Adaptive• Cybersecurity program is robust with formal, approved policies and roles• Organization is seeking out information on new threats before they occur to

help stay ahead

10


Profiles help organizations align & prioritize cybersecurity activities

11


Current and Target state Profiles help organizations capture their cybersecurity program

• Current State Profile• Present state of the

organization’s unique cybersecurity program

• Target State Profile• Captures the to-be state

for the organization’s cybersecurity program

12


Category updates in the Framework Version 1.1

13

• Functions: 5 5• Categories: 22 23• Subcategories: 98 108

Supply Chain Risk

Management

Identity Management & Access Control


Version 1.1 clarified and enhanced the Core

14


Asset Management is the first category in the Identify Function

(ID.AM)

15


Business Environment is the second category in the Identify Function.

(ID.BE)

16


Governance is the third category in the Identify Function.

(ID.GV)

17


Risk Assessment is the forth category in the Identify Function.

(ID.RA)

18


Risk Management Strategy is the fifth category in the Identify Function.

(ID.RM)

19


Supply Chain Risk Management was added as the sixth category in the Identify Function.

(ID.SC)

20


Identity Management, Authentication, and Access Control is the first category in the Protect Function.

(PR.AC)

21


Awareness and Training is the second category in the Protect Function.

(PR.AT)

22


Data Security is the third category in the Protect Function.

(PR.DS)

23


Information Protection Processes and Procedures is the forth category in the Protect Function.

(PR.IP)

24


Maintenance is the fifth category in the Protect Function.

(PR.MA)

25


Protective Technology is the sixth category in the Protect Function.

(PR.PT)

26


Anomalies and Events is the first category in the Detect Function.

(DE.AE)

27


Security Continuous Monitoring is the second category in the Detect Function.

(DE.CM)

28


Detection Processes is the third category in the Detect Function.

(DE.DP)

29


Response Planning is the first category in the Respond Function.

(RS.RP)

30


Communications is the second category in the Respond Function.

(RS.CO)

31


Analysis is the third category in the Respond Function.

(RS.AN)

32


Mitigation is the forth category in the Respond Function.

(RS.MI)

33


Improvements is the fifth category in the Respond Function.

(RS.IM)

34


Recovery Planning is the first category in the Recover Function.

(RC.RP)

35


Improvements is the second category in the Recover Function.

(RC.IM)

36


Communications is the third category in the Recover Function.

(RC.CO)

37


There are several benefits for using the NIST Cybersecurity Framework

• Common Language• Collaboration Opportunities• Maintain Compliance• Demonstrate Due Care• Secure Supply Chain• Measuring Cybersecurity Status• Cost Efficiency

39

Compliance Secure


Resources to aid in understanding & implementation of the NIST Cybersecurity Framework

Cybersecurity Framework Websitewww.NIST.gov/CyberFramework

CForum Websitewww.Cyber.securityFramework.org

G2 Templates & Implementation Assistance

www.ManageTheRisk.com

40

http://www.nist.gov/CyberFramework

http://www.cyber.securityframework.org/

http://www.managetherisk.com/


Questions?

41

Tom ConkleCybersecurity [email protected](443) 292-6679

Kelly HoodCybersecurity [email protected](443) 741-1968

mailto:[email protected]

mailto:[email protected]

Documents

NIST Cybersecurity Framework Explained · 2019-07-26 · Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework”) • Framework Overview •