NIST Cybersecurity Framework

Presentation on theme: "NIST Cybersecurity Framework"— Presentation transcript:

1 NIST Cybersecurity Framework
Overview and proposed changes in V1.1

2 About Will Bechtel
Director, Technical Services at Online Business Systems
Oversees technical security assessment consulting services
Background: application development, security consulting, product management
Previously: Verisign Global Security Consulting, ATT Security Consulting, Qualys, PrevSec
Customers: SDGE, SAIC, Scripps, Apple, Microsoft, Nvidia, BofA, Home Depot

3 NIST Cybersecurity Framework
Overview of version 1.0

4 Audience
Technical practitioners? Managers? Educational? Other?
Already using the NIST CF?

5 NIST Cybersecurity Framework
Established with a 2013 executive order issued by President Obama
Voluntary development of a risk-based cybersecurity framework
Goal of improving critical infrastructure cybersecurity
Apply the principles and best practices of risk management
Improve the security and resilience of critical infrastructure
*Above is taken directly from NIST

6 What can the NCF do for your organization?
#1 Describe your current and desired cybersecurity posture
#2 Identify and prioritize areas that require improvement
#3 Assess progress toward the desired state
#4 Communicate among stakeholders about cybersecurity risk

7 Why NCF?
Easy to understand
Concise
Many organizations are using it
Maps to other standards

8 Framework Implementation Tiers
The Framework has 3 parts:
Framework Core
Framework Implementation Tiers
Framework Profiles

9 Framework Categories

10 NCF Core Concepts
The five Functions provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk:
IDENTIFY: understand your assets and resources
PROTECT: develop and implement the appropriate safeguards
DETECT: identify the occurrence of a cybersecurity event
RESPOND: take action regarding a detected cybersecurity event
RECOVER: maintain plans for resilience and restore any capabilities or services impaired by an event

11 NCF Categories and Subcategories
IDENTIFY (ID)
ID.AM Asset Management: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
ID.AM-1: Physical devices and systems within the organization are inventoried.
ID.AM-2: Software platforms and applications within the organization are inventoried.
ID.AM-3: Organizational communication and data flows are mapped.
ID.AM-4: External information systems are catalogued.
ID.AM-5: Resources (e.g., hardware, devices, data, time and software) are prioritized based on their classification, criticality, and business value.
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
ID.BE Business Environment: The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
ID.BE-1: The organization's role in the supply chain is identified and communicated.
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated.
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated.
ID.BE-4: Dependencies and critical functions for delivery of critical services are established.
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations).

12 NCF Implementation Tiers
Provide context: how the organization views cybersecurity risk and the processes it has in place to manage that risk
Characterize an organization's practices on four levels: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), Adaptive (Tier 4)

13 NCF Implementation Tiers
The tier chosen should:
Meet the organization's goals
Be feasible to implement
Reduce risk to acceptable levels
Move higher only when doing so "would reduce cybersecurity risk and be cost effective"
Partial, Risk Informed, Repeatable, Adaptive

14 NCF Profiles
Alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario.
Assess the current state (Current Profile)
Set the target state (Target Profile)
Measure progress from the Current Profile to the Target Profile

15 NCF Manage to Target
Scorecard excerpt for the IDENTIFY (ID) function, ID.AM Asset Management category. Each subcategory carries a Score and a Target; "% of Target" is Score divided by Target, capped at 100%.
ID.AM Asset Management: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
ID.AM-1 (Physical devices and systems within the organization are inventoried): Score 4, Target 7, 57.14% of Target
ID.AM-2 (Software platforms and applications within the organization are inventoried): Score 6, Target 7, 85.71% of Target
ID.AM-3 (Organizational communication and data flows are mapped): Score 2, Target 7, 28.57% of Target
ID.AM-4 (External information systems are catalogued): no Score recorded, Target 7
ID.AM-5 (Resources (e.g., hardware, devices, data, time and software) are prioritized based on their classification, criticality, and business value): Score 5, Target 7, 71.43% of Target
ID.AM-6 (Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established): Score 9, Target 7, 100.00% of Target

16 NCF Cycle
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create Current Profile
Step 4: Conduct Risk Assessment
Step 5: Create Target Profile
Step 6: Determine, Analyze, Prioritize Gaps
Step 7: Implement Action Plan
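The scorecard on slide 15 and the "determine, analyze, prioritize gaps" step of the cycle above can be automated. The following Python script is an added example for this page, not the presenter's scorecard spreadsheet or any NIST tooling. It assumes each subcategory carries an integer Score and an integer Target on the same scale and that a missing Score means "not yet assessed"; the slide's ID.AM values (with ID.AM-4 unscored) are embedded as constructed sample input. It computes % of Target capped at 100%, rolls the result up to category level, and orders the gaps for the action plan.

```python
"""Profile scorecard: Current Profile vs Target Profile per CSF subcategory.

Added example, not from the presentation or its scorecard spreadsheet.
Assumptions: each subcategory has an integer score (current state) and an
integer target on the same scale; a score of None means "not yet assessed".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input mirroring the slide's ID.AM rows (ID.AM-4 unscored).
CURRENT_PROFILE: Dict[str, Optional[int]] = {
    "ID.AM-1": 4, "ID.AM-2": 6, "ID.AM-3": 2,
    "ID.AM-4": None, "ID.AM-5": 5, "ID.AM-6": 9,
}
TARGET_PROFILE: Dict[str, int] = {sub: 7 for sub in CURRENT_PROFILE}


@dataclass
class Row:
    subcategory: str
    score: Optional[int]
    target: int
    pct_of_target: Optional[float]  # capped at 100; None if unassessed
    gap: Optional[int]              # target - score, floored at 0; None if unassessed


def percent_of_target(score: Optional[int], target: int) -> Optional[float]:
    """Score as a percentage of target, capped at 100 (exceeding target earns no extra credit)."""
    if target <= 0:
        raise ValueError("target must be positive")
    if score is None:
        return None
    return round(min(score / target, 1.0) * 100, 2)


def score_profile(current: Dict[str, Optional[int]], target: Dict[str, int]) -> List[Row]:
    """Join the two profiles on subcategory id; every subcategory in the target gets a row."""
    rows = []
    for sub, tgt in target.items():
        cur = current.get(sub)
        gap = None if cur is None else max(tgt - cur, 0)
        rows.append(Row(sub, cur, tgt, percent_of_target(cur, tgt), gap))
    return rows


def category_rollup(rows: List[Row]) -> Dict[str, Optional[float]]:
    """Mean % of target per category (the 'ID.AM' part of 'ID.AM-1'), assessed rows only."""
    buckets: Dict[str, List[float]] = {}
    for r in rows:
        cat = r.subcategory.split("-")[0]
        buckets.setdefault(cat, [])
        if r.pct_of_target is not None:
            buckets[cat].append(r.pct_of_target)
    return {cat: (round(sum(v) / len(v), 2) if v else None) for cat, v in buckets.items()}


def prioritized_gaps(rows: List[Row]) -> List[str]:
    """Unassessed subcategories first (you cannot prioritize what you have not measured),
    then the rest by descending gap to target."""
    ordered = sorted(rows, key=lambda r: (r.score is not None, -(r.gap or 0)))
    return [r.subcategory for r in ordered]


def render(rows: List[Row]) -> str:
    """Plain-text scorecard in the layout of the slide."""
    lines = [f"{'Subcategory':<12} {'Score':>5} {'Target':>6} {'% of Target':>11}"]
    for r in rows:
        score = "-" if r.score is None else str(r.score)
        pct = "-" if r.pct_of_target is None else f"{r.pct_of_target:.2f}%"
        lines.append(f"{r.subcategory:<12} {score:>5} {r.target:>6} {pct:>11}")
    return "\n".join(lines)


if __name__ == "__main__":
    scored = score_profile(CURRENT_PROFILE, TARGET_PROFILE)
    print(render(scored))
    print("Category roll-up:", category_rollup(scored))
    print("Work the gaps in this order:", prioritized_gaps(scored))
```

Two design choices matter for an honest scorecard: the cap at 100% keeps an over-achieving subcategory (ID.AM-6 at 9 of 7) from masking weak ones in the category average, and an unassessed subcategory is surfaced at the top of the gap list rather than silently counted as zero or dropped from the roll-up.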

17 NIST Cybersecurity Framework
Proposed changes for V1.1

18 NCF Proposed v1.1
A new section on cybersecurity measurement
Greatly expanded cyber supply chain risk management
Refinements for authentication, authorization, and identity proofing
A better explanation of the relationship between Implementation Tiers and Profiles

19 NCF Proposed v1.1 - Measurement
Measuring state and trends over time
Metrics communicate performance and improve accountability
Measures are observable data used to support the metrics
Connect cybersecurity with business objectives to understand and quantify cause and effect

20 NCF v1.1 - Measurement

21 NCF v1.1 Supply Chain Risk Management
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed…
ID.SC-2: Identify, prioritize and assess suppliers…
ID.SC-3: Suppliers and partners are required by contract…
ID.SC-4: Suppliers and partners are monitored…
ID.SC-5: Response and recovery planning and testing…

22 NCF Proposed v1.1 – Auth, Identity
"Access Control" becomes "Identity Management, Authentication and Access Control"
PR.AC-6: Identities are proofed and bound to credentials…
Several tweaks to the wording of PROTECT subcategories

23 Future of NCF
"The Trump administration has announced that it will impose new metrics on federal agencies related to cybersecurity. Agencies and departments will be required to comply with the framework developed by the National Institute of Standards and Technology (NIST) and report back to the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the White House."

24 3 Things to Remember
It is a framework; you build the structure
You can customize it as needed: something doesn't apply? Don't use it!
It is a great way to be sure you are covering the bases

25 References
https://www.nist.gov/cyberframework (NCF overview page)
-cybersecurity-framework-v1.1-with-markup1.pdf (markup of proposed changes in v1.1)
cybersecurity-program-latest-framework-from-bechtel (LinkedIn article on the changes)
Scorecard spreadsheet

26 Will Bechtel 858.598.4657 wbechtel@obsglobal.com
Director, Technical Services Online Business Systems

