Framework for Improving Critical
Infrastructure Cybersecurity
March 2017
cyberframework@nist.gov
Improving Critical Infrastructure Cybersecurity

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”

Executive Order 13636, February 12, 2013
The Cybersecurity Framework...
•  Includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
•  Provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
•  Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations.
•  Is consistent with voluntary international standards.
Development of the Framework
Process: Engage Stakeholders → Collect, Categorize, Post RFI Responses → Analyze RFI Responses → Identify Framework Elements → Prepare and Publish Framework

Timeline:
•  EO 13636 Issued – Feb 12, 2013
•  RFI Issued – Feb 2013
•  1st Workshop – April 2013
•  RFI phase Completed – April 2013
•  2nd Workshop – May 2013
•  Draft Outline of Framework – June 2013
•  3rd Workshop – July 2013
•  4th Workshop – Sept 2013
•  5th Workshop – Nov 2013
•  Published – Feb 12, 2014

Ongoing Engagement: open public comment/review encouraged throughout the process… and to this day.
The Framework Is for Organizations…
•  Of any size, in any sector in (and outside of) the critical infrastructure.
•  That already have a mature cyber risk management and cybersecurity program.
•  That don’t yet have a cyber risk management or cybersecurity program.
•  Needing to keep up-to-date managing risks, facing business or societal threats.
•  In the federal government, too…since it is compatible with FISMA requirements and goals.
Continued Improvement of Critical Infrastructure Cybersecurity
The Cybersecurity Enhancement Act of 2014 (P.L. 113-274, 18 December 2014) amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say:

“…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure”
Cybersecurity Framework Components
•  Framework Core: cybersecurity activities and informative references, organized around particular outcomes. Enables communication of cyber risk across an organization.
•  Framework Implementation Tiers: describe how cybersecurity risk is managed by an organization and the degree to which its risk management practices exhibit key characteristics.
•  Framework Profile: aligns industry standards and best practices to the Framework Core in a particular implementation scenario. Supports prioritization and measurement while factoring in business needs.
Key Properties of Cyber Risk Management
•  Risk Management Process
•  Integrated Risk Management Program
•  External Participation

Implementation Tiers
Tier 1: Partial | Tier 2: Risk Informed | Tier 3: Repeatable | Tier 4: Adaptive

Each Tier is characterized along the three key properties:
•  Risk Management Process: the functionality and repeatability of cybersecurity risk management.
•  Integrated Risk Management Program: the extent to which cybersecurity is considered in broader risk management decisions.
•  External Participation: the degree to which the organization benefits by sharing or receiving information from outside parties.
Core
Cybersecurity Framework Component
The Core gives three audiences a shared way to talk about cyber risk:
•  Senior Executives: broad enterprise considerations; abstracted risk vocabulary.
•  Implementation/Operations: deep technical considerations; highly specialized vocabulary.
•  Specialists in Other Fields: specific focus outside of cybersecurity; specialized or no risk vocabulary.
Core
Cybersecurity Framework Component
Each Function answers a question; its Categories carry an ID prefixed by the Function.

Identify: What processes and assets need protection?
  Asset Management                                ID.AM
  Business Environment                            ID.BE
  Governance                                      ID.GV
  Risk Assessment                                 ID.RA
  Risk Management Strategy                        ID.RM
Protect: What safeguards are available?
  Access Control                                  PR.AC
  Awareness and Training                          PR.AT
  Data Security                                   PR.DS
  Information Protection Processes & Procedures   PR.IP
  Maintenance                                     PR.MA
  Protective Technology                           PR.PT
Detect: What techniques can identify incidents?
  Anomalies and Events                            DE.AE
  Security Continuous Monitoring                  DE.CM
  Detection Processes                             DE.DP
Respond: What techniques can contain impacts of incidents?
  Response Planning                               RS.RP
  Communications                                  RS.CO
  Analysis                                        RS.AN
  Mitigation                                      RS.MI
  Improvements                                    RS.IM
Recover: What techniques can restore capabilities?
  Recovery Planning                               RC.RP
  Improvements                                    RC.IM
  Communications                                  RC.CO
Core
Cybersecurity Framework Component
Drilling into one Category, Business Environment (ID.BE), shows its Subcategories (outcomes) and their Informative References:

ID.BE-1: The organization’s role in the supply chain is identified and communicated
  COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
  ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2
  NIST SP 800-53 Rev. 4 CP-2, SA-12
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
  COBIT 5 APO02.06, APO03.01
  NIST SP 800-53 Rev. 4 PM-8
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
  COBIT 5 APO02.01, APO02.06, APO03.01
  ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
  NIST SP 800-53 Rev. 4 PM-11, SA-14
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
  ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
  NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
ID.BE-5: Resilience requirements to support delivery of critical services are established
  COBIT 5 DSS04.02
  ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
  NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
Profile
Cybersecurity Framework Component
A Profile spans all five Functions: Identify, Protect, Detect, Respond, Recover.

Ways to think about a Profile:
•  A customization of the Core for a given sector, subsector, or organization.
•  A fusion of business/mission logic and cybersecurity outcomes.
•  An alignment of cybersecurity requirements with operational methodologies.
•  A basis for assessment and expressing target state.
•  A decision support tool for cybersecurity risk management.
Supporting Risk Management with Framework

Framework 7-Step Process
•  Step 1: Prioritize and Scope
•  Step 2: Orient
•  Step 3: Create a Current Profile
•  Step 4: Conduct a Risk Assessment
•  Step 5: Create a Target Profile
•  Step 6: Determine, Analyze, and Prioritize Gaps
•  Step 7: Implementation Action Plan
Building a Profile
A Profile Can be Created in Three Steps
Starting from the Core’s Subcategories (1, 2, 3, … 98), map onto them:
1. Mission Objectives (A, B, C, …).
2. Cybersecurity Requirements: legislation, regulation, internal & external policy, best practice.
3. Operating Methodologies: guidance and methodology on implementing, managing, and monitoring.
Conceptual Profile
Value Proposition
Cybersecurity Requirements (1) → Subcategory and Priority (2) → Operating Methodologies (3)
  Req A         → Subcategory 1 (moderate)   → Methods I, II
  Req B, Req C  → Subcategory 2 (high)       → Method III
  Req D, Req E  → Subcategory 3 (moderate)   → Methods IV, V
  Req F         → …                          → Methods VI, VII
  Req G         → Subcategory 98 (moderate)  → Method VIII

When you organize yourself in this way:
•  Compliance reporting becomes a byproduct of running your security operation
•  Adding new security requirements is straightforward
•  Adding or changing operational methodology is non-intrusive to on-going operation
Resource and Budget Decision Making
What Can You Do with a CSF Profile?

Subcategory   Priority   Gap      Budget   Year 1 / Year 2 Activities
1             moderate   small    $$$      X
2             high       large    $$       X
3             moderate   medium   $        X
…             …          …        …
98            moderate   none     $$       reassess

The Current Profile is the As-Is state; the Year 1 and Year 2 Target Profiles are the To-Be states the planned activities move toward.
…and supports on-going operational decisions, too
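The gap-and-budget table above and Steps 3 to 7 of the 7-Step Process are, in practice, a comparison of two Profiles. The following Python is an added worked example, not NIST code or a NIST tool: it scores a Current Profile and a Target Profile per Subcategory, lists and prioritizes the gaps, rolls them up per Function for executive reporting, and allocates a year-1 budget. The Subcategory IDs are real CSF identifiers, but the 0-3 implementation score, the priorities, the costs and the budget are constructed sample data, and the per-Subcategory score scale is an assumption of this example (the Framework’s Tiers describe the organization, not individual Subcategories).

```python
"""Current-vs-Target Profile gap analysis and a two-year action plan.

Added worked example, not NIST code. Subcategory IDs are real CSF identifiers;
every score, priority, cost and budget below is constructed sample data. The
0-3 implementation score per Subcategory is an assumption of this example (the
Framework's Tiers describe the organization, not individual Subcategories).
"""
from dataclasses import dataclass

PRIORITY_RANK = {"high": 0, "moderate": 1, "low": 2}

# Constructed sample data. Score: 0 = not implemented ... 3 = fully implemented.
CURRENT_PROFILE = {"ID.BE-1": 1, "ID.BE-4": 0, "ID.BE-5": 1, "PR.AC-1": 2,  # Step 3: As-Is
                   "PR.DS-1": 1, "DE.CM-1": 1, "RS.RP-1": 2, "RC.RP-1": 0}
TARGET_PROFILE = {"ID.BE-1": 2, "ID.BE-4": 3, "ID.BE-5": 3, "PR.AC-1": 3,   # Step 5: To-Be
                  "PR.DS-1": 3, "DE.CM-1": 3, "RS.RP-1": 2, "RC.RP-1": 3}
PRIORITY = {"ID.BE-1": "moderate", "ID.BE-4": "high", "ID.BE-5": "high", "PR.AC-1": "high",
            "PR.DS-1": "moderate", "DE.CM-1": "high", "RS.RP-1": "moderate", "RC.RP-1": "high"}
COST = {"ID.BE-1": 1, "ID.BE-4": 2, "ID.BE-5": 3, "PR.AC-1": 2,  # cost to close each gap,
        "PR.DS-1": 4, "DE.CM-1": 5, "RS.RP-1": 0, "RC.RP-1": 3}  # in arbitrary budget units


@dataclass(frozen=True)
class Gap:
    subcategory: str
    priority: str
    current: int
    target: int

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def function(self) -> str:
        # "ID.BE-4" -> "ID": the Function prefix of the Category ID
        return self.subcategory.split(".")[0]


def gap_analysis(current, target, priority):
    """Step 6: determine, analyze and prioritize gaps.

    Keeps only Subcategories whose target exceeds the current score, ordered by
    business priority first and then by gap size (largest first), so the list
    reads top-down as an order of work.
    """
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, 0)  # absent from the Current Profile means not implemented
        if tgt > cur:
            gaps.append(Gap(sub, priority.get(sub, "low"), cur, tgt))
    gaps.sort(key=lambda g: (PRIORITY_RANK[g.priority], -g.size, g.subcategory))
    return gaps


def action_plan(gaps, cost, year1_budget):
    """Step 7: implementation action plan.

    Walks the prioritized gap list once: a gap is funded in year 1 if its cost
    still fits the remaining budget, otherwise it is deferred to year 2. High-
    priority gaps get first claim on the budget, but an expensive one can still
    be deferred while cheaper items behind it are funded; the plan shows that
    deferral explicitly instead of hiding it.
    """
    plan = {"year1": [], "year2": []}
    remaining = year1_budget
    for g in gaps:
        c = cost.get(g.subcategory, 0)
        if c <= remaining:
            plan["year1"].append(g.subcategory)
            remaining -= c
        else:
            plan["year2"].append(g.subcategory)
    return plan


def function_coverage(current, target):
    """Share of target outcomes already met, rolled up per Function (ID, PR, DE, RS, RC).

    This is the abstracted view for senior executives; the per-Subcategory gap
    list is the view implementation/operations works from.
    """
    met, total = {}, {}
    for sub, tgt in target.items():
        fn = sub.split(".")[0]
        total[fn] = total.get(fn, 0) + 1
        if current.get(sub, 0) >= tgt:
            met[fn] = met.get(fn, 0) + 1
    return {fn: met.get(fn, 0) / total[fn] for fn in total}


if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY)
    for g in gaps:
        print(f"{g.subcategory:8} {g.priority:8} {g.current} -> {g.target} (gap {g.size})")
    print(action_plan(gaps, COST, year1_budget=8))
    print(function_coverage(CURRENT_PROFILE, TARGET_PROFILE))
```

With the sample data and a year-1 budget of 8 units, the plan funds ID.BE-4, RC.RP-1 and ID.BE-5 in year 1 and defers DE.CM-1, PR.AC-1, PR.DS-1 and ID.BE-1 to year 2. Note what that makes visible: DE.CM-1 is high priority but costs more than the remaining budget when its turn comes, so it is deferred while a cheaper high-priority item behind it is funded. That is exactly the kind of trade-off a Profile should surface for a resourcing decision rather than bury in a spreadsheet.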
Profile Ecosystem
•  NIST supplies the taxonomy: the Cybersecurity Framework Core, Subcategories 1, 2, 3, … 98.
•  An organization or community maps its requirements onto that taxonomy through crosswalks and mappings: 1 → Req A, 2 → Req B, 3 → Req C, … 98 → Req ZZ.
•  Adding priorities to the mapped requirements produces a Cybersecurity Framework Profile: 1 Req A High, 2 Req B Mod, 3 Req C Low, … 98 Req ZZ High.
Key Attributes
It’s a framework, not a prescriptive standard
•  Provides a common language and systematic methodology for managing cyber risk.
•  Is meant to be adapted.
•  Does not tell an organization how much cyber risk is tolerable, nor provide “the one and only” formula for cybersecurity.
•  Enables best practices to become standard practices for everyone via a common lexicon that enables action across diverse stakeholders.
It’s voluntary
It’s a living document
•  It is intended to be updated as stakeholders learn from implementation, and as technology and risks change…more later.
•  That’s one reason why the Framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time—principles will not.
Common Patterns of Use
•  Integrate the functions into your leadership vocabulary and management tool sets.
•  Determine optimal risk management using Implementation Tiers.
•  Measure current risk management using Implementation Tiers.
•  Reflect on business environment, governance, and risk management strategy categories.
•  Develop a Profile of cybersecurity priorities, leveraging (Sub)Sector Profiles when available.
Work in Progress: Framework Roadmap
Authentication
Automated Indicator Sharing
Conformity Assessment
Cybersecurity Workforce
Data Analytics
Federal Agency Cybersecurity Alignment
International Aspects, Impacts, and Alignment
Supply Chain Risk Management
Technical Privacy Standards
Examples of Framework Industry Resources
www.nist.gov/cyberframework/industry-resources
•  The Cybersecurity Framework in Action: An Intel Use Case
•  Energy Sector Cybersecurity Framework Implementation Guidance
•  American Water Works Association’s Process Control System Security Guidance for the Water Sector
•  Cybersecurity Risk Management and Best Practices Working Group 4: Final Report
•  Italy’s National Framework for Cybersecurity
Examples of State & Local Use
Texas, Department of Information Resources
•  Aligned Agency Security Plans with Framework
•  Aligned Product and Service Vendor Requirements with Framework
Houston, Greater Houston Partnership
•  Integrated Framework into their Cybersecurity Guide
•  Offer On-Line Framework Self-Assessment
North Dakota, Information Technology Department
•  Allocated Roles & Responsibilities using Framework
•  Adopted the Framework into their Security Operation Strategy
National Association of State CIOs
•  2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy
New Jersey
•  Developed a cybersecurity framework that aligns controls and procedures with Framework
NIST Baldrige Excellence Builders
Manufacturing, Service, Small Business, Education, Healthcare, Non-profit, Cybersecurity (2017)

Baldrige Cybersecurity Excellence Builder
•  Self-assessment criteria with basis in Cybersecurity Framework
•  Complements NIST Baldrige Program’s performance excellence successes.
•  April 2-5, 2017 - 29th Annual Quest for Excellence Conference
•  Pre-conference workshop that focuses on cybersecurity will be held on April 2nd - visit: https://www.nist.gov/baldrige/qe
NIST Manufacturing Profile
NIST Discrete Manufacturing Cybersecurity Framework Profile
Utilizing CSF Informative References to create tailored language for the manufacturing sector:
•  NIST SP 800-53
•  NIST SP 800-82
•  ISA / IEC 62443
USCG Maritime Bulk Liquids Transfer (BLT) Framework Profile
•  NCCoE and United States Coast Guard (USCG) worked together to draft a USCG Maritime Profile, based on the Cybersecurity Framework
•  Aligns the USCG’s cyber strategy with cybersecurity activities of the maritime bulk liquid transport operations of the oil & natural gas industry, utilizing standards and best practices guided by the Framework
•  The profile can help individual companies clarify how cybersecurity fits into their mission priorities and how best to allocate resources to secure their information and operational systems.
The profile is available at: https://www.uscg.mil/hq/cg5/cg544/docs/Maritime_BLT_CSF.pdf
Resources
Where to Learn More and Stay Current
Framework for Improving Critical Infrastructure Cybersecurity and related news, information: www.nist.gov/cyberframework
Additional cybersecurity resources: http://csrc.nist.gov/
Questions, comments, ideas: cyberframework@nist.gov

NIST Cybersecurity Framework 101

  • 1. Framework for Improving Critical Infrastructure Cybersecurity March 2017 cyberframework@nist.gov
  • 2. Improving Critical Infrastructure Cybersecurity “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties” Executive Order 13636 February 12, 2013 2
  • 3. The Cybersecurity Framework... •  Includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. •  Provides a prioritized, flexible, repeatable, performance- based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. •  Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations. •  Is consistent with voluntary international standards. 3
  • 4. 4 Development of the Framework Engage Stakeholders Collect, Categorize, Post RFI Responses Analyze RFI Responses Identify Framework Elements Prepare and Publish Framework EO 13636 Issued – Feb 12, 2013 RFI Issued – Feb 2013 1st Workshop – April 2013 Completed – April 2013 2nd Workshop – May 2013 Draft Outline of Framework – June 2013 3rd Workshop – July 2013 4th Workshop – Sept 2013 5th Workshop – Nov 2013 Published – Feb 12, 2014 Ongoing Engagement: Open public comment/ review encouraged throughout the process… and to this day
  • 5. The Framework Is for Organizations… 5 •  Of any size, in any sector in (and outside of) the critical infrastructure. •  That already have a mature cyber risk management and cybersecurity program. •  That don’t yet have a cyber risk management or cybersecurity program. •  Needing to keep up-to-date managing risks, facing business or societal threats. •  In the federal government, too…since it is compatible with FISMA requirements and goals.
  • 6. Continued Improvement of Critical Infrastructure Cybersecurity Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say: “…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure” Cybersecurity Enhancement Act of 2014 (P.L. 113-274) 18 December 2014 6
  • 7. Cybersecurity Framework Components Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics Aligns industry standards and best practices to the Framework Core in a particular implementation scenario Supports prioritization and measurement while factoring in business needs Cybersecurity activities and informative references, organized around particular outcomes Enables communication of cyber risk across an organization Framework Core Framework Implementation Tiers Framework Profile 7
  • 8. Key Properties of Cyber Risk Management 8 Risk Management Process Integrated Risk Management Program External Par6cipa6on
  • 9. Implementation Tiers 9 1 2 3 4 Par6al Risk Informed Repeatable Adap6ve Risk Management Process The func)onality and repeatability of cybersecurity risk management Integrated Risk Management Program The extent to which cybersecurity is considered in broader risk management decisions External Par6cipa6on The degree to which the organiza)on benefits my sharing or receiving informa)on from outside par)es 9
  • 10. Core Cybersecurity Framework Component 10 Senior Execu6ves Implementa6on/ Opera6ons •  Broad enterprise considera)ons •  Abstracted risk vocabulary •  Deep technical considera)ons •  Highly specialized vocabulary Specialists in Other Fields •  Specific focus outside of cybersecurity •  Specialized or no risk vocabulary
  • 11. Core Cybersecurity Framework Component Func6on Category ID What processes and assets need protec6on? Iden6fy Asset Management ID.AM Business Environment ID.BE Governance ID.GV Risk Assessment ID.RA Risk Management Strategy ID.RM What safeguards are available? Protect Access Control PR.AC Awareness and Training PR.AT Data Security PR.DS Informa)on Protec)on Processes & Procedures PR.IP Maintenance PR.MA Protec)ve Technology PR.PT What techniques can iden6fy incidents? Detect Anomalies and Events DE.AE Security Con)nuous Monitoring DE.CM Detec)on Processes DE.DP What techniques can contain impacts of incidents? Respond Response Planning RS.RP Communica)ons RS.CO Analysis RS.AN Mi)ga)on RS.MI Improvements RS.IM What techniques can restore capabili6es? Recover Recovery Planning RC.RP Improvements RC.IM Communica)ons RC.CO 11
  • 12. Core Cybersecurity Framework Component 12 Func6on Category ID Iden6fy Asset Management ID.AM Business Environment ID.BE Governance ID.GV Risk Assessment ID.RA Risk Management Strategy ID.RM Protect Access Control PR.AC Awareness and Training PR.AT Data Security PR.DS Informa)on Protec)on Processes & Procedures PR.IP Maintenance PR.MA Protec)ve Technology PR.PT Detect Anomalies and Events DE.AE Security Con)nuous Monitoring DE.CM Detec)on Processes DE.DP Respond Response Planning RS.RP Communica)ons RS.CO Analysis RS.AN Mi)ga)on RS.MI Improvements RS.IM Recover Recovery Planning RC.RP Improvements RC.IM Communica)ons RC.CO Subcategory Informative References ID.BE-1: The organiza)on’s role in the supply chain is iden)fied and communicated COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05 ISO/IEC 27001:2013 A.15.1.3, A. 15.2.1, A.15.2.2 NIST SP 800-53 Rev. 4 CP-2, SA-12 ID.BE-2: The organiza)on’s place in cri)cal infrastructure and its industry sector is iden)fied and communicated COBIT 5 APO02.06, APO03.01 NIST SP 800-53 Rev. 4 PM-8 ID.BE-3: Priori)es for organiza)onal mission, objec)ves, and ac)vi)es are established and communicated COBIT 5 APO02.01, APO02.06, APO03.01 ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6 NIST SP 800-53 Rev. 4 PM-11, SA-14 ID.BE-4: Dependencies and cri)cal func)ons for delivery of cri)cal services are established ISO/IEC 27001:2013 A.11.2.2, A. 11.2.3, A.12.1.3 NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14 ID.BE-5: Resilience requirements to support delivery of cri)cal services are established COBIT 5 DSS04.02 ISO/IEC 27001:2013 A.11.1.4, A. 17.1.1, A.17.1.2, A.17.2.1 NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14 12
• 13. Profile (Cybersecurity Framework Component)
Functions: Identify, Protect, Detect, Respond, Recover
Ways to think about a Profile:
•  A customization of the Core for a given sector, subsector, or organization.
•  A fusion of business/mission logic and cybersecurity outcomes.
•  An alignment of cybersecurity requirements with operational methodologies.
•  A basis for assessment and expressing target state.
•  A decision support tool for cybersecurity risk management.
• 14. Supporting Risk Management with Framework
• 15. Framework 7-Step Process
•  Step 1: Prioritize and Scope
•  Step 2: Orient
•  Step 3: Create a Current Profile
•  Step 4: Conduct a Risk Assessment
•  Step 5: Create a Target Profile
•  Step 6: Determine, Analyze, and Prioritize Gaps
•  Step 7: Implementation Action Plan
• 16. Building a Profile: A Profile Can be Created in Three Steps
Elements mapped against the Core subcategories (1, 2, 3, …, 98):
•  Mission Objectives: A, B, C
•  Cybersecurity Requirements: Legislation; Regulation; Internal & External Policy; Best Practice
•  Operating Methodologies: Guidance and methodology on implementing, managing, and monitoring
(step markers 1, 2, 3 in the figure)
• 17. Conceptual Profile Value Proposition
Cybersecurity Requirements | Subcategory | Priority | Operating Methodologies
A | 1 | moderate | I, II
B, C | 2 | high | III
D, E | 3 | moderate | IV, V
F | … | … | VI, VII
G | 98 | moderate | VIII
(step markers 1, 2, 3 as on slide 16)
When you organize yourself in this way:
•  Compliance reporting becomes a byproduct of running your security operation
•  Adding new security requirements is straightforward
•  Adding or changing operational methodology is non-intrusive to on-going operation
• 18. Resource and Budget Decision Making: What Can You Do with a CSF Profile?
Sub-category | Priority | Gaps | Budget | Year 1 / Year 2 Activities
1 | moderate | small | $$$ | X
2 | high | large | $$ | X
3 | moderate | medium | $ | X
… | … | … | … | …
98 | moderate | none | $$ | reassess
Timeline: As-Is; Year 1 To-Be; Year 2 To-Be
…and supports on-going operational decisions, too
• 19. Profile Ecosystem
NIST Taxonomy (Cybersecurity Framework Core): 1, 2, 3, …, 98
Requirements (Organization or Community): 1 Req A; 2 Req B; 3 Req C; …; 98 Req ZZ
Priorities (Organization or Community): 1 Req A High; 2 Req B Mod; 3 Req C Low; …; 98 Req ZZ High
Other figure labels: Community; Cybersecurity Framework Profile; Crosswalks; Mappings
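The 7-Step Process (Steps 3, 5 and 6) and the Core-to-Profile relationship on slides 16 to 19, worked as an added Python example that is not part of the NIST deck: it uses the ID.BE subcategories and SP 800-53 references from slide 12, while the implementation levels, priority order and sample Current/Target Profiles are constructed assumptions.

```python
# Added example (not from the NIST deck): a minimal model of the Core, a Current
# and a Target Profile, and the Step 6 gap analysis of the Framework 7-Step Process.
# Subset of the Core taken from slide 12: the ID.BE subcategories with their
# NIST SP 800-53 Rev. 4 Informative References (other references omitted here).
CORE = {
    "ID.BE-1": ("Role in the supply chain identified and communicated", ["CP-2", "SA-12"]),
    "ID.BE-2": ("Place in critical infrastructure and sector identified", ["PM-8"]),
    "ID.BE-3": ("Priorities for mission, objectives and activities established", ["PM-11", "SA-14"]),
    "ID.BE-4": ("Dependencies and critical functions established", ["CP-8", "PE-9", "PE-11", "PM-8", "SA-14"]),
    "ID.BE-5": ("Resilience requirements for critical services established", ["CP-2", "CP-11", "SA-14"]),
}

# Constructed implementation scale and priority order (not defined by the Framework).
LEVELS = {"none": 0, "partial": 1, "full": 2}
PRIORITY_RANK = {"high": 0, "moderate": 1, "low": 2}

# Constructed sample profiles: current = {subcategory: level},
# target = {subcategory: (desired level, priority)}.
CURRENT_PROFILE = {"ID.BE-1": "partial", "ID.BE-2": "full", "ID.BE-3": "none", "ID.BE-4": "partial"}
TARGET_PROFILE = {"ID.BE-1": ("full", "high"), "ID.BE-2": ("full", "moderate"),
                  "ID.BE-3": ("full", "high"), "ID.BE-4": ("full", "moderate"),
                  "ID.BE-5": ("partial", "low")}

def gap_analysis(current, target):
    """Step 6: list every subcategory whose current level is below the target,
    ordered by priority, then by gap size, so Step 7 planning starts at the top."""
    gaps = []
    for sub, (want, prio) in target.items():
        have = current.get(sub, "none")  # subcategories absent from the Current Profile count as "none"
        size = LEVELS[want] - LEVELS[have]
        if size > 0:
            gaps.append({"subcategory": sub, "priority": prio, "gap": size,
                         "from": have, "to": want, "refs": CORE[sub][1]})
    gaps.sort(key=lambda g: (PRIORITY_RANK[g["priority"]], -g["gap"], g["subcategory"]))
    return gaps

def crosswalk(gaps):
    """Map each 800-53 control cited by an open gap to the subcategories that cite it,
    so a control shared by several subcategories is planned and budgeted once."""
    controls = {}
    for g in gaps:
        for ref in g["refs"]:
            controls.setdefault(ref, []).append(g["subcategory"])
    return controls

if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f'{g["subcategory"]:8} {g["priority"]:9} {g["from"]} -> {g["to"]}  refs={g["refs"]}')
```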
• 20. Key Attributes
It's a framework, not a prescriptive standard
•  Provides a common language and systematic methodology for managing cyber risk.
•  Is meant to be adapted.
•  Does not tell an organization how much cyber risk is tolerable, nor provide "the one and only" formula for cybersecurity.
•  Enables best practices to become standard practices for everyone via a common lexicon that enables action across diverse stakeholders.
It's voluntary
It's a living document
•  It is intended to be updated as stakeholders learn from implementation, and as technology and risks change…more later.
•  That's one reason why the Framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time—principles will not.
• 21. Common Patterns of Use
•  Integrate the functions into your leadership vocabulary and management tool sets.
•  Determine optimal risk management using Implementation Tiers.
•  Measure current risk management using Implementation Tiers.
•  Reflect on business environment, governance, and risk management strategy categories.
•  Develop a Profile of cybersecurity priorities, leveraging (Sub)Sector Profiles when available.
• 22. Work in Progress: Framework Roadmap
•  Authentication
•  Automated Indicator Sharing
•  Conformity Assessment
•  Cybersecurity Workforce
•  Data Analytics
•  Federal Agency Cybersecurity Alignment
•  International Aspects, Impacts, and Alignment
•  Supply Chain Risk Management
•  Technical Privacy Standards
• 23. Examples of Framework Industry Resources
www.nist.gov/cyberframework/industry-resources
•  The Cybersecurity Framework in Action: An Intel Use Case
•  Energy Sector Cybersecurity Framework Implementation Guidance
•  American Water Works Association's Process Control System Security Guidance for the Water Sector
•  Cybersecurity Risk Management and Best Practices Working Group 4: Final Report
•  Italy's National Framework for Cybersecurity
• 24. Examples of State & Local Use
Texas, Department of Information Resources
•  Aligned Agency Security Plans with Framework
•  Aligned Product and Service Vendor Requirements with Framework
Houston, Greater Houston Partnership
•  Integrated Framework into their Cybersecurity Guide
•  Offer On-Line Framework Self-Assessment
North Dakota, Information Technology Department
•  Allocated Roles & Responsibilities using Framework
•  Adopted the Framework into their Security Operation Strategy
National Association of State CIOs
•  2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy
New Jersey
•  Developed a cybersecurity framework that aligns controls and procedures with Framework
• 25. NIST Baldrige Excellence Builders: Baldrige Cybersecurity Excellence Builder
Excellence Builder editions: Manufacturing; Service; Small Business; Education; Healthcare; Non-profit; Cybersecurity (2017)
•  Self-assessment criteria with basis in Cybersecurity Framework
•  Complements NIST Baldrige Program's performance excellence successes.
•  April 2-5, 2017 - 29th Annual Quest for Excellence Conference
•  Pre-conference workshop that focuses on cybersecurity will be held on April 2nd - visit: https://www.nist.gov/baldrige/qe
• 26. NIST Manufacturing Profile: NIST Discrete Manufacturing Cybersecurity Framework Profile
Utilizing CSF Informative References to create tailored language for the manufacturing sector:
•  NIST SP 800-53
•  NIST SP 800-82
•  ISA / IEC 62443
(www.tiger-global.co.uk)
• 27. USCG Maritime Bulk Liquids Transfer (BLT) Framework Profile
•  NCCoE and United States Coast Guard (USCG) worked together to draft a USCG Maritime Profile, based on the Cybersecurity Framework
•  Aligns the USCG's cyber strategy with cybersecurity activities of the maritime bulk liquid transport operations of the oil & natural gas industry, utilizing standards and best practices guided by the Framework
•  The profile can help individual companies clarify how cybersecurity fits into their mission priorities and how best to allocate resources to secure their information and operational systems.
The profile is available at: https://www.uscg.mil/hq/cg5/cg544/docs/Maritime_BLT_CSF.pdf
• 28. Resources: Where to Learn More and Stay Current
•  Framework for Improving Critical Infrastructure Cybersecurity and related news, information: www.nist.gov/cyberframework
•  Additional cybersecurity resources: http://csrc.nist.gov/
•  Questions, comments, ideas: cyberframework@nist.gov