Cybersecurity Framework Overview
Executive Order 13636 “Improving Critical Infrastructure Cybersecurity”

Brian Hubbard

Account Manager

brian.hubbard@g2-inc.com

(301) 575-5106

January 22, 2014

Executive Order 13636—Improving Critical Infrastructure Cybersecurity

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”

  • NIST is directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure
The Cybersecurity Framework

For the Cybersecurity Framework to meet the requirements of the Executive Order, it must:

  • include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
  • provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
  • identify areas for improvement.
Development of the Preliminary Framework

EO 13636 Issued – February 12, 2013

NIST Issues RFI – February 26, 2013

1st Framework Workshop – April 03, 2013

Completed – April 08, 2013

Identify Common Practices/Themes – May 15, 2013

2nd Framework Workshop at CMU – May 29-31, 2013

Ongoing Engagement:

Open public comment and review encouraged and promoted throughout the process

Draft Outline of Preliminary Framework – June 2013

3rd Framework Workshop at UCSD – July 10-12, 2013

4th Framework Workshop at UT Dallas – September 11-13, 2013

Publish Preliminary Framework – October 29, 2013

Getting from the Preliminary Framework to the Final Framework and Beyond

Publish Preliminary Framework – October 29, 2013

Begin 45 day Public Comment Period

Stakeholder outreach discussions continue

5th Framework Workshop at NCSU – Nov 14-15, 2013

Public comment period closed – December 13, 2013

Ongoing Engagement:

Open public comment and review encouraged and promoted throughout the process

Complete comment resolution and disposition

Publish Cybersecurity Framework – February 2014

Framework maintenance and updates

Framework Components

Framework Core

  • Cybersecurity activities and references that are common across critical infrastructure sectors, organized around particular outcomes

Framework Profile

  • Alignment of standards, guidelines and practices to the Framework Core in a particular implementation scenario
  • “Current” Profile vs. “Target” Profile

Framework Implementation Tiers

  • Capture how an organization views cybersecurity risk and the processes in place to manage that risk
Framework Functions

The five Framework Core Functions provide the highest level of structure:

  • Identify – Develop the institutional understanding to manage cybersecurity risk to systems, assets, data, and capabilities
  • Protect – Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event.
  • Recover – Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the appropriate capabilities that were impaired due to a cybersecurity event.
Framework Categories
  • Categories are the subdivisions of a Function into groups of cybersecurity activities, more closely tied to programmatic needs
Subcategories and Informative References
  • Subcategories subdivide a Category into specific outcomes of technical and/or management activities.
  • Informative References are specific sections of standards, guidelines and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory.
  • The Informative References presented in the Framework Core are not exhaustive, and organizations are free to implement other standards, guidelines, and practices.
Framework Profiles
  • Enables organizations to establish a roadmap to reducing cybersecurity risk
  • Used to describe current state and desired target state
  • Comparison of profiles reveals gaps that may be addressed to meet cybersecurity risk management objectives
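The Core structure (Function > Category > Subcategory) and the Current-versus-Target Profile comparison described above can be turned into a repeatable gap analysis. The script below is an added illustrative example; it is not part of the original presentation and not NIST tooling. The Core rows and both profiles are constructed sample data: the identifiers follow the Framework's Function.Category-Number pattern and the outcome text is paraphrased, but the three-level status scale and every status value are assumptions chosen for this example. Two edge cases a real profile spreadsheet produces are handled deliberately: a Subcategory missing from the Current Profile is treated as not implemented, and one missing from the Target Profile is out of scope and never reported as a gap.

```python
"""Gap analysis between a Current Profile and a Target Profile.

Added example (not from the original presentation, not NIST tooling). CORE,
CURRENT_PROFILE and TARGET_PROFILE are constructed sample data; the status scale
is an assumption, not something the Framework defines.
"""
from dataclasses import dataclass

# Assumed status scale for a profile entry.
STATUS = {0: "not implemented", 1: "partially implemented", 2: "implemented"}

# The five Functions in Framework order, used to order the roadmap.
FUNCTION_ORDER = ["Identify", "Protect", "Detect", "Respond", "Recover"]


@dataclass(frozen=True)
class Subcategory:
    id: str          # Function.Category-Number, e.g. "ID.AM-1"
    function: str
    category: str
    outcome: str     # the outcome the Subcategory describes


# Constructed Core excerpt: Function > Category > Subcategory.
CORE = [
    Subcategory("ID.AM-1", "Identify", "Asset Management", "Physical devices and systems are inventoried"),
    Subcategory("ID.RA-1", "Identify", "Risk Assessment", "Asset vulnerabilities are identified and documented"),
    Subcategory("PR.AC-1", "Protect", "Access Control", "Identities and credentials are managed for authorized devices and users"),
    Subcategory("PR.DS-1", "Protect", "Data Security", "Data-at-rest is protected"),
    Subcategory("PR.PT-1", "Protect", "Protective Technology", "Audit logs are determined, documented, implemented, and reviewed"),
    Subcategory("DE.CM-1", "Detect", "Security Continuous Monitoring", "The network is monitored to detect potential cybersecurity events"),
    Subcategory("RS.RP-1", "Respond", "Response Planning", "Response plan is executed during or after an event"),
    Subcategory("RC.RP-1", "Recover", "Recovery Planning", "Recovery plan is executed during or after an event"),
]

# Constructed profiles: Subcategory id -> status.
# RC.RP-1 is deliberately absent from the Current Profile (treated as status 0);
# PR.PT-1 is deliberately absent from the Target Profile (out of scope, no gap).
CURRENT_PROFILE = {"ID.AM-1": 1, "ID.RA-1": 0, "PR.AC-1": 2, "PR.DS-1": 1,
                   "PR.PT-1": 1, "DE.CM-1": 0, "RS.RP-1": 1}
TARGET_PROFILE = {"ID.AM-1": 2, "ID.RA-1": 2, "PR.AC-1": 2, "PR.DS-1": 2,
                  "DE.CM-1": 2, "RS.RP-1": 1, "RC.RP-1": 2}


def validate_profile(profile, core):
    """Reject ids that are not in the Core and statuses outside the scale.

    Catches the usual spreadsheet errors (typo'd id, stray value) before they
    silently vanish from, or inflate, the gap list.
    """
    known = {sub.id for sub in core}
    for sub_id, status in profile.items():
        if sub_id not in known:
            raise ValueError(f"unknown Subcategory id in profile: {sub_id}")
        if status not in STATUS:
            raise ValueError(f"{sub_id}: status {status!r} not in {sorted(STATUS)}")


def gap_analysis(core, current, target):
    """Compare Current and Target Profiles and return the Subcategories with a gap.

    Each gap records how far the current status sits below the target. The list
    is sorted largest gap first, then by Function order, then by id, which gives
    a first-cut roadmap. A Subcategory absent from the Target Profile is out of
    scope and never a gap; one absent from the Current Profile counts as 0.
    """
    validate_profile(current, core)
    validate_profile(target, core)
    gaps = []
    for sub in core:
        if sub.id not in target:
            continue
        have = current.get(sub.id, 0)
        want = target[sub.id]
        if want > have:
            gaps.append({"id": sub.id, "function": sub.function, "category": sub.category,
                         "outcome": sub.outcome, "current": have, "target": want,
                         "gap": want - have})
    gaps.sort(key=lambda g: (-g["gap"], FUNCTION_ORDER.index(g["function"]), g["id"]))
    return gaps


def gaps_by_function(gaps):
    """Count open gaps per Function, in Function order, including zero counts."""
    counts = {f: 0 for f in FUNCTION_ORDER}
    for g in gaps:
        counts[g["function"]] += 1
    return counts


if __name__ == "__main__":
    roadmap = gap_analysis(CORE, CURRENT_PROFILE, TARGET_PROFILE)
    for g in roadmap:
        print(f'{g["id"]:8} {g["function"]:9} {STATUS[g["current"]]:22} -> '
              f'{STATUS[g["target"]]}  ({g["outcome"]})')
    print(gaps_by_function(roadmap))
```

Sorting by gap size before Function order is one choice of prioritization; an organization applying its own risk management process would typically attach a priority to each Target Profile entry and sort on that instead.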
Framework Implementation Tiers
  • The Framework Implementation Tiers (“Tiers”) are a lens through which to view the characteristics of the organization’s approach to risk
  • Tiers range from Partial (Tier 1) to Adaptive (Tier 4)
  • Tier selection process considers
    • an organization’s current risk management practices
    • threat environment
    • legal and regulatory requirements
    • business/mission objectives
    • organizational constraints
How to Use the Framework

An organization’s risks, policies, and procedures will ultimately drive its Framework adoption

Framework Use Cases:

  • Basic Review of Cybersecurity Practices
  • Establish or Improve a Cybersecurity Program
  • Communicating Cybersecurity Requirements with Stakeholders
  • Identifying Opportunities for New or Revised Informative References

Framework Provides a Methodology to Protect Privacy and Civil Liberties

Thank You

The Cybersecurity Framework is available at http://www.nist.gov/itl/cyberframework.cfm

Brian Hubbard

G2 Inc.

Brian.hubbard@g2-inc.com

(301) 575-5106