US Cybersecurity Framework – Common Concerns
Spending on security continues to increase. A recent Wall Street Journal article says, “Global cybersecurity spending by critical infrastructure industries was expected to hit $46 billion in 2013, up 10% from a year earlier, according to Allied Business Intelligence Inc.”
President Obama released E.O. 13636 on Feb. 12, 2013, including Sec. 7, Baseline Framework to Reduce Cyber Risk to Critical Infrastructure (the Cybersecurity Framework).
The US Cybersecurity Framework, prepared by the National Institute of Standards and Technology (NIST), has been in the works for a year; after several rounds of the government soliciting input and reviews from the private sector, the full version was published. The framework is organized into five functions: Identify, Protect, Detect, Respond, and Recover.
The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing
Each of the Framework components (the Framework Core, Profiles, and Tiers) reinforces the connection between business drivers and cybersecurity activities. The Framework also offers guidance regarding privacy and civil liberties considerations that may result from cybersecurity activities.
- The Framework Core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions — Identify, Protect, Detect, Respond, Recover — that provide a high-level view of an organization’s management of cyber risks.
- The Profiles can help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources. Companies can use the Profiles to understand their current cybersecurity state, support prioritization, and to measure progress towards a target state.
- The Tiers provide a mechanism for organizations to view their approach and processes for managing cyber risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and its integration into an organization’s overall risk management practices.
Since Executive Order 13636 was issued, NIST has played a convening role in developing the Framework, drawing heavily on standards, guidelines, and best practices already available to address key cybersecurity needs. NIST also relied on organizations and individuals with experience in reducing cybersecurity risk and managing critical infrastructure. NIST released a broad Request for Information (RFI) and received 243 responses containing thousands of comments. NIST analyzed the results to identify common standards, successes, challenges, and themes.
A skilled cybersecurity workforce is needed to meet the unique cybersecurity needs of critical infrastructure. There is a well-documented shortage of general cybersecurity experts; however, there is a greater shortage of qualified cybersecurity experts who also have an understanding of the unique challenges posed to particular parts of critical infrastructure. As the cybersecurity threat and technology environment evolves, the cybersecurity workforce must continue to adapt to design, develop, implement, maintain and continuously improve the necessary cybersecurity practices within critical infrastructure environments. Various efforts, including the National Initiative for Cybersecurity Education (NICE), are currently fostering the training of a cybersecurity workforce for the future, establishing an operational, sustainable and continually improving cybersecurity education program to provide a pipeline of skilled workers for the private sector and government. Organizations must understand their current and future cybersecurity workforce needs, and develop hiring, acquisition, and training resources to raise the level of technical competence of those who build, operate, and defend systems delivering critical infrastructure services.
Future NIST activities to address these common concerns may include:
- Extending and integrating NICE activities across critical infrastructure (CI) sectors to raise cybersecurity awareness;
- Identifying and supporting foundational research opportunities in areas including cybersecurity awareness, training, and education, and security usability;
- Understanding CI cybersecurity workforce needs;
- Issuing guidelines, tools, and other resources to develop, customize and deliver cybersecurity awareness, training, and education materials;
- Continuing to support the development of better identity and authentication solutions through NSTIC pilots, as well as an active partnership with the IDESG;
- Supporting and participating in identity and authentication standards activities, seeking to advance a more complete set of standards to promote security and interoperability; this will include standards development work to address gaps that may emerge from new approaches in the NSTIC pilots;
- Conducting identity and authentication research complemented by the production of NIST Special Publications that support improved authentication practices;
- Working with private sector standards owners, consortia and others in industry-led, consensus-driven international standards organizations to fill current standards gaps based on well-defined use cases and requirements;
- Working with private and public sector stakeholders to ensure that adequate implementation and common practice guidance is available regarding the generation, use, and sharing of indicator data;
- Benchmarking and measuring some of the fundamental scientific elements of big data (algorithms, machine learning, topology, graph theory, etc.) through means such as research, community evaluations, datasets, and challenge problems;
- Supporting and participating in big data standards activities such as international standards bodies and the production of community reference architectures and roadmaps;
- Producing NIST Special Publications on the secure application of big data analytic techniques in such areas as access control, continuous monitoring, attack warning and indicators, and security automation;
- Identifying areas of alignment between existing Federal Information Processing Standards (FIPS), guidelines, frameworks, and other programs (e.g., Continuous Diagnostics and Mitigation) and the Cybersecurity Framework;
- Identifying and prioritizing gaps where additional guidance may improve an agency’s ability to manage cybersecurity risk, and demonstrating greater alignment with the Cybersecurity Framework;
- Leveraging the Cybersecurity Framework to elevate the use and amplify the effectiveness of new and emerging Federal standards, guidelines, and
- Engaging foreign governments and entities directly to explain the Framework and seek alignment of approaches when possible;
- Coordinating with federal agency partners to ensure full awareness within their stakeholder community;
- Working with industry stakeholders to support their international engagement;
- Exchanging information and working with standards developing organizations, industry, and sectors to ensure the Cybersecurity Framework remains aligned and compatible with existing and developing standards and practices;
- Encouraging broad industry engagement and leadership in supply chain risk management discussions and activities;
- Promoting the mapping of existing supply chain risk management standards, practices and guidelines to the Framework Core;
- Identifying challenges in Framework adoption and determining appropriate support to enable effective supply chain risk management;
- Determining the key challenges to supply chain risk management (e.g., identifying and understanding mission critical functions, their dependencies, and conducting and validating prioritization) to enable more effective Framework implementation.
To address these gaps and challenges, NIST will first host a privacy workshop in the second quarter of 2014. The workshop will focus on the advancement of privacy engineering as a foundation for the identification of technical standards and best practices that could be developed to mitigate the impact of cybersecurity activities on individuals’ privacy or civil liberties. Modeled after security engineering, privacy engineering may call for the development of a privacy risk management model, privacy requirements, and system design and development. Future NIST activities will build upon the outcomes of the workshop, and NIST will work with private and public sector entities to support improvements in the protection of individuals’ privacy and civil liberties while securing critical infrastructure.