By Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” President Barack Obama directed the development of a framework to reduce cybersecurity risks to critical infrastructure. The National Institute of Standards and Technology (NIST), in coordination with various federal agencies and market stakeholders, issued a preliminary Cybersecurity Framework in October 2013; the issuance of the final Cybersecurity Framework is anticipated next month.
The Cybersecurity Framework is a voluntary set of standards and best practices designed to apply to entities that “play a role in supporting the Nation’s [critical] infrastructure”. The executive order defines “critical infrastructure” to include virtual and physical assets and systems, “the incapacity or destruction [of which] would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these matters.”
The Cybersecurity Framework offers a system that relies on existing requirements, best practices, and standards for evaluating and addressing cybersecurity risks. The framework’s core is based on four elements: (1) functions; (2) categories; (3) subcategories; and (4) informative references.
The five functions of the core structure include:
- Identify: Identification of mission-critical data and systems and of possible cybersecurity threats, and definition of a risk-management strategy;
- Protect: Prioritization of threats and development and implementation of safeguards against identified threats;
- Detect: Development and implementation of monitoring and detection processes to identify threats, weaknesses, or breaches;
- Respond: Planning and implementation of processes to act upon detection of a threat or breach; and
- Recover: Development and implementation of strategies to restore services and capabilities and mitigate risk.
These functions serve to organize cybersecurity activities at the highest level. Categories subdivide functions into groups of cybersecurity outcomes, and subcategories further subdivide such outcomes. Informative references include sets of common industry standards, practices, and guidelines to accomplish or address the subcategories.
The NIST Framework Core structure is diagrammed below:
[Diagram: NIST Framework Core structure]
The framework provides a methodology for mapping the functions to the categories, subcategories, and informative references. The content of the core is determined by the organization by reference to its individual activities and risks and by taking into account industry standards and best practices.
The profile is a tool to establish a roadmap for reducing cybersecurity risk in accordance with the priorities established using the core. Briefly, the profile provides for the development of current profiles (based in part on the “identify” function) and target profiles (based on desired risk-management outcomes).
The Profile is the alignment of the Functions, Categories, Subcategories and industry standards and best practices with the business requirements, risk tolerance, and resources of the organization. Identifying the gaps between the Current Profile and the Target Profile allows the creation of a prioritized roadmap that organizations will implement to reduce cybersecurity risk.
Comparing the current and target profiles, together with the core, allows an organization to determine, analyze, and prioritize the gaps between them and to develop an action plan for closing those gaps.
Framework Implementation Tiers
The tiers describe how an organization manages its cybersecurity risk from less to more rigorous: Tier 1, partial; Tier 2, risk informed; Tier 3, risk informed and repeatable; and Tier 4, adaptive. The framework defines each tier and explains the selection process as follows:
The Tier selection process considers an organization’s current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. Organizations should determine the desired Tier, ensuring that the selected levels meet the organizational goals, reduce cybersecurity risk to critical infrastructure, and are feasible and cost effective to implement.
Use of the Cybersecurity Framework
Use of the framework by “critical infrastructure” participants is voluntary. Although designed to work with “incentives” for participation, no such incentives have yet been proposed. There are no penalties or civil liability associated with failure to implement all or any part of the framework.
The framework’s reliance on industry standards and best practices, however, may lead to increased focus by courts on such standards and practices in the evaluation of the reasonableness of a specific participant’s cyber risk management efforts.
Further, final implementation of the framework will not preclude the implementation of federal or state legislation or regulation of cyber risks.
An example of how this entire process is designed to work is set forth in Appendix A to the proposed framework, which may be found at http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf. Copies of the executive order, the proposed Cybersecurity Framework, and the related NIST update may be found at http://www.nist.gov/cyberframework/index.cfm.
Cyber Risk Management, Generally
The implications of the issuance of the final Cybersecurity Framework are quite broad. The framework’s core structure, profiles, and tiers are adaptable to a variety of industries and cyber risk levels and may be used as a model to facilitate assessment and development of any business’ cybersecurity risk-management program. The framework is intended to be ancillary to—and referential of—a “critical infrastructure” organization’s regulatory and other obligations. It may, however, serve as a useful risk-management tool for any organization that engages in cyber activities.