260 likes | 540 Views
Cybersecurity: Executive order 13636 and the nist framework. Telecommunications Industry Association. Topics. Part I – Executive Order 13636 Part II – Framework Development History and TIA Involvement Part III – The Framework Part IV – Issues and Next Steps.
E N D
Cybersecurity: Executive order 13636 and the nist framework Telecommunications Industry Association
Topics • Part I – Executive Order 13636 • Part II – Framework Development History and TIA Involvement • Part III – The Framework • Part IV – Issues and Next Steps
Executive Order 13636 • Issued on February 12, 2013 • Followed in wake of failure of comprehensive cyber legislation in the Senate (late 2012) • Required NIST to develop a voluntary Cybersecurity Framework • Agencies are supposed to review the Framework against their current regulations for gaps (Sec. 10) • DHS establishes voluntary critical infrastructure program • Notification to private sector owners & operators • Includes limited measures to improve information sharing
EO – InformationSharing (Sec. 4) • Requires agencies to produce timely, unclassified reports & that “identify a specific targeted entity” • Facilitates transmission of classified information to critical infrastructure entities that are “authorized to receive them” • Does nothing to improve sharing FROM the private sector • The government recognizes that legislation is still needed to improve real-time, bi-directional information sharing
EO – CriticalInfrastructure Definition • Definition (Sec. 3) • “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” • IT Limitation (Sec. 9a) • When designating critical infrastructure at greatest risk, DHS may not “identify any commercial information technology products or consumer information technology services” within the program
EO – CriticalInfrastructure Program • DHS Identification (Sec. 9) • Requires agency to use a “risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” • Incentives (Sec. 8c) • DHS must “coordinate establishment of a set of incentives designed to promote participation in the Program” • Not yet clear what these will be • Liability protection requires statutory authority
EO – Agency Adoptionof Framework • Review • “Agencies with responsibility for regulating the security of critical infrastructure shall … review the preliminary Cybersecurity Framework and determine if current cybersecurity regulatory requirements are sufficient….” • Action • “If current regulatory requirements are deemed to be insufficient … agencies … shall propose prioritized, risk-based, efficient, and coordinated actions … to mitigate cyber risk.” • Independent Agencies (FCC etc.) • “encouraged … to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities”
Development Process • Kick-started by EO (Sec. 7) in February • Series of workshops with industry • Preliminary Framework released by NIST on October 22, 2013 • Delayed two weeks from original due date to government shutdown • Final version released on February 12, 2014 • NIST will keep updating it after that
TIA Involvement • Written comments to NIST • Three meetings with NIST staff • Aug. 1 2013 • Aug. 27 2013 • Jan. 7 2014 • Participation of NIST staff in TIA events
TIA Input / Concerns • Maintaining the flexibility and ability to innovate • Deference to successful public-private partnerships • The necessity of international approaches and standards • What “adoption” means • Framework’s fixation on “advanced threats” rather than “cyber hygiene” • Framework’s problematic approach to privacy • NIST’s designation of “undeveloped” areas for future work, importantly including supply chain
TIA Evaluation ofFinal Framework • Many TIA concerns have been addressed • NIST has emphasized the voluntary nature of the Framework • Framework reflects the need to incorporate and rely on existing standards and best practices • Reflects TIA’s advocacy that flexibility and technology neutrality are critical • Reflects TIA’s advocacy that a business case is a key driver for increasing private-sector cyber resiliency • Framework embraces the concept that an international approach should not be country-specific
Components • Framework Core • Set of cybersecurity functions and references • Big table • Framework Profile • Tool to help organizations establish a roadmap for reducing cybersecurity risk • Framework Implementation Tiers • How well an organization manages its cyber risk
Framework Core • Five Functions • Identify, Protect, Detect, Respond,, Recover • Categories • Examples: “Asset Management,” “Access Control,” and “Detection Processes.” • Subcategories (high-level outcomes) • Examples: “Physical devices and systems within the organization are catalogued,” “Data-at-rest is protected,” and “Notifications from the detection system are investigated.” • Informative references (standards – ISO etc.)
Framework Profile • Alignment of two things: • Functions, Categories, Subcategories and industry standards and best practices, with • Business requirements, risk tolerance, and resources of the organization
Framework Tiers • Describe an “increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is integrated into an organization’s overall risk management practices” • Tier 1: Partial • Tier 2: Risk-Informed • Tier 3: Repeatable • Tier 4: Adaptive
ExampleTier 1: Partial • Risk Management Process • Organizational cybersecurity risk management practices are not formalized and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements. • Integrated Program • There is a limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurityrisk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization. • External Participation • An organization may not have the processes in place to participate in coordination or collaboration with other entities.
ExampleTier 4: Adaptive • Risk Management Process • The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous cybersecurityactivities. Through a process of continuous improvement, the organization actively adapts to a changing cybersecurity landscape and responds to emerging/evolving threats in a timely manner. • Integrated Program • There is an organization-wide approach to managing cybersecurityrisk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks. • External Participation • The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before an event occurs.
Potential Issues • Incentives for adoption • Cost is a factor • Regulation • How will agencies respond? • Liability • Does the Framework establish a “duty of care?” • Tier 4 implementation “or else”? • What will Congress do?
The Next Version:NIST Roadmap • Authentication • Automated Indicators • Conformity Assessment • Cybersecurity Workforce • Data Analysis • Federal Agency Cybersecurity Alignment • International Aspects, Impacts, and Alignment • Supply Chain Risk Management • Technical Privacy Standards • Bottom Line – More To Come in Future Versions
Cyber TopicsMissing from EO • Cybercrime • R&D efforts • Cyber hygiene & education • Data breach notification • FISMA reform • These things may require legislation
Conclusion / Contacts Dileep Srihari – dsrihari@tiaonline.org (703)-907-7715 Brian Scarpelli – bscarpelli@tiaonline.org (703)-907-7714 Telecommunications Industry Association