One of the more interesting developments in the compliance world is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This framework is a result of Executive Order (EO) 13636, “Improving Critical Infrastructure Cyber Security,” which directed NIST, in cooperation with the private sector, to develop and issue a voluntary, risk-based cyber security framework that provides U.S. critical infrastructure organizations with a set of industry standards and best practices to better manage cyber security risks.
While the adoption of the Cybersecurity Framework is optional for now, it can be used by critical infrastructure industries and commercial organizations to build and strengthen their cyber security prevention, detection, response and improvement capabilities. The framework does not introduce new standards or concepts; it leverages and integrates industry leading cyber security practices that were developed by organizations, including NIST and the International Organization for Standardization (ISO). This is exciting news for our clients since many of the standards and best practices we support are referenced within the framework.
The framework provides an assessment mechanism that enables organizations to determine their current cyber security capabilities, set individual goals for a target state and establish a plan for improving and maintaining cyber security programs. The framework compliments, not replaces, an organization’s risk management process and cyber security program. It includes three main components: framework core, framework implementation tiers and framework profiles.
Components of the Cybersecurity Framework:
The framework core is a set of cyber security activities, outcomes and informative references that are common across critical infrastructure sectors, organized into five concurrent and continuous functions, that provide a strategic view of how your organization’s manages cyber security risk:
- Identify: Develop your organizational understanding on how to manage cyber security risks to systems, assets, data and capabilities.
- Protect: Develop and implement the appropriate safeguards necessary to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cyber security event through continuous monitoring.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cyber security event through incident response.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event.
Each of the core functions is further divided into categories tied to programmatic needs and particular activities. The outcomes of activities point to informative references, which are specific sections of standards, guidelines and practices that illustrate a method to achieve the outcomes associated with each subcategory.
The framework implementation tiers describe the level of sophistication and rigor your organization employs in applying its cyber security practices, and provide a context for applying the core functions. The four tier levels describe approaches to cyber security risk management that range from informal/reactive response to adaptive/real-time response:
- Tier 1 (Partial): Your organization’s cyber risk management profiles are not formalized, and are managed on an ad hoc basis. There is a limited awareness of your organization’s cyber security risk at the enterprise level, and an enterprise-wide approach to managing cyber security risk has not been established.
- Tier 2 (Risk Informed): Your organization has established a cyber risk management policy that is directly approved by senior management — though not yet on an enterprise-wide basis. There is some effort by senior management to establish risk management objectives related to cyber security, to understand your organization’s threat environment and to implement cyber security procedures with adequate resources.
- Tier 3 (Repeatable): Your organization is operating with formal cyber security procedures, which are regularly updated based on changes in risk management processes, business requirements and the changing threat and technology landscape. Cyber personnel are well-trained and can adequately perform their duties. Your organization also understands its dependencies and business partners, and receives information from them, which allows for collaboration and risk-based management decisions.
- Tier 4 (Adaptive): Your organization adapts its cyber security practices in real time based on lessons learned and predicative indicators derived from current and past cyber security activities.
With continuous improvement incorporating advanced cyber security technologies, real time collaboration with partners and continuous monitoring of activities on their systems, your organization’s cyber security practices can rapidly respond to sophisticated threats.
The framework profile is a tool that provides your organization with a method for describing your cyber security program. Profiles enable your organization to align and improve cyber security practices based on your individual business needs, tolerance for risk and available resources. Utilizing the core and the implementation tiers, profiles can be developed describing the current “as-is” state (i.e. current profile) and the future “to-be” state (i.e. target profile). Once completed, a comparison of the current and target profiles identifies gaps that should be filled to enhance cyber security and provides the basis for a prioritized roadmap to help achieve these improvements.
Why should I be an early adopter of the Cybersecurity Framework?
The framework provides organization and structure to today’s many approaches to cyber security by assembling standards, guidelines and practices that are working effectively in industry. Regardless of whether you have a cyber security program in place, there may be unmitigated risks that can be discovered through application of the framework, leading to a more resilient cyber security program.
All too often, business cases for cyber initiatives are rejected as they fail to communicate the real benefit to an organization — largely due to the unfamiliar language used to convince targeted stakeholders. The framework solves this dilemma by providing a standardized approach for addressing cyber security goals through the creation of profiles. These profiles enable organizations to align and improve cyber security practices based on their individual business needs, tolerance for risk and resources.
By adopting the framework, your organization can collaborate with others through programs such as the online Cyber Security Forum (CForum) to share lessons learned, post questions about cyber security challenges and maintain the conversation to continually improve cyber security capabilities and standards.
While it’s not mandatory, it’s likely that the framework will eventually become the de facto standard for cyber security and privacy regulation. It may also impact legal definitions and enforcement guidelines for cyber security. Organizations that adopt the framework now may be better positioned to comply with future cyber security and privacy regulations.
By choosing to implement the framework now, organizations can potentially avoid accusations of cyber security negligence if a breach occurs. Organizations using the framework can demonstrate their due diligence in the event of a cyber attack by providing key stakeholders with information regarding their cyber security program via their established profile.
The framework provides organization and structure to today’s numerous approaches to cyber security by assembling multiple standards, guidelines and practices into one standardized format. If the framework is eventually regulated across multiple industries, this would enable auditors to evaluate cyber security programs and controls in one standard format — eliminating the need for multiple security compliance documents.
Organizations purchasing IT equipment or services can request a framework profile, providing the buying organization an opportunity to determine whether or not the supplier’s security measures align with their organizational security policies. In addition, the organization can provide a profile to the supplier or vendor to define mandatory protections that must be implemented as a condition of procurement.
The presidential directive that established the NIST Framework calls for the Department of Homeland Security to establish incentives to promote adoption of the framework. While incentives have not yet been established, there has been some discussion on cyber insurance, government grants, technical assistance and regulatory streamlining for those companies that adopt the framework.
Cybersecurity Framework Gap Analysis (Current Profile):
This is perfect for organizations that want to get started with the Cybersecurity Framework. 38North uses the framework to compare your organization’s current security activities with those outlined in the framework core. We create your current profile and measure how well your organization is achieving the outcomes described in the core categories and subcategories, aligned with the five high-level functions: identify, protect, detect, respond and recover. We’ll also provide a cost estimate to align your organization with the Cyber Security Framework, identify the risks and challenges, and point out the most critical action items.
Cybersecurity Framework Risk Assessment:
We conduct a detailed risk assessment based on your current profile to determine the likelihood of cyber security events, and the impact such events could have on your organization. We then present you with a detailed roadmap with prioritized recommendations on how to remediate weaknesses with existing or new management, operational and/or technical countermeasures.
Cybersecurity Framework Implementation Support (Target Profile and Action Plan):
Now that the risks have been identified based on your current profile, you need to develop your target profile. The target profile will document all applicable framework categories and subcategories in the context of your organization’s desired cyber security outcomes. 38North will develop an action plan based on the delta between your current and target profiles. And existing process, resources, infrastructure, systems and investments will be re-used if possible before new protective measures are considered.