Building on stakeholder inputs from a July workshop in San Diego, the National Institute of Standards and Technology (NIST) last week released the latest iteration of a draft Cybersecurity Framework that fills in an earlier outline, maps out how organizations can mitigate cyber threats and speaks directly to senior business executives about cyber risks and how the framework can help protect their companies.
The emerging framework, which President Barack Obama directed in an Executive Order in February, is meant to give owners and operators of the nation’s critical infrastructures a voluntary guide to known standards, best practices and methods for strengthening their enterprises against cyber threats. The administration is also crafting a series of potential incentives to encourage industry to adopt these standards and practices.
The 36-page discussion draft framework, up from three pages in July, contains three parts: a Core, Implementation Tiers, and a Profile. The core still consists of five functions, although it switches out “know” for “identify” as the first while retaining protect, detect, respond and recover to “provide a high-level, strategic view of an organization’s management of cybersecurity risk,” the draft says.
Like the earlier draft, each core function contains a number of categories and subcategories as well as references to common standards and practices. This time, the draft adds far more detail to each, all of which is collected in one of several appendixes.
The categories subdivide the functions into activities such as asset management and detection processes while the subcategories provide “high-level tactical activities to support technical implementation,” the draft says. The informative references also “illustrate a method to accomplish the activities within each subcategory,” it says.
The previous draft also outlined, for each function, implementation levels that corresponded to senior executives, business managers and operations managers. The new iteration renames these levels tiers and describes them in more depth, saying they demonstrate a progression through each stage in the implementation of the framework profile and of an organization’s risk management process.
For example, Tier 0 indicates an organization has not implemented a formal, threat-aware risk management process to help prioritize cybersecurity activities, while Tier 3 indicates that it updates its profile based on predictive indicators of cyber activity, allowing it to adapt to emerging and evolving threats.
The profile, a new element of the framework, establishes a “roadmap” showing the current status of an organization’s ability to accomplish each function alongside a target state of cybersecurity activities. The profile would help in “revealing gaps that should be addressed to meet cybersecurity risk management objectives,” the draft says.
The draft framework also contains a subsection on how it can be used to identify gaps where additional references would help in addressing emerging threats and a section on areas of improvement for the framework itself. These areas of improvement, which are not final, include authentication, automated indicator sharing, conformity assessment, data analytics, supply chains and interdependencies, international aspects, impacts and alignment, and privacy.
The framework contains an entire appendix on a methodology for protecting privacy and civil liberties.
The new details in the framework came out of the last workshop on the framework hosted by NIST in San Diego in July. Further changes could be in store following the next workshop in Dallas, Texas, in September.
“This is all for discussion,” Adam Sedgewick, senior information technology policy adviser at NIST, told Defense Daily on Aug. 29. “We’ll go into Dallas and we could hear feedback that we’re completely off-track on any one of these areas.”
In addition to the new draft framework, NIST released a separate two-page draft overview for senior executives that provides a high-level discussion of the cyber threat and how the emerging framework can help provide ways to manage risks and develop security programs. The agency also released a 17-page draft discussion of “illustrative examples” of how various threats such as cyber intrusions and malware work from an adversary’s perspective and how an organization can combat them.
The point of the “illustrative examples” is “we wanted to show how the framework could be put into practice,” Sedgewick said. He said that NIST will work with various critical infrastructure sectors on sector-specific mapping to the informative references, which will be part of the work in Dallas.
The next draft of the framework will be completed in October and the final version of the guide is supposed to be ready next February. However, the Executive Order calls for the framework to be a living document so it will be continuously updated.