
What’s all the noise about the Cyber Security Framework?

ACR 2 Solutions Compliance Tools
The Cyber Security Framework
Airs Conference, May 2017

About ACR 2 Solutions – your NIST experts

ACR2 is a developer of scalable, real-time Risk Management and IT Compliance software solutions.

Tools to support information security laws and regulations, as follows: FISMA, GLBA, HIPAA, NAIC, NERC and PCI DSS, and most recently the Cyber Security Framework.

Risk and Compliance solutions for public, private, and government organizations.

Technical Implementation Partner for GA-HITREC.

We are an HP Healthcare Alliance Partner and work with Premier HP Resellers.

We currently work with hundreds of locations in Healthcare and Financial Services: single sites, distributed enterprises, and hospitals and their practices.

Today’s Agenda:

1) Introductions
2) History of the Cybersecurity Framework (CSF)
3) Why do we need the CSF?
4) Terminology and acronyms
5) What does the future of the CSF look like?
6) Will it remain optional?
7) The Cybersecurity Framework
8) How can it be utilized for my organization?
9) Questions and answers – as time allows

Getting to know you.

Who here:
1. Works for a company that uses the HIPAA Privacy, Security and Breach rules?
2. Has mandated Security and Privacy Awareness training for all employees?
3. Has read the Cybersecurity Framework Version 1? Draft 1.1?
4. Has read or knows what the “Omnibus rule” is?
5. Has ever been asked for a “Business Associate Agreement”, or requires them from contractors or partners?
6. Lastly, knows what NIST stands for?

The History of the CSF

What is the Framework, and what is it designed to accomplish?

The Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.

In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.

Cyber Security Objective

“[i]t is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity...”

Executive Order 13636, February 12, 2013

Executive Order 13636

The Cybersecurity Framework was published in February 2014, following a collaborative process involving industry, academia and government agencies.

More than 1000 individuals had input into the current revision.

The original goal was to develop a voluntary framework to help organizations manage cybersecurity risk in the nation’s critical infrastructure.

The framework has been widely adopted by many types of organizations across the country and around the world.

The 16 Critical Infrastructure Industries

▪ Chemical Sector
▪ Commercial Facilities Sector
▪ Communications Sector
▪ Critical Manufacturing Sector
▪ Defense Industrial Base Sector
▪ Dams Sector
▪ Emergency Services Sector
▪ Energy Sector
▪ Financial Services Sector
▪ Food and Agriculture Sector
▪ Government Facilities Sector
▪ Healthcare and Public Health Sector
▪ Information Technology Sector
▪ Nuclear Reactors, Materials, and Waste
▪ Transportation Systems Sector
▪ Water and Wastewater Systems

Executive Summary

The national and economic security of the United States depends on the reliable functioning of critical infrastructure.

Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.

Acronyms and Regulations

CCS – Council on CyberSecurity
COBIT – Control Objectives for Information and Related Technology
DCS – Distributed Control System
DHS – Department of Homeland Security
NIST – National Institute of Standards and Technology
OMB – Office of Management and Budget
ISO – International Organization for Standardization
ISO 27001/2
HIPAA
FISMA – Federal Information Security Management Act
GLBA – Gramm-Leach-Bliley Act
PCI – Payment Card Industry
Cybersecurity Framework
EO – Executive Order

Why do we need the CSF?

The national and economic security of the United States depends on the reliable functioning of our critical infrastructure.

To strengthen the resilience of this infrastructure, President Obama issued Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity”, on February 12, 2013.

This Executive Order calls for the development of a voluntary Cybersecurity Framework (“Framework”) to assist organizations responsible for critical infrastructure services to manage cybersecurity risk.

Cybersecurity Framework Overview

The Cybersecurity Framework – intention or design criteria:

Includes a set of standards, methodologies, procedures, and processes that align policy, business and technological approaches to address cyber risks.

Provides a prioritized, flexible, repeatable, performance-based and cost-effective approach.

This includes information security methods and controls to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.

Cybersecurity Framework Overview

The Cybersecurity Framework:

Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations.

Is consistent with voluntary international standards.

NAIC CYBERSECURITY TASK FORCE ADOPTS REGULATORY PRINCIPLES

National Association of Insurance Commissioners (NAIC)

• NAIC is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories. Through the NAIC, state insurance regulators establish standards and best practices, conduct peer review, and coordinate their regulatory oversight.

• http://www.naic.org/state_web_map.htm

Governor of New York: letter sent to all registered Financial Services, March 2015

Cybersecurity Executive Order

NIST Risk Management Framework (RMF) now mandatory for all federal agencies.

Agencies have 90 days to file implementation plans with OMB.

“Agency heads will be held accountable by the President for implementing risk management measures”…

More about NIST (from 1901 to 1988 called the Bureau of Standards)

• NIST publications, many of which are required for federal agencies, can serve as voluntary guidelines and best practices for state, local, and tribal governments and the private sector.

• NIST security standards and guidelines include:
  • Federal Information Processing Standards [FIPS]
  • Special Publications, which can be used to support the requirements of HIPAA, FISMA and GLBA
  • May be used by organizations to help provide a structured, yet flexible framework for selecting, specifying, employing, and evaluating the security controls in information systems.

• Most importantly, it’s what the auditors know and are required to use internally!

The Future of the CSF

A new update is coming…

What changes are included in the proposed revision? The draft revision (Version 1.1):

Clarifies use of Implementation Tiers and their relationship to Profiles,
Enhances guidance for applying the Framework for supply chain risk management,
Provides guidance on metrics and measurements using the Framework,
Adds the concept of identity proofing and expands authorization, and
Updates FAQs to support understanding and use of the Framework.

Should we use the CSF?

• If I adopt it, how will it impact my resources, cost and time, and how much new work will it create?

• Implementing the HIPAA Security Rule compared to implementing the Cybersecurity Framework (CSF):

• If you implement HIPAA using NIST SP 800-66, you will have 52% of the CSF requirements addressed.

• If you implement the CSF, you will have 68% of the HIPAA requirements covered.

Future Opportunity!

Why use NIST Security Controls?

There are official mappings between the NIST controls and:
ISO 27001/2
HIPAA
PCI
GLBA
Cybersecurity Framework
COBIT

Not necessarily state requirements.

[Diagram: overlapping scopes of PCI, ISO 27001/2, COBIT, HIPAA Security, state requirements, Cybersecurity Framework/NAIC and GLBA. Not to scale.]

We typically work on 3 regulations and the local state issues – most notably breach related.

• Our most common engagements are:
  • HIPAA Security
  • Risk Assessment
  • Security Awareness Training
  • Develop and review Policies and Procedures
  • Add Cybersecurity Framework controls
  • Add state-specific requirements, especially for disclosure/breach regulations

• Your organization may be different!

[Diagram: state-specific issues, Cybersecurity Framework/NAIC, HIPAA Compliance & Security, and GLBA.]

Critical Infrastructure Support

“It is the policy of the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation's critical infrastructure”

“Reasonable Security” Becomes Reasonably Clear

If cybersecurity risks appear to be ubiquitous, some comfort may be taken in the fact that reasonable defenses are well known. The Report emphasizes a finding that has been made regularly in Verizon’s annual Data Breach Investigations Reports: 99.9 percent of exploited vulnerabilities were compromised more than a year after the fix for the vulnerability had been made publicly available.

Defining a Reasonable Security Standard

California law requires organizations to implement “reasonable security procedures and practices . . . to protect personal information from unauthorized access, destruction, use, modification, or disclosure.” The Report, drawing on a rich dataset of reported breaches, for the first time sets forth the California Attorney General’s expectations, providing additional meaning to the “reasonable security” requirement.

Organization of the Cybersecurity Framework

Overview of the Framework

The Framework complements, and does not replace, an organization’s risk management process and cybersecurity program. Organizations can use it to:

1) Describe their current cybersecurity posture;
2) Describe their target state for cybersecurity;
3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
4) Assess progress toward the target state;
5) Communicate among internal and external stakeholders about cybersecurity risk.

Overview of the Framework

The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.

The Framework Core

A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.

The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization.

The Framework Profile

A Framework Profile (“Profile”) represents the outcomes, based on business needs, that an organization has selected from the Framework Categories and Subcategories.

The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario.

The Framework Implementation Tiers

Provide the context on how an organization views cybersecurity risk and the processes in place to manage that risk.

Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework.

Risk and threat awareness: Partial, Risk Informed, Repeatable and Adaptable.

Implementation Overview

Framework 7-Step Process

Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze and Prioritize Gaps
Step 7: Implement Action Plan

Define the previous slide points.

Implementation Tiers

By the way… there are co$ts associated with implementation.

In order to be a 4 in a key area, you may choose to be a 2 in

That cost-benefit analysis tells you where you can focus.

The Core is designed to translate the highly technical discipline that is cybersecurity to the other disciplines.

Cybersecurity works when the whole organization is in sync.

The Core

The five Framework Core Functions:

Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

The Five Cyber Security Framework Core Functions

The Core and Categories

“The Core 5 and the next 22 Categories are simple, but not all groups will define the terms the same… The terminology is purposely selected to be generally available and understood by many.”

The Core and Categories with IDs

The Mantra: “Identify, Protect, Detect, Respond and Recover”

The Core to the Granular Usable Guidance

[Diagram: the Cybersecurity Framework hierarchy, from the Core down to granular usable guidance.]

Using the Cybersecurity Framework

Building a Profile in 3 steps.

A profile can be thought of in terms of:
Mission Objectives
Cybersecurity Requirements
Legislation
Regulations
Internal & External Policies
Best Practice
Operating Methodologies.

Conceptual Profile

Comply once, report many: HIPAA, FISMA, Sarbanes-Oxley.

There can be hundreds of distinct profiles.

Resource and Budgeting…

Why aren’t you addressing the activities in order of priority? Why aren’t you doing subcategory 1?

Its priority was lower, the gaps were smaller, and the costs were greater than for categories 2 and 3.

You end up with a defensible plan!

Creating or editing a profile.

HHS and HIPAA Security Rule to Cybersecurity Framework mappings.

Profiles are there.. Efficiency is there..

Three 2-hour meetings.

Small Organization Cyber Security Compliance

At least annually, start the Cyber Security Risk Management Program:

Step 1 – Prioritize and Scope Program, i.e. what assets to protect?
Step 2 – Orient, i.e. locate assets at risk
Step 3 – Create Current Profile, i.e. how are assets currently protected?
Step 4 – Select Compliance Option and Conduct Risk Assessment. NIST recommended for US sites, ISO internationally
Step 5 – Create Target Profile showing desired risk levels
Step 6 – Gap Analysis – what is required to achieve desired risk levels?
Step 7 – Action Plan – implement changes to achieve desired risk levels
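As an added illustration of steps 3 and 5 through 7 above, and of the priority/gap/cost reasoning on the Resource and Budgeting slide (this is example code, not ACR 2 Solutions' tool): a current and a target profile are compared subcategory by subcategory, and the tier increases are funded in priority and cost order until a constructed budget runs out. The subcategory IDs are CSF 1.0 identifiers; the tier values, priorities, costs and budget are assumed sample values.

```python
"""Profile gap analysis and cost-weighted action plan for the CSF 7-step
process (steps 3, 5, 6 and 7). Constructed illustration, not ACR 2 Solutions'
tool. Subcategory IDs are CSF 1.0 identifiers; tiers, priorities, costs and
the budget are constructed sample values."""
from dataclasses import dataclass

# Implementation Tier names from the Framework, on a constructed 1..4 scale
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    subcategory: str    # CSF subcategory ID, e.g. "PR.AC-1"
    function: str       # Identify / Protect / Detect / Respond / Recover
    priority: int       # 1 = highest mission priority (constructed)
    cost_per_tier: int  # constructed cost of raising the tier by one level


OUTCOMES = [
    Outcome("ID.AM-1", "Identify", 2, 3),  # devices and systems inventoried
    Outcome("PR.AC-1", "Protect", 1, 5),   # identities and credentials managed
    Outcome("PR.AT-1", "Protect", 3, 2),   # all users informed and trained
    Outcome("DE.CM-1", "Detect", 1, 4),    # network monitored for events
    Outcome("RS.RP-1", "Respond", 2, 1),   # response plan executed
]
# Step 3, current profile: tier reached today (constructed)
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "PR.AT-1": 2, "DE.CM-1": 1, "RS.RP-1": 1}
# Step 5, target profile: desired tier (constructed)
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 4, "PR.AT-1": 3, "DE.CM-1": 3, "RS.RP-1": 2}


def gap_analysis(current, target):
    """Step 6: {subcategory: (current, target, gap)} for every target outcome.
    A subcategory absent from the current profile counts as Tier 1 (Partial);
    an outcome already at or above its target has gap 0."""
    gaps = {}
    for sub, tgt in target.items():
        cur = current.get(sub, 1)
        gaps[sub] = (cur, tgt, max(0, tgt - cur))
    return gaps


def action_plan(gaps, outcomes, budget):
    """Step 7: one action per tier step, ordered by priority, then cost, then
    ID and level; fund in that order while the budget allows, defer the rest.
    Returns (funded, deferred, unspent) with (subcategory, tier) pairs."""
    by_id = {o.subcategory: o for o in outcomes}
    actions = sorted(
        (by_id[sub].priority, by_id[sub].cost_per_tier, sub, level)
        for sub, (cur, tgt, _gap) in gaps.items()
        for level in range(cur + 1, tgt + 1))
    funded, deferred, unspent = [], [], budget
    for _prio, cost, sub, level in actions:
        if cost <= unspent:
            unspent -= cost
            funded.append((sub, level))
        else:
            deferred.append((sub, level))
    return funded, deferred, unspent


def planned_profile(current, funded):
    """Profile reached once the funded actions are done."""
    planned = dict(current)
    for sub, level in funded:
        planned[sub] = max(planned.get(sub, 1), level)
    return planned


if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    funded, deferred, unspent = action_plan(gaps, OUTCOMES, budget=20)
    for sub, tier in planned_profile(CURRENT_PROFILE, funded).items():
        print(f"{sub}: {TIERS[tier]} (target {TIERS[TARGET_PROFILE[sub]]})")
    print("deferred:", deferred, "unspent:", unspent)
```

With the sample budget, PR.AC-1 is funded toward Tier 4 while PR.AT-1 stays at Tier 2, which is the "be a 4 in a key area, a 2 elsewhere" trade-off the slides describe.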

Office of Civil Rights (OCR) Risk Assessment Steps

• Step 1 System Characterization
• Step 2 Threat Identification
• Step 3 Vulnerability Identification
• Step 4 Control Analysis
• Step 5 Likelihood Determination
• Step 6 Impact Analysis
• Step 7 Risk Determination
• Step 8 Control Recommendations
• Step 9 Results Documentation

NIST Risk Management Framework

3.1 RMF STEP 1 – CATEGORIZE INFO. SYSTEM
3.2 RMF STEP 2 – SELECT SECURITY CONTROLS
3.3 RMF STEP 3 – IMPLEMENT CONTROLS
3.4 RMF STEP 4 – ASSESS SECURITY CONTROLS
3.5 RMF STEP 5 – AUTHORIZE INFO. SYSTEM
3.6 RMF STEP 6 – MONITOR SECURITY CONTROLS

NIST Risk Management Framework

3.1 RMF STEP 1 – CATEGORIZE INFO. SYSTEM

TASK 1-1: Categorize the information system and document the results… References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-59, 800-60; CNSS Instruction 1253.
TASK 1-2: Describe the information system… References: None.
TASK 1-3: Register the information system… References: None.

Safeguard Inventory Input

NIST Risk Management Framework

3.2 RMF STEP 2 – SELECT SECURITY CONTROLS

TASK 2-1: Identify…and document the controls in a security plan… References: FIPS 199, 200; NIST 800-30, 800-53; CNSS 1253.
TASK 2-2: Select the security controls… References: FIPS 199, 200; 800-30, 800-53; CNSS 1253.
TASK 2-3: Develop a strategy for the continuous monitoring… References: NIST 800-30, 800-39, 800-53; 800-53A; CNSS 1253.
TASK 2-4: Review and approve the security plan. References: NIST 800-30, 800-53; CNSS 1253.

Content Based

NIST 800-53 Safeguards

Symbol | NIST Title | CUI / CSF / HIPAA / Privacy
AC-02 | Account Management | X X X
AC-03 | Access Enforcement | X X X X
AC-04 | Information Flow Enforcement | X X X
AC-05 | Separation of Duties | X X X X
AC-06 | Least Privilege | X X X X
AC-07 | Unsuccessful Logon Attempts | X X
AC-08 | System Use Notification | X X
AC-11 | Session Lock | X X X
AC-12 | Session Termination | X X X
AC-17 | Remote Access | X X X X
AC-18 | Wireless Access | X X
AC-19 | Access Control for Mobile Devices | X X X X
AC-20 | Use of External Information Systems | X X
AC-22 | Publicly Accessible Content | X X
AT-02 | Security Awareness Training | X X X
AT-03 | Role-Based Security Training | X X X
AU-02 | Auditable Events | X X X X
AU-03 | Content of Audit Records | X X X
AU-06 | Audit Review, Analysis, and Reporting | X X X X
AU-07 | Audit Reduction and Report Generation | X X X
AU-12 | Audit Generation | X X
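An added illustration of the “comply once, report many” idea behind this table (example code, not ACR 2 Solutions' tool): one set of implemented 800-53 controls is scored against every regime at once, and the cross-coverage of one regime by another is computed the way the 52%/68% figures earlier in the deck are. Control IDs and titles are taken from the table; the regimes assigned to each control are assumed sample values, since the flattened table shows only an X count per row.

```python
"""'Comply once, report many' over a NIST SP 800-53 crosswalk. Constructed
illustration, not ACR 2 Solutions' tool. Control IDs and titles are from the
safeguard table on the slide; the regimes each control satisfies are a
constructed sample, since the flattened slide shows only an X count per row."""
REGIMES = ("CUI", "CSF", "HIPAA", "Privacy")

# constructed crosswalk: control -> (title, regimes whose requirement it meets)
CROSSWALK = {
    "AC-02": ("Account Management", {"CUI", "CSF", "HIPAA"}),
    "AC-03": ("Access Enforcement", {"CUI", "CSF", "HIPAA", "Privacy"}),
    "AC-06": ("Least Privilege", {"CUI", "CSF", "HIPAA", "Privacy"}),
    "AC-07": ("Unsuccessful Logon Attempts", {"CUI", "CSF"}),
    "AC-08": ("System Use Notification", {"CUI", "HIPAA"}),
    "AC-17": ("Remote Access", {"CUI", "CSF", "HIPAA", "Privacy"}),
    "AT-02": ("Security Awareness Training", {"CSF", "HIPAA", "Privacy"}),
    "AU-02": ("Auditable Events", {"CUI", "CSF", "HIPAA", "Privacy"}),
    "AU-12": ("Audit Generation", {"CUI", "CSF"}),
}


def required_by(crosswalk=CROSSWALK):
    """Invert the crosswalk: regime -> frozenset of controls it requires."""
    out = {r: set() for r in REGIMES}
    for ctrl, (_title, regimes) in crosswalk.items():
        for r in regimes:
            out[r].add(ctrl)
    return {r: frozenset(c) for r, c in out.items()}


def coverage(implemented, crosswalk=CROSSWALK):
    """Report once, for every regime: (satisfied, required, percent) given
    the controls the organization has actually implemented."""
    report = {}
    for regime, needed in required_by(crosswalk).items():
        hit = len(needed & set(implemented))
        pct = round(100.0 * hit / len(needed), 1) if needed else 100.0
        report[regime] = (hit, len(needed), pct)
    return report


def cross_coverage(done_regime, other_regime, crosswalk=CROSSWALK):
    """Percent of `other_regime` satisfied by implementing everything that
    `done_regime` requires (the deck's 52% / 68% style figures)."""
    needed = required_by(crosswalk)
    return coverage(needed[done_regime], crosswalk)[other_regime][2]


def next_controls(implemented, regime, crosswalk=CROSSWALK):
    """Unimplemented controls still needed for `regime`, those that also
    count toward the most other regimes first (best comply-once value)."""
    missing = required_by(crosswalk)[regime] - set(implemented)
    return sorted(missing, key=lambda c: (-len(crosswalk[c][1]), c))


if __name__ == "__main__":
    done = {"AC-02", "AC-03", "AC-06", "AU-02"}  # constructed implemented set
    for regime, (hit, need, pct) in coverage(done).items():
        print(f"{regime:8} {hit}/{need} ({pct}%)")
    print("HIPAA -> CSF:", cross_coverage("HIPAA", "CSF"), "%")
    print("next for HIPAA:", next_controls(done, "HIPAA"))
```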

NIST Risk Management Framework

3.3 RMF STEP 3 – IMPLEMENT SECURITY CONTROLS

TASK 3-1: Implement the security controls specified in the security plan… References: FIPS 200; NIST 800-30, 800-53, 800-53A; CNSS 1253; Web: SCAP.NIST.GOV.
TASK 3-2: Document the security control implementation… References: NIST 800-53; CNSS 1253.

NIST Risk Management Framework

3.4 RMF STEP 4 – ASSESS SECURITY CONTROLS

TASK 4-1: Develop, review, and approve a plan to assess the security controls. References: NIST Special Publication 800-53A.
TASK 4-2: Assess the security controls… References: NIST 800-53A.
TASK 4-3: Prepare the security assessment report… References: NIST 800-53A.
TASK 4-4: Conduct initial remediation actions… References: NIST 800-30, 800-53A.

NIST Risk Management Framework

3.5 RMF STEP 5 – AUTHORIZE INFO. SYSTEM

TASK 5-1: Prepare the plan of action and milestones… References: OMB Memorandum 02-01; NIST 800-30, 800-53A.
TASK 5-2: Assemble the security authorization package… References: None.
TASK 5-3: Determine the risk… References: NIST 800-30, 800-39.
TASK 5-4: Determine if the risk…is acceptable. References: NIST 800-39.

NIST Risk Management Framework

3.6 RMF STEP 6 – MONITOR SECURITY CONTROLS

TASK 6-1: Determine the security impact… References: NIST 800-30, 800-53A.
TASK 6-2: Assess a selected subset of the…security controls… References: NIST 800-53A.
TASK 6-3: Conduct remediation actions… References: NIST 800-30, 800-53, 800-53A; CNSS 1253.
TASK 6-4: Update the security plan…based on the results of the continuous monitoring process. References: NIST 800-53A.
TASK 6-5: Report the security status of the information system… on an ongoing basis… References: NIST 800-53A.
TASK 6-6: Review the reported security status of the information system…to determine whether the risk…remains acceptable. References: NIST 800-30, 800-39.
TASK 6-7: Implement an information system decommissioning strategy… References: NIST 800-30, 800-53A.

Monitoring Multiple Sites or Network Segments

Example – EPA RFI, 3/17, RFQ-DC-17-00099: RMF compliance for 48 networks / 15,000 assets.

Other Cybersecurity and Management Services

For More Information

Website – www.ACR2solutions.com

Contacts:
Jack Kolk, Benicia CA, 707 742-4211 or [email protected]
Robert Peterson, Lilburn GA, 770 381-9229 or [email protected]