Strengthening Federal Cybersecurity Networks
Revisiting the NIST Framework to Understand New Executive Order
By: Sean B. Hoar and Griffen J. Thorne
On May 11, 2017, President Donald Trump issued an Executive Order entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The order received attention for its stated policy goals regarding cyber risk management and the allocation of resources to protect critical infrastructure. One of the most important aspects of the order, however, is that it directs each federal agency to use the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity to manage cybersecurity risk.
President Trump’s direction to use the framework builds upon an earlier order by President Barack Obama. On February 12, 2013, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” President Obama’s order recognized that a secure digital infrastructure is critical to the economic and national security of the United States, and directed NIST to work with public and private sector stakeholders to develop a voluntary framework — based on existing standards, guidelines, and practices — for reducing cyber risks to critical infrastructure.
One year later, on February 12, 2014, NIST released the first version of the framework. The framework is a risk management tool to assist organizations in assessing cybersecurity risks, protecting against attacks, and detecting intrusions as they occur. The framework uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs, without imposing additional regulatory burdens.
The Background of the Framework
The framework was developed for critical infrastructure organizations, e.g., chemical, defense, energy, healthcare, information technology, transportation, etc. The framework recognizes the reality of our digital infrastructure: it is the central nervous system of our society. A secure digital infrastructure is critical to our economy, public health, and national security. Regardless of whether an organization involves critical or non-critical infrastructure, our information systems must remain stable, available, reliable, and secure. To that end, utilizing the framework — even for non-critical infrastructure organizations — may help organizations increase the stability and security of their networks.
The framework was intended to complement, not replace, existing organizational processes and cybersecurity protocols. This means that while an information technology team may have long ago established a robust information security regime, the outcomes can be measured against industry best practices as reflected in the framework. It can serve as one measure, and enable an organization to confirm that it meets or exceeds industry best practices. An organization without an existing cybersecurity program can use the framework as a reference to establish one — of course, in compliance with state information security standards.
The framework is technology neutral, which ensures extensibility and enables technological innovation. It relies on a variety of existing global standards, guidelines, and practices to enable critical infrastructure providers to achieve resilience. The standards, guidelines, and practices referred to in the framework have been developed, managed, and updated by various industries and allow geographic and technological scalability. Building upon this foundation, the framework provides a common vernacular and mechanism for organizations to identify their existing and desired security postures and to prioritize the allocation of resources to achieve and assess the achievement of their information security goals.
The framework consists of three parts: the framework core, the framework implementation tiers, and the framework profile. The framework core provides a set of cybersecurity activities to achieve desired outcomes, and makes reference to examples as guidance to achieve those outcomes. The framework implementation tiers provide context on organizational cybersecurity risk and processes to manage the risk. The framework profile represents selected organizational outcomes, based on business needs, which an organization has identified from elements of the framework.
The Framework Core
The framework core identifies cybersecurity activities and guidance to achieve desired outcomes. It presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across organizational platforms, from operations to the executive level. The core is composed of four elements: functions, categories, subcategories, and informative references.
Functions organize cybersecurity actions at their highest level. Categories are subdivisions of a function, which are outcomes tied closely to program needs and activities. Subcategories are further divisions of a category and identify more specific outcomes. The informative references are specific standards, guidelines, and practices that illustrate methodologies for achieving the outcomes specified in each subcategory. The framework core also provides referential resources for each function, such as existing standards, guidelines, and practices.
The framework core consists of the following five functions:
- Identification of cybersecurity risk, assets, data and capabilities;
- Protection of those assets;
- Development and implementation of a system to detect cybersecurity events;
- Development and implementation of a plan to respond to cybersecurity events; and
- Development and implementation of a plan to restore system capabilities after cyber events.
The information drawn from these functions provides a strategic view of the lifecycle of organizational management of cybersecurity risk.
The Framework Implementation Tiers
The framework implementation tiers provide context regarding an organization’s perception of cybersecurity risk and the processes to manage the risk. The tiers describe the degree to which organizational risk management practices exhibit desired characteristics defined in the framework. They reflect a progression from informal, reactive responses to adaptive, risk-informed approaches. The tiers provide an organizational risk-management selection process, drawing from threat environments, legal and regulatory requirements, business/mission objectives, and organizational constraints.
The framework implementation tiers are defined as follows:
Tier 1 — Partial: The organizational cybersecurity risk management practices are not formalized. There is limited organizational awareness of cybersecurity risk, and an organizational cyber risk management program has not been developed. As a consequence, the organization cannot coordinate or collaborate with other entities on the management of cyber risk.
Tier 2 — Risk Informed: Organizational risk-management practices are approved by management but may not be formally established as enterprise-wide policy. There is an organizational awareness of cybersecurity risk but an organizational cyber risk-management program has not been developed. Although the organization is aware of its role in the larger cyber ecosystem, it is not yet prepared to interact and share information externally.
Tier 3 — Repeatable: Organizational risk-management practices are formally approved by management and expressed as enterprise-wide policy. There is an organizational approach to cybersecurity risk management. The organization understands its dependency on other organizations and receives information from those organizations that enables collaboration and informed risk management decisions.
Tier 4 — Adaptive: Organizational risk-management practices adapt based on experiential learning. The organizational approach to cybersecurity risk management uses risk-informed policies, processes, and procedures. The organization actively manages risk and shares information with organizations to ensure that accurate, current information is being used to improve cybersecurity before a cybersecurity event occurs.
The Framework Profile
The framework profile represents selected organizational outcomes based on business needs, which an organization has identified from the framework categories and subcategories. It can be characterized as the alignment of standards, guidelines, and practices to particular desired outcomes. A comparative profile can be used to identify the need for improving cybersecurity, such as a “current” profile versus a “target” profile. The distance between the two can be used to measure progress when conducting self-assessments.
The framework provides the following steps to illustrate how an organization can create a new cybersecurity program or improve an existing program. These steps should be repeated as necessary to continuously improve cybersecurity:
- Prioritize and Scope: Organizations should first identify business/mission objectives and organizational priorities. They can then use this information to make strategic decisions regarding implementation of a cybersecurity program. In doing so, they can determine the scope of systems and assets that support selected business lines or processes and adapt their cybersecurity program to support them. It is important to recognize that each business line or process may have different business needs and risk tolerances.
- Orient: Once the scope of the cybersecurity program has been determined for a business line or process, the organization should identify related systems and assets. It should also identify regulatory requirements pertaining to those systems and assets. It can then develop an overall risk-management approach. The organization should then identify threats to, and vulnerabilities of, those systems and assets.
- Create a Current Profile: The organization should identify its existing security posture — or current profile — by indicating which category and subcategory outcomes from the framework core are currently being achieved.
- Conduct a Risk Assessment: The organization should conduct a risk assessment that is guided by its overall risk-management process or previous risk-assessment activities. An analysis of the operational environment should be done to discern the likelihood of a cybersecurity event and the impact such an event could have on the organization. It is important that organizations incorporate data into the analysis about emerging risks, threats, and vulnerabilities, in order to achieve the best understanding of the likelihood and impact of cybersecurity events.
- Create a Target Profile: The organization should identify its desired security posture — or target profile — through an assessment of the framework categories and subcategories. This assessment should describe the organization’s desired cybersecurity outcomes. It is recommended that organizations consider influences and requirements of external stakeholders, such as customers, investors, and sector peers, when creating the target profile.
- Determine, Analyze, and Prioritize Gaps: The organization should compare the current profile and the target profile to identify gaps in its desired information security posture. It should then develop a prioritized action plan to address those gaps. This should draw upon a variety of information, including the organizational mission, a cost/benefit analysis of increased security or the lack thereof, and an understanding of emerging risks. This type of planning can enable the organization to make informed decisions about cybersecurity activities and deploy appropriate resources to address the gaps in its security posture.
- Implement Action Plan: The organization should determine which actions to take to address the gaps in its security posture. It should then continuously monitor its cybersecurity practices to determine whether they align with the target profile. This will allow the organization to constantly evolve to better manage the emerging risks.
The framework is about risk management, which is the ongoing process of identifying, assessing, and responding to risk. In order to adequately manage risk, organizations must have the capacity to understand the likelihood and measurable consequences of a cybersecurity event. In assessing the risk of a cybersecurity event, organizations can determine the allocation of resources to mitigate, transfer, avoid, or accept the risk, each of which may have dramatically different outcomes on the delivery of organizational services. The key is for an organization to use risk-management processes to continuously inform its decisions, which will help it adapt to evolving circumstances and allocate appropriate resources toward desired outcomes.
President Trump’s Order and the Framework
The order — like the framework — is all about risk management. One of the key findings of the order is that federal information technology systems are antiquated and that the federal government should play a more active role in creating, maintaining, and modernizing information technology.
The first portion of the order places the onus on federal agency heads to “implement risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.” To that end, agency heads are directed to employ the framework — which was the result of President Obama’s earlier order — to create risk-management assessments. This portion of the order focuses largely on information-technology security measures within the executive branch.
The second portion of the order — consistent with the framework — relates to cybersecurity of critical infrastructure. This portion of the order directs a number of federal agencies, in partnership with certain critical-infrastructure entities, to identify areas in which to bolster risk-management and cybersecurity efforts.
The third portion of the order is broadly tailored to national cybersecurity. As with the prior portions of this order, this portion directs a number of federal agencies to draft reports on methods to be used for protecting national (and international) cybersecurity. Notably, this portion also directs certain federal agencies to assess cybersecurity workforce training efforts, and to plan for supporting and growing that workforce.
How Will the Order Affect Businesses?
Unless a business is in a critical-infrastructure industry, the order is likely to have little effect on its day-to-day operations in the near future. However, stronger cybersecurity measures within the federal infrastructure will inevitably benefit organizations that interact with that infrastructure. As explained above, the framework provides vital guidelines and practices for companies to assess risk, and these guidelines and practices can be employed by any business.
Cybersecurity risk management is not an easy process, and while the framework is an excellent model for developing and maintaining a cybersecurity risk-management program, it should be considered along with the myriad state information security standards and data breach response requirements (stay tuned to the Data Insights blog for Lewis Brisbois’ unveiling of its national interactive map of information security standards and breach response laws). It is therefore critical for organizations — especially those that collect or maintain consumer data — to consult with legal counsel knowledgeable about those requirements and standards, to ensure their protocols are legally compliant.