
Improving Critical Infrastructure Cybersecurity Executive Order 13636

Preliminary Cybersecurity Framework




Note to Reviewers

The Preliminary Cybersecurity Framework for improving critical infrastructure cybersecurity is now available for review. The Preliminary Cybersecurity Framework is provided by the National Institute of Standards and Technology (NIST).

If the Cybersecurity Framework is to be effective in helping to reduce cybersecurity risk to the Nation’s critical infrastructure, it must be able to assist organizations in addressing a variety of cybersecurity challenges. The National Institute of Standards and Technology (NIST) requests that reviewers consider the following questions:

Does the Preliminary Framework:

• adequately define outcomes that strengthen cybersecurity and support business objectives?

• enable cost-effective implementation?

• appropriately integrate cybersecurity risk into business risk?

• provide the tools for senior executives and boards of directors to understand risks and mitigations at the appropriate level of detail?

• provide sufficient guidance and resources to aid businesses of all sizes while maintaining flexibility?

• provide the right level of specificity and guidance for mitigating the impact of cybersecurity measures on privacy and civil liberties?

• express existing practices in a manner that allows for effective use?

Will the Preliminary Framework, as presented:

• be inclusive of, and not disruptive to, effective cybersecurity practices in use today, including widely-used voluntary consensus standards that are not yet final?

• enable organizations to incorporate threat information?

Is the Preliminary Framework:

• presented at the right level of specificity?

• sufficiently clear on how the privacy and civil liberties methodology is integrated with the Framework Core?

Disclaimer

Any mention of commercial products is for information only; it does not imply NIST recommendation or endorsement, nor does it imply that the products mentioned are necessarily the best available for the purpose.



Table of Contents

1.0 Framework Introduction ..... 1
2.0 Framework Basics ..... 5
3.0 How to Use the Framework ..... 11
Appendix A: Framework Core ..... 13
Appendix B: Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program ..... 28
Appendix C: Areas for Improvement for the Cybersecurity Framework ..... 36
Appendix D: Framework Development Methodology ..... 40
Appendix E: Glossary ..... 42
Appendix F: Acronyms ..... 44

List of Figures

Figure 1: Framework Core Structure ..... 5
Figure 2: Profile Comparisons ..... 8
Figure 3: Notional Information and Decision Flows within an Organization ..... 9

List of Tables

Table 1: Framework Core ..... 13
Table 2: Function and Category Unique Identifiers ..... 27
Table 3: Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program ..... 28



1.0 Framework Introduction

The national and economic security of the United States depends on the reliable functioning of critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity” on February 12, 2013.[1] This Executive Order calls for the development of a voluntary Cybersecurity Framework (“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” for assisting organizations responsible for critical infrastructure services to manage cybersecurity risk.

Critical infrastructure is defined in the EO as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Due to the increasing pressures from external threats, organizations responsible for critical infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk.

The critical infrastructure community includes public and private owners and operators, and other supporting entities that play a role in securing the Nation’s infrastructure. Each sector performs critical functions that are supported by information technology (IT), industrial control systems (ICS) and, in many cases, both IT and ICS.[2] To manage cybersecurity risks, a clear understanding of the security challenges and considerations specific to IT and ICS is required. Because each organization’s risk is unique, along with its use of IT and ICS, the implementation of the Framework will vary.

The Framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk. A key objective of the Framework is to encourage organizations to consider cybersecurity risk as a priority similar to financial, safety, and operational risk while factoring in larger systemic risks inherent to critical infrastructure.

The Framework relies on existing standards, guidance, and best practices to achieve outcomes that can assist organizations in managing their cybersecurity risk. By relying on those practices developed, managed, and updated by industry, the Framework will evolve with technological advances and business requirements. The use of standards will enable economies of scale to drive innovation and development of effective products and services that meet identified market needs. Market competition also promotes faster diffusion of these technologies and realization of many benefits by the stakeholders in these sectors.

Building off those standards, guidelines, and practices, the Framework provides a common language and mechanism for organizations to: 1) describe their current cybersecurity posture; 2) describe their target state for cybersecurity; 3) identify and prioritize opportunities for improvement within the context of risk management; 4) assess progress toward the target state; 5) foster communications among internal and external stakeholders.

[1] 78 FR 11737
[2] The DHS CIKR program provides a listing of the sectors and their associated critical functions and value chains. http://www.dhs.gov/critical-infrastructure



The Framework complements, and does not replace, an organization’s existing business or cybersecurity risk management process and cybersecurity program. Rather, the organization can use its current processes and leverage the Framework to identify opportunities to improve an organization’s management of cybersecurity risk. Alternatively, an organization without an existing cybersecurity program can use the Framework as a reference to establish one.

The goal of the open process in developing the Preliminary Framework was to develop a robust technical basis to allow organizations to align this guidance with their organizational practices. This Preliminary Framework is being issued for public comment for stakeholders to inform the next version of the Framework that will be completed in February 2014, as required in EO 13636.

1.1 Overview of the Framework

The Framework is a risk-based approach composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. These components are detailed below.

• The Framework Core is a set of cybersecurity activities and references that are common across critical infrastructure sectors organized around particular outcomes. The Core presents standards and best practices in a manner that allows for communication of cybersecurity risk across the organization from the senior executive level to the implementation/operations level. The Framework Core consists of five Functions—Identify, Protect, Detect, Respond, Recover—which can provide a high-level, strategic view of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each of these Functions, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory. This structure ties the high-level strategic view, outcomes and standards-based actions together for a cross-organization view of cybersecurity activities. For instance, for the “Protect” Function, categories include: Data Security; Access Control; Awareness and Training; and Protective Technology. ISO/IEC 27001 Control A.10.8.3 is an informative reference which supports the “Data during transportation/transmission is protected to achieve confidentiality, integrity, and availability goals” Subcategory of the “Data Security” Category in the “Protect” Function.
Appendix B contains a methodology to protect privacy and civil liberties for a cybersecurity program as required under the Executive Order. Organizations may already have processes for addressing privacy risks such as a process for conducting privacy impact assessments. The privacy methodology is designed to complement such processes by highlighting privacy considerations and risks that organizations should be aware of when using cybersecurity measures or controls. As organizations review and select relevant categories from the Framework Core, they should review the corresponding category section in the privacy methodology. These considerations provide organizations with flexibility in determining how to manage privacy risk.

• A Framework Profile (“Profile”) represents the outcomes that a particular system or organization has achieved or is expected to achieve as specified in the Framework Categories and Subcategories. The Profile can be characterized as the alignment of industry standards and best practices to the Framework Core in a particular implementation scenario. Profiles are also used to identify opportunities for improving cybersecurity by comparing a “Current” Profile with a “Target” Profile. The Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. In this sense, Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.

• Framework Implementation Tiers (“Tiers”) describe how cybersecurity risk is managed by an organization. The Tier selection process considers an organization’s current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics (e.g., risk and threat aware, repeatable, and adaptive) defined in Section 2.3. The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4), progressing from informal, reactive implementations to approaches that are agile and risk-informed.

1.2 Risk Management and the Cybersecurity Framework

Risk management is the process of identifying, assessing, and responding to risk. Particularly within critical infrastructure, organizations should understand the likelihood that a risk event will occur and the resulting impact. With this information, organizations determine the acceptable level of risk for IT and ICS assets and systems, expressed as their risk tolerance.

With an understanding of risk tolerance, organizations can prioritize systems that require attention. This will enable organizations to optimize cybersecurity expenditures. Furthermore, the implementation of risk management programs offers organizations the ability to quantify and communicate changes to organizational cybersecurity. Risk is also a common language that can be communicated to internal and external stakeholders.

While not a risk management process itself, the Framework uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity. The Framework utilizes risk assessment to help organizations select optimized target states for cybersecurity activities. Thus, the Framework gives organizations the ability to dynamically select and direct improvements in both IT and ICS cybersecurity risk management.

A comprehensive risk management approach provides the ability to identify, assess, respond to, and monitor cybersecurity-related risks and provide organizations with the information to make ongoing risk-based decisions. Examples of cybersecurity risk management processes include the International Organization for Standardization (ISO) 31000, ISO 27005, NIST Special Publication (SP) 800-39 and the Electricity Sector Cybersecurity Risk Management Process (RMP) Guideline.

Within the critical infrastructure, organizations vary widely in their business models, resources, risk tolerance, approaches to risk management, and effects on security, national economic security, and national public health or safety. Because of these differences, the Framework is risk-based to provide flexible implementation.

1.3 Document Overview

The remainder of this document contains the following sections and appendices:

• Section 2 describes the Framework components: the Framework Core, the Tiers, and the Profiles.

• Section 3 presents examples of how the Framework can be used.

• Appendix A presents the Framework Core in a tabular format: the Functions, Categories, Subcategories, and Informative References.

• Appendix B contains a methodology to protect privacy and civil liberties for a cybersecurity program.

• Appendix C discusses areas for improvement in cybersecurity standards and practices identified as a result of the Framework efforts to date.

• Appendix D describes the Framework development methodology.

• Appendix E contains a glossary of selected terms.

• Appendix F lists acronyms used in this document.



2.0 Framework Basics

The Framework provides a common language for expressing, understanding, and managing cybersecurity risk, both internally and externally. The Framework can be used to help identify and prioritize actions for reducing cybersecurity risk and is a tool for aligning policy, business, and technological approaches to managing that risk. Different types of entities — including sectors, organizations, and associations — can use the Framework for different means, including the creation of common Profiles.

2.1 Framework Core

The Framework Core provides references to cybersecurity activities and Informative References. The Framework Core is not a checklist of activities to perform; it presents key cybersecurity outcomes that are aligned with activities known to manage cybersecurity risk. These activities are mapped to a subset of commonly used standards and guidelines. The Framework Core comprises four elements—Functions, Categories, Subcategories, and Informative References—depicted in Figure 1:

Figure 1: Framework Core Structure

The Framework Core elements work together as follows:

• Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover. The functions aid in communicating the state of an organization’s cybersecurity activities by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities. The functions also align with existing methodologies for incident management, and can be used to help show the impact of investments in cybersecurity. For example, investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to delivery of services.

• Categories are the subdivisions of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities. Examples of Categories include “Asset Management,” “Access Control,” and “Detection Processes.”

• Subcategories further subdivide a Category into high-level outcomes, but are not intended to be a comprehensive set of practices to support a category. Examples of subcategories include “Physical devices and systems within the organization are catalogued,” “Data-at-rest is protected,” and “Notifications from the detection system are investigated.”

• Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors and illustrate a method to accomplish the activities within each Subcategory. The Subcategories are derived from the Informative References. The Informative References presented in the Framework Core are not exhaustive but are example sets, and organizations are free to implement other standards, guidelines, and practices.[3]

See Appendix A for the complete Framework Core listing. In addition, Appendix B provides an initial methodology to help organizations identify and mitigate impacts of the Cybersecurity Framework and associated information security measures or controls on privacy and civil liberties.

The five Framework Core Functions defined below apply to both IT and ICS.

• Identify – Develop the institutional understanding to manage cybersecurity risk to organizational systems, assets, data, and capabilities.
The Identify Function includes the following categories of outcomes: Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy. The activities in the Identify Function are foundational for effective implementation of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus its efforts and resources. Defining a risk management strategy enables risk decisions consistent with the business needs of the organization.

• Protect – Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services.
The Protect function includes the following categories of outcomes: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, and Protective Technology. The Protect activities are performed consistent with the organization’s risk strategy defined in the Identify function.

• Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
The Detect function includes the following categories of outcomes: Anomalies and Events, Security Continuous Monitoring, and Detection Processes. The Detect function enables timely response and the potential to limit or contain the impact of potential cyber incidents.

• Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event.
The Respond function includes the following categories of outcomes: Response Planning, Analysis, Mitigation, and Improvements. The Respond function is performed consistent with the business context and risk strategy defined in the Identify function. The activities in the Respond function support the ability to contain the impact of a potential cybersecurity event.

• Recover – Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the capabilities or critical infrastructure services that were impaired through a cybersecurity event.
The Recover function includes the following categories of outcomes: Recovery Planning, Improvements, and Communications. The activities in the Recover function are performed consistent with the business context and risk strategy defined in the Identify function. The activities in the Recover function support timely recovery to normal operations to reduce the impact from a cybersecurity event.

[3] NIST developed a compendium of informative references, gathered from the RFI input, Cybersecurity Framework workshops, and stakeholder engagement during the Framework development process, that includes standards, guidelines, and practices to assist with implementation. The Compendium is not intended to be an exhaustive list, but rather a starting point based on stakeholder input.

2.2 Framework Profile

A Framework Profile (“Profile”) is a tool to enable organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organization and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities. A Framework Profile can be used to describe both the current state and the desired target state of specific cybersecurity activities, thus revealing gaps that should be addressed to meet cybersecurity risk management objectives. Figure 2 shows the two types of Profiles: Current and Target. The Current Profile indicates the cybersecurity outcomes that are currently being achieved. The Target Profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals. The Target Profile is built to support business/mission requirements and aid in the communication of risk within and between organizations.

The Profile is the alignment of the Functions, Categories, Subcategories and industry standards and best practices with the business requirements, risk tolerance, and resources of the organization. Identifying the gaps between the Current Profile and the Target Profile allows the creation of a prioritized roadmap that organizations will implement to reduce cybersecurity risk.

The prioritization of the gaps is driven by the organization’s Risk Management Processes and
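As an added example, not part of the NIST document, the following Python models the Core hierarchy described in Section 2.1 (Function, Category, Subcategory, Informative References) and the Current Profile versus Target Profile gap analysis and prioritized roadmap described in Section 2.2. The Subcategory identifiers (ID.AM-1, PR.DS-1, PR.DS-2, DE.DP-1) are assumed here for illustration, the two Profiles and the risk ratings are constructed, and only the ISO/IEC 27001 Control A.10.8.3 reference and the outcome statements come from the text; the other references are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subcategory:
    sid: str           # unique identifier; the "PR.DS-2" pattern is assumed here
    outcome: str       # high-level outcome statement
    references: tuple  # Informative References (example sections of standards)


@dataclass(frozen=True)
class Category:
    cid: str
    name: str
    subcategories: tuple


@dataclass(frozen=True)
class Function:
    fid: str
    name: str
    categories: tuple


# Constructed fragment of the Framework Core for illustration only.
CORE = (
    Function("ID", "Identify", (
        Category("ID.AM", "Asset Management", (
            Subcategory("ID.AM-1",
                        "Physical devices and systems within the organization are catalogued",
                        ("placeholder reference",)),
        )),
    )),
    Function("PR", "Protect", (
        Category("PR.DS", "Data Security", (
            Subcategory("PR.DS-1", "Data-at-rest is protected",
                        ("placeholder reference",)),
            Subcategory("PR.DS-2",
                        "Data during transportation/transmission is protected to achieve "
                        "confidentiality, integrity, and availability goals",
                        ("ISO/IEC 27001 Control A.10.8.3",)),
        )),
    )),
    Function("DE", "Detect", (
        Category("DE.DP", "Detection Processes", (
            Subcategory("DE.DP-1",
                        "Notifications from the detection system are investigated",
                        ("placeholder reference",)),
        )),
    )),
)


def index_core(core=CORE):
    """Map each Subcategory id to its (Function, Category, Subcategory) path."""
    idx = {}
    for fn in core:
        for cat in fn.categories:
            for sub in cat.subcategories:
                if sub.sid in idx:
                    raise ValueError(f"duplicate Subcategory id {sub.sid}")
                idx[sub.sid] = (fn, cat, sub)
    return idx


def find_gaps(current, target, core=CORE):
    """Return the ids the Target Profile expects but the Current Profile does not achieve.

    current: dict sid -> bool (True = outcome currently achieved)
    target:  set of sids the Target Profile expects to be achieved
    Unknown ids are rejected rather than ignored, so a typo cannot hide a gap.
    """
    idx = index_core(core)
    unknown = (set(current) | set(target)) - set(idx)
    if unknown:
        raise ValueError(f"ids not in Framework Core: {sorted(unknown)}")
    return sorted(sid for sid in target if not current.get(sid, False))


def prioritized_roadmap(gaps, risk_ratings, core=CORE):
    """Order gaps by the rating the organization's risk management process assigned
    (higher first; ties by id). Rows: (sid, rating, Function, Category, references)."""
    idx = index_core(core)
    rows = []
    for sid in gaps:
        fn, cat, sub = idx[sid]
        rows.append((sid, risk_ratings.get(sid, 0), fn.name, cat.name, sub.references))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


# Constructed Profiles and risk ratings (1-10 scale) for illustration.
CURRENT_PROFILE = {"ID.AM-1": True, "PR.DS-1": True, "PR.DS-2": False}
TARGET_PROFILE = {"ID.AM-1", "PR.DS-1", "PR.DS-2", "DE.DP-1"}
RISK_RATINGS = {"PR.DS-2": 8, "DE.DP-1": 6}

if __name__ == "__main__":
    gaps = find_gaps(CURRENT_PROFILE, TARGET_PROFILE)
    for sid, rating, fn, cat, refs in prioritized_roadmap(gaps, RISK_RATINGS):
        print(f"{rating:>2}  {sid:<8} {fn}/{cat}: {', '.join(refs)}")
```

A Current Profile entry that is absent is treated the same as one explicitly marked not achieved, so an outcome the organization never assessed still surfaces as a gap; the Informative References attached to each gap give the roadmap a concrete starting point for what "closing" the gap can mean.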