Everything posted by Tom.Conkle

  1. Tom.Conkle

    Demystifying the NIST CSF: CSF 101

    Ken, thanks for sharing the webinar. Sessions like these are helping to spread the word regarding the Framework and helping the community understand how they can use it. On March 1, 2017, NIST hosted two additional webinars, presented by Matt Barrett, the NIST Cybersecurity Framework PM. The first session is a Framework overview and the second reviews the proposed changes in the Version 1.1 update. The webinars are available at: https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events Tom
  2. On January 10, 2017, NIST released a draft update to the "Framework for Improving Critical Infrastructure Cybersecurity". Per NIST, the draft update was created to refine, clarify, and enhance version 1.0. The update is not intended to disrupt any organizations currently using the Framework. The updates should align with their current business processes relating to the Framework and help add clarity for those implementing the Framework for the first time. NIST created the update based on comments received from the community through the December 2015 RFI and April 2016 workshop. Additionally, the update addresses several of the items listed for further analysis in the Framework companion document ("NIST Roadmap for Improving Critical Infrastructure Cybersecurity"). The refinements, clarifications, and enhancements include a new section on cybersecurity measurement, a stronger emphasis on supply chain risk management, refinements in the access control category, and a better explanation of the relationship between the Implementation Tiers and Profiles. NIST is seeking public comment on the draft to improve the update before it goes final and to determine whether the updates could impact an organization currently implementing the Framework. NIST intends to convene a workshop after reviewing public comments to further refine the update before the final update is published, currently planned for fall of 2017. Cybersecurity Framework version 1.1 is located on the NIST website at https://www.nist.gov/cyberframework/draft-version-11. What are your thoughts on the updates?
  3. As G2's engineers help to implement the Cybersecurity Framework around the world, we often find that clients are using (or plan to use) the ISO/IEC 27000 family of standards to help establish, implement, maintain, and continually improve their Information Security Management Systems. These organizations currently receive recognition for their work in implementing ISO; however, their use of the Framework is not acknowledged or readily recognizable by other organizations. If a Framework "certification" was established, would companies use and/or trust the "certification"? The very use of and model for the Framework is voluntary, and the Framework isn't set up to be a conformance standard, yet it's well-structured and interchangeable. Many Framework users are already working toward formal assessment of their conformance to ISO/IEC 27001 procedures and controls. If an accredited assessor is already assessing the implementation of those ISO procedures and controls (which align with many of the Framework outcomes), would it be valuable to assess the reasonableness of how the organization has implemented the Framework itself? It might be; that's what we're looking to find out. BSI has released an RFI to determine if such a "certification" would provide value to the community and how organizations could leverage the "certification" to help them make business decisions. The RFI is available at BSI via this link; pro or con, we'd welcome your input at http://pages.bsigroup.com/l/73472/2016-08-11/61k6wf.
  4. Tom.Conkle

    Cybersecurity Framework Workshop 2016

    NIST is hosting the next Cybersecurity Framework Workshop at their main campus in Gaithersburg, MD. The conference is scheduled for April 6 - 7, 2016. The registration page is open. The workshop draft agenda includes a readout on the responses to the December 2015 RFI and working sessions on Roadmap items, Governance of the Framework, Framework Update, and several special topics. Topics are expected to include: ways in which the Framework is being used to improve cybersecurity risk management, how best practices for using the Framework are being shared, the relative value of different parts of the Framework, the possible need for an update of the Framework, and options for long-term governance of the Framework. There is an optional seminar on April 5 that will provide an overview of the Framework's development, basic components, use cases, and resources. The optional seminar will provide a 101-type session to help attendees understand how the Framework was developed and is being used today. I hope to see you there.
  5. Tom.Conkle

    UoC Framework Use Case

    This paper describes how the University of Chicago implemented the Cybersecurity Framework. This use case also describes how the University leveraged the Framework Profiles to measure and track improvements within their cybersecurity program.
  7. Tom.Conkle

    framework that is most demand?

    From my experience, most organizations use Frameworks as they align to their sector. For example, retailers are concerned with PCI whereas individuals in the Energy sector are more interested in CIP and other sector-specific regulations. These regulations tend to drive security frameworks for their organizations. However, this approach tends to lend itself to compliance for the sake of complying with a regulation vice compliance to provide security. The Cybersecurity Framework, when used as a Framework, is becoming more of a translator from good security practices to regulatory requirements. Organizations that use the Cybersecurity Framework to develop a risk-informed cybersecurity program can use the Framework to demonstrate how they are complying with a multitude of regulations without having to implement a separate security program for each.
  8. NIST has announced a new Request for Information (RFI). The RFI is expected to be released today (12/11/2015) to seek information from industry on the ways in which the Framework is being used; how best practices are being shared; the value of the different parts of the Framework; whether or not an update is needed; and the long-term management of the Framework. Responses are due on February 9, 2016. NIST will use the information received from the RFI to develop the agenda for the next Framework workshop planned for April 6 & 7 in Gaithersburg, MD. The RFI is available at: https://www.federalregister.gov/articles/2015/12/11/2015-31217/views-on-the-framework-for-improving-critical-infrastructure-cybersecurity
  9. On October 1, 2015, NIST initiated a two-day workshop on Cyber Supply Chain Risk Management. The workshop provided an opportunity for industry, academia, and government to discuss challenges and best practices in cyber SCRM. The first day featured two panels that initiated the discussion on cyber SCRM and led to breakout sessions that allowed participants to collaborate on the topics. The first panel provided an overview of how cyber supply chain risks are managed within the panelists' organizations: Johnson & Johnson, Northrop Grumman, Verizon, and Intel Corp. Each panelist provided an overview of how cyber SCRM is addressed in their organization and techniques they have implemented to inform executives of cyber supply chain risks. The second panel discussed Organizational Strategies for SCRM. This panel featured panelists from organizations that have robust, but different, approaches for addressing cyber SCRM within their organizations. The panelists from Cisco Systems, John Deere, Johnson & Johnson, and Schweitzer Engineering Laboratories (SEL) described their approaches for communicating cybersecurity concerns within the supply chain to their executives as well as their approach for monitoring their suppliers. Many panelists expressed the requirement to audit suppliers to ensure they are operating with similar cybersecurity protections as they expect for their own organization. Deere specifically addressed a need to protect their brand name by ensuring they understand the value chain of their suppliers. This understanding is developed through continuous auditing of suppliers' production, quality, and cybersecurity capabilities. After the two panels, workshop attendees were provided an opportunity to discuss these topics in breakout sessions. The breakout sessions provided attendees an opportunity to comment on their organization's approach to SCRM, identify additional best practices, and confirm current gaps in SCRM.
The breakout sessions identified several gaps within SCRM. The gaps included a general lack of education and awareness of SCRM risks within organizations, the perception that cyber is an IT risk and not a supply chain risk, and a general lack of participation at the executive and board level of organizations. NIST also identified several SCRM case studies that they completed. The case studies are available at the NIST SCRM site at: http://www.nist.gov/itl/csd/best-practices-in-cyber-supply-chain-risk-management-october-1-2-2015.cfm. The case studies identify the current SCRM practices within ~20 leading companies. They provide organizations an understanding of what others are doing and provide a sample for how SCRM can be implemented within their organization. NIST will also provide a summary of the workshop and additional guidance to industry based on the information obtained during the workshop to further help organizations get started or improve their SCRM processes. What are your thoughts from the workshop?
  10. Tom.Conkle

    RSA Joins CForum as Founding Member

    RSA Joins CForum as Founding Member Industry-led Organization Advances the Cybersecurity Framework through Collaboration RSA Conference USA 2015 April 15, 2015 01:15 PM Eastern Daylight Time ANNAPOLIS JUNCTION, Md.--(BUSINESS WIRE)--CForum, an industry-led forum focused on the evolution and use of the Cybersecurity Framework, announced that RSA, The Security Division of EMC (NYSE:EMC), has joined CForum as a founding member. CForum is a not-for-profit organization providing an open environment to share cybersecurity best practices and related topics important to anyone responsible for cybersecurity in their organization. CForum expands on the information sharing that occurred during the development of the Cybersecurity Framework, released by the National Institute of Standards and Technology (NIST), as requested in President Obama's Executive Order 13636 on cybersecurity. Released on February 12, 2014, the Cybersecurity Framework was developed through industry and government collaboration, initiating a year-long open dialogue that is continued through CForum. The goal of CForum is to promote information sharing among organizations using or planning to improve their cybersecurity program. Discussions within CForum use the Cybersecurity Framework as the common language for describing components within a cybersecurity program. "CForum was established to foster continued cybersecurity collaboration, creating an environment for organizations to discuss how to best use the Cybersecurity Framework," said Paul Green, founder of CForum.
“RSA’s participation as a founding member underscores the role CForum will have on advancing the cybersecurity framework and we are proud to have such a well-respected industry leader join our growing community of cybersecurity contributors.” “The Framework is a great start for any organization seeking to develop or accelerate an effective cyber defense and resilience capability,” said Mike Brown, Rear Admiral, USN (Ret) and vice president and general manager of RSA’s Global Public Sector practice. “CForum provides an environment that brings together an insightful community of participants, focused on answering questions, sharing best practices and offering new ideas related to the framework. We look forward to playing a role in expanding the CForum ecosystem, while positively impacting the future of cybersecurity.” During the 2015 State of the Union address, President Obama said “If we do [act on cybersecurity], we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.” CForum is one way in which organizations and individuals can collaborate and share information on cyberthreats, cyberattacks, and how to best prepare an organization to defend against them. CForum to Present at RSA Conference 2015 in San Francisco On April 23, Greg Witte and Tom Conkle will be presenting an overview session on CForum. For more on the session, “CForum: A Community-Driven Solution to Cybersecurity Challenges,” visit the RSA Conference 2015 site.
  11. NIST and Stanford hosted an Executive Technical Workshop on Improving Cybersecurity and Consumer Privacy on February 12, 2015. The workshop was conducted in coordination with the President's Cybersecurity Summit held at Stanford University on February 13, 2015 (today). Per NIST's website, "This workshop will convene a community of business leaders to discuss ways to realize cybersecurity best practices in real-world conditions. The workshop hosts hope these discussions will prioritize the community's efforts to develop strong cybersecurity and privacy programs, and inform projects undertaken at NIST, Stanford, and the National Cybersecurity Center of Excellence that will accelerate the deployment and use of secure, standards-based technologies in consumer-facing sectors." This workshop was not the "7th workshop", as I understand it. It's my understanding NIST is still providing 'run time' for the Cybersecurity Framework before scheduling the next Framework workshop. During the 6th workshop it was made clear that industry wanted more time to use the Framework. A 7th workshop likely won't be planned until enough community feedback is received to warrant one, but that's only my opinion. While no workshop is planned at the moment, organizations and NIST are still working to share information regarding the Framework. Two examples: Recently, Intel released their use case explaining how they used the Framework and providing others with examples for how the Framework can be used in their organization. It offers a good perspective on how a large company was able to benefit from the Framework. The Use Case is available at: https://blogs.mcafee.com/executive-perspectives/tried-nist-framework-works-2 Also, in conjunction with the anniversary of the Framework, NIST posted a Frequently Asked Questions (FAQ) list on their website. The FAQs are another source of information for organizations, ranging from understanding the Framework basics to using the Framework.
The FAQ is located at: http://www.nist.gov/cyberframework/cybersecurity-framework-faqs.cfm
  12. NIST announced the 6th cybersecurity Framework Workshop. The official announcement is located here. It is scheduled for Oct 29 - 30 in Tampa, FL. This workshop will "gather input to help NIST understand stakeholder awareness of, and initial experiences with, the framework and related activities to support its use." NIST is also preparing to issue an RFI soliciting feedback in these areas. The RFI responses will inform the workshop. What information do you hope to hear about at the workshop? Are there any specific tracks you would like to see hosted at the workshop?
  13. Tom.Conkle

    List of Existing Mappings and Add-Ons?

    Appendix A of the Energy Sector Cybersecurity Framework Implementation Guidance contains the mapping from C2M2 to the Cybersecurity Framework. The document is located here. There are several articles referencing additional mappings. The recent UTC Journal, 4th Quarter 2014 edition, contains an article, "NIST Cybersecurity Framework Grows Up" by Nadya Bartol, that references mappings from the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Version 3 and Version 5 to the Cybersecurity Framework. The HITRUST Alliance stated they completed a mapping between the Common Security Framework (CSF) and HIPAA to the Cybersecurity Framework per Dr. Cline; see "CSF Support for HIPAA and NIST Implementation and Compliance." I've also seen articles referencing SOC II and PCI mappings to the Framework, but I haven't been able to locate the actual mappings. I agree this would be a great thread to include and track mappings as they are made available to the public and/or a reference list of the POCs that maintain the mappings if the mappings are controlled.
  14. On Dec 5, 2014, NIST released an "Update on the Cybersecurity Framework". The full update is available at http://www.nist.gov/cyberframework/upload/nist-cybersecurity-framework-update-120514.pdf. The update provides a high-level summary of comments received through the Request For Information (RFI) released on Aug 26, 2014 and during the Tampa, FL workshop held Oct 29 & 30, 2014. The eight-page update summarizes responses received on topics such as: how general awareness of the Framework is being shared and received; initial experiences organizations have in using the Framework; current thoughts on Framework updates; the use of the Framework in small/medium-sized businesses; regulation and regulatory concerns; guidance for using the Framework; and international aspects, impacts, and alignment of the Framework. The update also provided a summary of activities identified in the Framework Roadmap that NIST released in conjunction with the Framework. The update provides status on specific Roadmap areas including: Authentication; Automated Indicator Sharing; Supply Chain and Conformity Assessment; Cybersecurity Workforce; Standards Supporting the Framework; and Privacy Methodologies. Finally, the update provides an overview of next steps NIST is considering to help address comments received during the workshop and RFI process. The first key next step is for NIST to continue increasing efforts to raise awareness of the Framework. Another NIST priority identified in the update was to develop and disseminate information and training materials to help organizations advance their use of the Framework. In addition to the training material, NIST will explore options for providing publicly-available Framework reference material. NIST also identified a goal of developing material on aligning the Framework to business processes.
  15. The Framework [1] defines Profiles as the representation of the outcomes, based on business needs, that an organization has selected from the Framework Categories and Subcategories. The informative references were provided in the Framework Core as a means of assisting organizations implementing the Framework in understanding 'how' the outcomes within the Core could be achieved. Organizations are not required, by the Framework, to implement the five informative reference sources to demonstrate alignment to the Core. However, organizations that have implemented one or more of the five proven practices listed in the Core (e.g., COBIT, ISO) can demonstrate alignment to the Core simply by mapping the policies/practices currently in place as a result of implementing the proven practice back to the Core. [1] The National Institute of Standards and Technology (NIST), "Framework for Improving Critical Infrastructure Cybersecurity version 1.0", February 12, 2014, available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
  16. ADM Brown and I were able to address a lot of questions submitted by attendees; however, we couldn't get to all of them. I will post some of the questions we weren't able to address during the webinar on this thread as well as some of the questions that were addressed. Feel free to provide additional comments and your thoughts on the questions and their responses. The true value of this forum is through this open dialogue.
When creating a current Profile, do you assess at the subcategory level, by aligning to each informative resource?
What type of organizations will be required to adopt the framework?
What hope is there for small and mid-size businesses that may work in critical areas but lack the resources for a full-time IT staff?
What value proposition can I make to my board, investors or employees to free up resources and change processes/culture?
  17. Thank you to everyone that was able to attend the session. A recording of the webinar is located at https://www.emc.com/events/rsa/08-21-14-CyberSec_Framework.htm.
  18. NIST released the Cybersecurity Framework RFI today. It is titled "Experience With the Framework for Improving Critical Infrastructure Cybersecurity" and posted here on the Federal Register. The comment period is 45 days and ends on October 10, 2014. NIST will make the responses publicly available on their site. As responses are posted, feel free to bring the discussion regarding the responses here to CForum.
  19. Tom.Conkle

    Are the tiers a maturity model?

    I agree. The Tiers are indicators that describe the maturity of an organization; however, I also agree that more specific metrics are required to create a maturity model. Because the Framework does not provide specific, measurable activities that can be used to determine where an organization falls in a maturity model, I don't see the Tiers as a maturity model. I do agree they can be seen as a precursor to defining a maturity model, but I'm not sure a maturity model can be created that is appropriate for all 16 CI sectors. It may be more likely that specific sectors would create a maturity model that is implemented within their sector. We are already seeing indications of this with programs like the ES-C2M2 (Electricity Subsector Cybersecurity Capability Maturity Model).
  20. Tom.Conkle

    Profile Design

    There has been a lot of discussion regarding the Cybersecurity Framework Profiles: what they mean and how they should be represented. The Framework [1] document itself defines Profiles as the mechanism for representing the outcomes of the selected Framework Core Categories/Subcategories. Therefore, organizations can use the Framework Core as a template for either recording their current cybersecurity state (e.g., a Current-State Profile) or defining their intended cybersecurity posture (e.g., a Target-State Profile). But how? While there are many thoughts on how a Framework Profile can be recorded, one of the prevailing thoughts is a simple matrix. The matrix should start from the Framework Core, capturing Functions as well as the Categories and Subcategories selected by the organization. To create a current-state profile, the matrix is extended to include additional columns of information such as:
The organization's current policy as it relates to the applicable Category/Subcategory;
Technologies used to implement the policy;
Assignees for implementing and managing the capability.
The level of detail captured for each of these data points depends on the 'type' of profile being developed. For larger organizations using the Framework to provide enterprise-level guidance, the 'outcomes' captured in the profile would be high-level, making them applicable to the entire organization. Each sub-organization within the enterprise can then, in turn, use the enterprise profile to develop a profile for their organization that demonstrates how they are meeting the enterprise goals. For example, PR.DS-1 (Protect.Data Security-1) at an enterprise level could state that all customer data will be encrypted at rest. The sales organization would use the guidance provided in the enterprise profile to identify the locations within their organization where customer data is stored.
The sales team would then update their profile for PR.DS-1 to state that the customer data stored in the Contacts Database is encrypted at rest using AES encryption. This gives enterprises the ability to create a profile with the data required to define their cybersecurity program, which can flow through all the sub-organizations. How is your organization developing profiles? [1] Framework for Improving Critical Infrastructure Cybersecurity, version 1.0, Feb 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
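The profile matrix described in the post above, as an added example that is not part of the original post or of any NIST material: an enterprise profile is built on a handful of Core subcategories, a sales profile is derived from it (every enterprise outcome inherited and flagged until the sub-organization refines it), and a current-state profile is compared against the target to list the gap. The three Core rows are quoted from Framework v1.0 from memory and should be checked against the published Core; the organization names, policy statements, the `inherited` flag and the column set beyond the three the post names are assumptions made for illustration.

```python
"""Illustrative Cybersecurity Framework Profile matrix (added example, not NIST's)."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple

# Constructed subset of the Framework Core. Identifiers and outcome text are
# quoted from Framework v1.0 from memory (assumption: verify against NIST's Core).
CORE = {
    "ID.AM-1": ("Identify", "Asset Management",
                "Physical devices and systems within the organization are inventoried"),
    "PR.AC-1": ("Protect", "Access Control",
                "Identities and credentials are managed for authorized devices and users"),
    "PR.DS-1": ("Protect", "Data Security", "Data-at-rest is protected"),
}


@dataclass
class ProfileRow:
    subcategory: str          # Core identifier, e.g. "PR.DS-1"
    policy: str = ""          # how this organization states the outcome
    technology: str = ""      # what implements it
    assignee: str = ""        # who owns implementing and managing it
    inherited: bool = False   # True while copied unchanged from a parent profile


@dataclass
class Profile:
    name: str
    rows: Dict[str, ProfileRow] = field(default_factory=dict)

    def add(self, subcategory: str, policy: str, technology: str = "", assignee: str = "") -> "Profile":
        """Select a Core subcategory and record the organization's statement for it."""
        if subcategory not in CORE:
            raise KeyError(f"{subcategory} is not a Core subcategory")
        self.rows[subcategory] = ProfileRow(subcategory, policy, technology, assignee)
        return self

    def derive(self, name: str) -> "Profile":
        """Start a sub-organization profile: every enterprise outcome is carried over
        and flagged, so what has not yet been localized is visible."""
        child = Profile(name)
        for sid, row in self.rows.items():
            child.rows[sid] = replace(row, inherited=True)
        return child

    def refine(self, subcategory: str, policy: str, technology: str = "", assignee: str = "") -> "Profile":
        """Replace an inherited enterprise statement with the sub-organization's concrete one."""
        if subcategory not in self.rows:
            raise KeyError(f"{subcategory} was not selected in the parent profile")
        self.rows[subcategory] = ProfileRow(subcategory, policy, technology, assignee, inherited=False)
        return self

    def unrefined(self) -> List[str]:
        """Subcategories still carrying the enterprise wording verbatim."""
        return sorted(s for s, r in self.rows.items() if r.inherited)


def matrix(profile: Profile) -> List[Tuple[str, ...]]:
    """Flatten to (Function, Category, Subcategory, Core outcome, Policy, Technology, Assignee)."""
    return [CORE[s][:3] and (CORE[s][0], CORE[s][1], s, CORE[s][2], r.policy, r.technology, r.assignee)
            for s, r in sorted(profile.rows.items())]


def gap(current: Profile, target: Profile) -> List[str]:
    """Target subcategories the current profile does not address or states differently."""
    return sorted(s for s, t in target.rows.items()
                  if s not in current.rows or current.rows[s].policy != t.policy)


def build_example() -> Tuple[Profile, Profile, Profile]:
    """Constructed enterprise, sales target and sales current profiles (hypothetical data)."""
    enterprise = (Profile("Enterprise")
                  .add("ID.AM-1", "All physical devices and systems are inventoried", "CMDB", "IT Ops")
                  .add("PR.AC-1", "All user and device identities are centrally managed", "Directory", "IAM")
                  .add("PR.DS-1", "All customer data will be encrypted at rest", "", "CISO"))
    sales_target = enterprise.derive("Sales (target)").refine(
        "PR.DS-1", "Customer data in the Contacts Database is encrypted at rest using AES",
        "AES-256 database encryption", "Sales IT lead")
    sales_current = (Profile("Sales (current)")
                     .add("ID.AM-1", "Servers are inventoried in a spreadsheet", "Spreadsheet", "Sales IT lead")
                     .add("PR.DS-1", "Customer data in the Contacts Database is encrypted at rest using AES",
                          "AES-256 database encryption", "Sales IT lead"))
    return enterprise, sales_target, sales_current


if __name__ == "__main__":
    ent, target, current = build_example()
    for row in matrix(target):
        print(" | ".join(row))
    print("still inherited from enterprise:", target.unrefined())
    print("gap between current and target:", gap(current, target))
```

Run as a script it prints the sales target matrix, the two subcategories the sales team has not yet localized (ID.AM-1 and PR.AC-1), and the gap between the sales current-state and target-state profiles. The `inherited` flag is the useful addition over a plain spreadsheet: it separates "we adopted the enterprise wording" from "we have not looked at this row yet", which otherwise look identical in a matrix.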
  21. On June 20, 2014, The Energy Department released a public notice for stakeholder participation in the development of the "Energy Sector Framework Implementation Guidance." The DOE is inviting participation in bi-weekly conference calls being held jointly by the Electricity Subsector Coordinating Council (ESCC) and the Oil & Natural Gas (ONG) Subsector Coordinating Council (SCC). The bi-weekly calls provide opportunities for participants to comment on the Draft Framework Implementation Guidance document. Requests for participation and additional information can be directed to Cyber.Framework@hq.doe.gov. The full notice is located at https://www.federalregister.gov/articles/2014/06/20/2014-14453/energy-sector-framework-implementation-guidance. Tom Conkle