Jump to content


  • Content Count

  • Joined

  • Last visited

About mattsmith

  • Rank

Profile Information

  • Gender
    Not Telling
  1. mattsmith

    Feedback from C-Suites?

    What about the CIO? I think it would make most sense for the CIO to be the belly button.
  2. mattsmith

    MQTT and the Framework

    Today MQTT released a document which provides guidance for organizations wishing to deploy MQTT in a way consistent with the NIST Framework for Improving Critical Infrastructure cybersecurity. The document aligns MQTT and the Framework through both a Profile and high level target goals in the language of the Framework. http://docs.oasis-open.org/mqtt/mqtt-nist-cybersecurity/v1.0/cn01/mqtt-nist-cybersecurity-v1.0-cn01.html Do you think the document addresses the critical parts of the Framework in enough depth to be implementable?
  3. mattsmith

    Welcome to CForum

    Welcome to CForum, the information hub for the cybersecurity framework! As you may be aware, the framework was set into motion by Executive Order 13636 in February 2013. This order directed the Department of Commerce to direct the National Institute of Standards and Technology (NIST) to convene industry and come up with a common framework for identifying, assessing, and managing cybersecurity risk. Through a consultative process with critical infrastructure, industry, and government partners, NIST utilized a Request for Information, 5 national workshops, and a final Request for Comments to build the framework. A key component of that process was the dialogue that happened at the workshops between industry members and the government. This dialogue was critical to the success of the NIST process and the subsequent framework. Now that the framework has been published, the dialogue needs to move toward framework alignment and best practices. This type of discussion is ongoing and dynamic and needs to be focused in one place; therefore, a different method of communication is needed. These forums serve as that central location and include topics such as: Framework 101; sector based adoption; next steps for the Framework; and many more topics being defined by the community. These forums include topics from a 101 section, a sector adoption section, and a board to discuss the next steps of the framework. CForum is the foundation upon which industry can build a better cybersecurity risk management platform. To build that platform, there are many topics surrounding the framework that need to be addressed by the community. To that end, please engage with your industry partners in meaningful dialogue around the implementation of the framework at your organizations. Only by gathering lessons learned and best practices can we truly raise the cybersecurity bar. CForum represents an opportunity for each organization to make its voice heard and to contribute to the evolution of the framework. We look forward to continuing the discussion! CForum Team
  4. Whether a well-established company or one just getting started with cybersecurity risk management programs, those in the industry often can use a little help navigating the cumbersome and technical systems. This snapshot features pointers to clarify existing guidance and help organizations manage cybersecurity risk. The National Institute of Standards and Technology (NIST) was chartered to lead the creation of a “prioritized, flexible, repeatable, performance-based and cost-effective” Cybersecurity Framework. To accomplish this goal, NIST convened a series of industry-led workshops across the country and posted a request for information and a subsequent request for comments. From the data received, NIST published iterative versions of the framework before releasing the final publication [PDF] on Feb. 12. Under Executive Order 13636 [PDF] “Improving Critical Infrastructure Cybersecurity,” NIST outlines the framework, which is made up of these three components: Framework Core, Framework Implementation Tiers and Framework Profiles. The Framework Core is a set of high-level cybersecurity activities (functions) coupled with categories and subcategories of security outcomes and examples of informative references to achieve them. Tiers provide an organization the ability to make a statement regarding its overall approach to cybersecurity risk management. Profiles provide a method to communicate, to internal and external stakeholders, either a current cybersecurity state or a desired (target) posture . While all of these components work independently, some might wonder how they fit together. The framework offers a few suggestions in Section 3: How to Use. This section describes four primary framework uses, from performing a basic review of cybersecurity practices to establishing or improving a cybersecurity program, communicating cybersecurity requirements with stakeholders and identifying opportunities for new or revised informative references. Little guidance exists, however, on how to fit the components into an organization’s cybersecurity risk management process. So here are some suggestions on how to determine where your organization might utilize the framework to lower your cybersecurity risk. The steps outlined in Section 3 provide a high-level overview of a risk management approach tailored for cybersecurity using components of the framework. By translating cybersecurity activities to risk, an organization can manage the cybersecurity threat in terms commensurate with brand risk and financial risk. The steps also support a continuous monitoring program. Profiles could be used to communicate the state of a cybersecurity program. In the acquisition phase of production, a profile could be used to set high-level cybersecurity requirements for the supplier. While not a stand-alone service level agreement, a profile could be used to identify cybersecurity concerns quickly and drive action plans for remediation. The use case is just one of many that could be modeled by the use of profiles. While the framework is a living document, organizations will need to respond in real-time to a changing threat environment. To accommodate the adaptive nature of cybersecurity, the framework was built with the flexibility to add new categories and subcategories as new requirements arise. The framework is just that—a framework; the individual components are extendable. If a new threat emerges requiring a new technique, just plug the new category/subcategory into the framework and continue managing the risk. The current version of the framework provides many good concepts to work with. The steps to creating your cybersecurity program are based on the risks companies face, the mission served and the resources available. The framework gives users a toolbox; it is the next challenge to build and/or improve a cybersecurity program that meets needs and improves the nation’s cybersecurity posture. This process can be used by organizations just getting started with cybersecurity to begin their knowledge acquisition of cybersecurity activities. On the other end of the spectrum, large organizations can utilize this process to see where their activities and the framework’s activities overlap. An organization may be aligned with the framework by its current cybersecurity activities.