NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Protec'ngtheNa'on’sCri'calAssetsWhenCyberHygieneIsNotEnough

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Pushingcomputerstotheedge.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

242

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Kine'cspace.Cyberspace.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

CyberRisk.Func%on(threat,vulnerability,impact,likelihood)

Defense

Energy

Transporta%on

Manufacturing

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Theadversariesarerelentless.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Cyberadversaries…

Na'onstates.Terroristgroups.

Criminalenterprises.Disgruntledindividuals.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Hos'leac'ons…

Exfiltrateinforma'on.Preposi'onmaliciouscode.

Disruptorbringdowncapability.Createdecep'on.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Complexity.

AMacksurface.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

§  Resilient Military Systems and the Advanced Cyber Threat

§  Cyber Supply Chain

§  Cyber Deterrence

Defense Science Board Reports

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Protec'ngcri'calsystemsandassetsandmakingthemcyberresilient—Thehighestpriorityforthena8onalandeconomicsecurityinterestsoftheUnitedStates.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Defendingcyberspacein2020andbeyond.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13

CyberResiliency.

Theabilitytoan'cipate,withstand,recoverfrom,andadapttoadversecondi'ons,

stresses,aMacks,orcompromisesonsystemsthatuseorareenabledbycyberresources.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14

§  Iden'fyanddevelopsharedservices(enterprise-wide).§  Transi'ontocloudservicesandsolu'ons(public/private).

§  Isolateandstrengthenprotec'onforhighvalueassets.

§  Reduceandmanagethecomplexity.

§  Engineertrustworthy,secure,andresilientsolu'ons.

§  Transi'ontoamul'dimensionalprotec'onstrategy.

Moderniza%onStrategyforAchievingCyberResiliency

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Achievingcyberresiliencyrequiresamul'dimensionalprotec'onstrategy.

SystemHardenthe

target

FirstDimension

Limitdamagetothetarget

SecondDimension

MakethetargetcyberresilientThirdDimension

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16

NEXTGENERATIONSTANDARDSANDGUIDELINES

CYBERRESILIENCYENGINEERING

PROTECTION.DAMAGELIMITATION.RESILIENCY.

§  RiskManagementFramework§  SystemsSecurityEngineering§  EnhancedProtec'onofCUI§  SecurityandPrivacyControls

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17

NISTSpecialPublica'on800-171,Revision2Protec7ngControlledUnclassifiedInforma7oninNonfederalSystems

andOrganiza7ons

Ini%alPublicDraIPublicCommentPeriod

June19throughJuly19,2019

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18

NISTSpecialPublica'on800-171BProtec7ngControlledUnclassifiedInforma7oninNonfederalSystems

andOrganiza7onsEnhancedSecurityRequirementsforCri7calProgramsandHighValueAssets

Ini%alPublicDraI

PublicCommentPeriod

June19throughJuly19,2019

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19

RiskManagementFramework(RMF2.0)

CATEGORIZE

ASSESS

AUTHORIZE

MONITOR

PREPARE

IMPLEMENT

SELECT

CyberResiliencyControlsfromNISTSP800-53

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Aunifiedframeworkformanagingsecurity,privacy,andsupplychainrisks.

RMF2.0

SecurityRiskManagement

PrivacyRiskManagement

SupplyChainRiskManagement

Communica%onbetweenC-SuiteandImplementersandOperators

AlignmentwithNISTCybersecurityFramework

AlignmentwithSecurityEngineeringProcesses

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21

NISTSpecialPublica'on800-160,Volume2CyberResiliencyConsidera7onsfortheEngineering

ofTrustworthySecureSystems

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22

CyberResiliencyEngineeringFramework

TECHNIQUES APPROACHES STRUCTURALDESIGN

PRINCIPLES

STRATEGICDESIGNPRINCIPLES

Why

OBJECTIVES •  Understand •  Prevent/Avoid •  Prepare •  Con'nue •  Constrain •  Recons'tute •  Transform •  Re-architect

What

GOALS •  An'cipate • Withstand •  Recover •  Adapt

RISKMANAGEMENT

STRATEGY

How

Informselec%onandpriori%za%on

Informselec%onandpriori%za%on

Informselec%onandpriori%za%on Informselec%onandpriori%za%on

Informselec%onandpriori%za%on

Informselec%on

priori%za%on

Informselec%on

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23

§  Business or mission analysis §  Stakeholder needs and requirements definition §  System requirements definition §  Architecture definition §  Design definition §  System analysis §  Implementation §  Integration

§  Verification §  Transition

§  Validation §  Operation

§  Maintenance §  Disposal

ISO/IEC/IEEE15288:2015SystemsandsoSwareengineering—Systemlifecycleprocesses

NISTSP800-160

CyberResiliencyConstructsinSystemLifeCycle.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24

NISTSpecialPublica'on800-53,Revision5SecurityandPrivacyControlsfor

Informa7onSystemsandOrganiza7ons

ComingSoon

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25

Somefinalthoughts.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26

Simplify.Innovate.Automate.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27

Security.Privacy.Freedom.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28

100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930

Email Mobile ron.ross@nist.gov 301.651.5083

LinkedIn Twi_er www.linkedin.com/in/ronross-cybersecurity @ronrossecure

Web Comments csrc.nist.gov sec-cert@nist.gov

ContactInforma'onFISMAIMPLEMENTATIONPROJECT

SIMPLIFY.INNOVATE.AUTOMATE.