NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Protecting the Nation's Critical Assets When Cyber Hygiene Is Not Enough
Pushing computers to the edge.
242
Kinetic space. Cyberspace.
Cyber Risk. Function(threat, vulnerability, impact, likelihood)
Defense
Energy
Transportation
Manufacturing
The adversaries are relentless.
Cyber adversaries…
Nation states. Terrorist groups.
Criminal enterprises. Disgruntled individuals.
Hostile actions…
Exfiltrate information. Preposition malicious code.
Disrupt or bring down capability. Create deception.
Complexity.
Attack surface.
§ Resilient Military Systems and the Advanced Cyber Threat
§ Cyber Supply Chain
§ Cyber Deterrence
Defense Science Board Reports
Protecting critical systems and assets and making them cyber resilient — the highest priority for the national and economic security interests of the United States.
Defending cyberspace in 2020 and beyond.
Cyber Resiliency.
The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.
§ Identify and develop shared services (enterprise-wide).
§ Transition to cloud services and solutions (public/private).
§ Isolate and strengthen protection for high value assets.
§ Reduce and manage the complexity.
§ Engineer trustworthy, secure, and resilient solutions.
§ Transition to a multidimensional protection strategy.
Modernization Strategy for Achieving Cyber Resiliency
Achieving cyber resiliency requires a multidimensional protection strategy.
System
First Dimension: Harden the target
Second Dimension: Limit damage to the target
Third Dimension: Make the target cyber resilient
NEXT GENERATION STANDARDS AND GUIDELINES
CYBER RESILIENCY ENGINEERING
PROTECTION. DAMAGE LIMITATION. RESILIENCY.
§ Risk Management Framework
§ Systems Security Engineering
§ Enhanced Protection of CUI
§ Security and Privacy Controls
NIST Special Publication 800-171, Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Initial Public Draft
Public Comment Period: June 19 through July 19, 2019
NIST Special Publication 800-171B: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Enhanced Security Requirements for Critical Programs and High Value Assets
Initial Public Draft
Public Comment Period: June 19 through July 19, 2019
Risk Management Framework (RMF 2.0)
PREPARE
CATEGORIZE
SELECT
IMPLEMENT
ASSESS
AUTHORIZE
MONITOR
Cyber Resiliency Controls from NIST SP 800-53
A unified framework for managing security, privacy, and supply chain risks.
RMF 2.0
Security Risk Management
Privacy Risk Management
Supply Chain Risk Management
Communication between C-Suite and Implementers and Operators
Alignment with NIST Cybersecurity Framework
Alignment with Security Engineering Processes
NIST Special Publication 800-160, Volume 2: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems
Cyber Resiliency Engineering Framework
Why: GOALS • Anticipate • Withstand • Recover • Adapt
What: OBJECTIVES • Understand • Prevent/Avoid • Prepare • Continue • Constrain • Reconstitute • Transform • Re-architect
How: TECHNIQUES • APPROACHES • STRUCTURAL DESIGN PRINCIPLES
RISK MANAGEMENT STRATEGY and STRATEGIC DESIGN PRINCIPLES inform selection and prioritization at each level, from goals and objectives down to techniques, approaches, and structural design principles.
§ Business or mission analysis
§ Stakeholder needs and requirements definition
§ System requirements definition
§ Architecture definition
§ Design definition
§ System analysis
§ Implementation
§ Integration
§ Verification
§ Transition
§ Validation
§ Operation
§ Maintenance
§ Disposal
ISO/IEC/IEEE 15288:2015 Systems and software engineering — System life cycle processes
NIST SP 800-160
Cyber Resiliency Constructs in System Life Cycle.
NIST Special Publication 800-53, Revision 5: Security and Privacy Controls for Information Systems and Organizations
Coming Soon
Some final thoughts.
Simplify. Innovate. Automate.
Security. Privacy. Freedom.
Contact Information: FISMA IMPLEMENTATION PROJECT
100 Bureau Drive, Mailstop 8930, Gaithersburg, MD USA 20899-8930
Email: [email protected]
Mobile: 301.651.5083
LinkedIn: www.linkedin.com/in/ronross-cybersecurity
Twitter: @ronrossecure
Web: csrc.nist.gov
Comments: [email protected]
SIMPLIFY. INNOVATE. AUTOMATE.