Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the...


Transcript of Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the...

Page 1: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

Homeland Security
Office of Cybersecurity and Communications

CYBER RESILIENCE REVIEW: CAPABILITY MATURITY EVALUATION METHOD FOR CRITICAL INFRASTRUCTURE

Sean McCloskey, October 2014
Program Manager, Cybersecurity Evaluation Program
Office of Cybersecurity and Communications (CS&C)
U.S. Department of Homeland Security (DHS)

Page 2: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


Overview

What is the Cyber Resilience Review (CRR)?

• A voluntary assessment
• A method that examines cybersecurity practices in critical infrastructure organizations
• Evaluates the operational resilience of a specific critical service
• Measures the execution of key practices and the institutionalization of processes
• Provides participants with a detailed report containing options for consideration
• Utilizes the goals and practices found in the CERT Resilience Management Model (CERT-RMM)
• Available in two versions:
  - A self-assessment kit
  - A facilitated workshop conducted in one day (typically 6–8 hours)

[Data gathered on-site is protected under the DHS PCII Program]

Page 3: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


Cyber Resilience Value Proposition: What’s in It for Me?

Resilience management provides support to simplify the management of complex cybersecurity challenges.

Efficiency: not too much and not too little; resilience equilibrium
• balancing risk and cost
• getting the most bang for your buck
• achieving compliance as a by-product of resilience management

Roadmap: what to do to manage cybersecurity; flexibility and scalability
• using an overarching approach - which standard is best
• deciding what versus how to manage cybersecurity risk

Cybersecurity ecosystem: addressing the interconnectedness challenge
• managing dependencies
• addressing both internal and external organizational challenges and silos

Page 4: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


CRR Data Analysis: Selected Highlights

Summary Findings (115 organizations, 43 states, 12 sectors)

Asset Management: More than 70% of organizations identify critical services; however, less than 50% of organizations assessed have identified the assets that support critical services.

Vulnerability Management: More than 55% of organizations have not developed a strategy to guide their vulnerability management efforts.

Incident Management: 65% of organizations lack a process to escalate and resolve incidents.

External Dependencies Management: More than 80% of the organizations assessed identify external dependencies that are vital to the delivery of critical services.

Risk Management: 70% of organizations do not have a documented risk management plan.

Situational Awareness: 86% of organizations do not have a plan for performing situational awareness activities.

Page 5: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


Cyber Resilience Review and the Framework

Relationship between DHS’ Cyber Resilience Review and the NIST Cybersecurity Framework [CRR to NIST CSF crosswalk available]

[Diagram, reconstructed as a list of the CRR activity areas shown]
- Identify Services: identify and prioritize services
- Create Asset Inventory: identify assets, align assets to services, and inventory assets
- Protect & Sustain Assets: establish risk management, resilience requirements, control objectives, and controls
- Disruption Management: establish continuity requirements for assets and develop service continuity plans
- Cyber Exercise: define objectives for cyber exercise, perform exercises, and evaluate results
- Process Management and Improvement

Page 6: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


What Is Cyber Resilience?

“… the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents…”

- Presidential Policy Directive – PPD 21, February 12, 2013

[Diagram labels:] Protect (Security) | Sustain (Continuity) | Perform (Capability) | Repeat (Maturity)

Page 7: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


Operational Resilience Defined

Resilience: The physical property of a material when it can return to its original shape or position after deformation that does not exceed its elastic limit [wordnet.princeton.edu]

Operational resilience: The emergent property of an organization that can continue to carry out its mission after disruption that does not exceed its operational limit [CERT-RMM]

Where does the disruption come from? Realized risk.

Page 8: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


Establishing a Critical Service Focus

[Diagram: the Organization Mission is delivered through several Services, each with its own Service Mission; each service is supported by four asset types: people, information, technology, facilities]

Page 9: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


Ten Domains of Cybersecurity Capability

CRR Domains

AM   Asset Management
CCM  Configuration and Change Management
RM   Risk Management
CTRL Controls Management
VM   Vulnerability Management
IM   Incident Management
SCM  Service Continuity Management
EXD  External Dependencies Management
TA   Training and Awareness
SA   Situational Awareness

The ten domains in CRR v2 represent important areas that contribute to the cyber resilience of an organization. The domains focus on practices an organization should have in place to assure the protection and sustainment of its critical service.

Page 10: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


Cyber Resilience Review by the Numbers

Page 11: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


CRR Domain Architecture

[Diagram, reconstructed as an outline]

Domain (focused activity)
  - Domain Goals (required): what to do to achieve the capability
  - Domain Questions (expected): how to accomplish the goal

Institutionalization Elements
  - MIL Goals
  - MIL Questions

Page 12: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


Process Institutionalization in the CRR

Maturity indicator levels (MIL) are used in CRR v2 to measure process institutionalization:

Level 0 - Incomplete
Level 1 - Performed
Level 2 - Planned
Level 3 - Managed
Level 4 - Measured
Level 5 - Defined

Institutionalization progresses from practices being incomplete, to practices being performed, to processes being acculturated, defined, measured, and governed.

Higher degrees of institutionalization translate to more stable processes that
• produce consistent results over time
• are retained during times of stress
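As an added illustration of the domain architecture (domain goals and questions, MIL goals and questions) and the MIL scale above, here is a small scoring model written for this page; it is not code from the slides or from the CRR toolset. The cumulative scoring rule in `Domain.mil` and the sample answers are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# The ten CRR v2 domains listed on the slide (abbreviation -> name).
CRR_DOMAINS: Dict[str, str] = {
    "AM": "Asset Management", "CCM": "Configuration and Change Management",
    "RM": "Risk Management", "CTRL": "Controls Management",
    "VM": "Vulnerability Management", "IM": "Incident Management",
    "SCM": "Service Continuity Management", "EXD": "External Dependencies Management",
    "TA": "Training and Awareness", "SA": "Situational Awareness",
}
# MIL scale from the slide: the list index is the level number.
MIL_NAMES = ["Incomplete", "Performed", "Planned", "Managed", "Measured", "Defined"]


@dataclass
class Goal:
    """A domain goal or MIL goal with its yes/no questions (question id -> answered Yes)."""
    name: str
    questions: Dict[str, bool]

    def satisfied(self) -> bool:
        return bool(self.questions) and all(self.questions.values())


@dataclass
class Domain:
    code: str
    domain_goals: List[Goal]                                   # practice content, scored at MIL-1
    mil_goals: Dict[int, Goal] = field(default_factory=dict)   # institutionalization, MIL 2..5

    def mil(self) -> int:
        """Cumulative rule ASSUMED here, not quoted from the slides: MIL-1 needs every
        domain-goal question answered Yes; each higher level needs its own MIL questions
        plus every lower level, so the first unmet level caps the result just below it."""
        if not all(g.satisfied() for g in self.domain_goals):
            return 0
        level = 1
        for lvl in range(2, 6):
            goal = self.mil_goals.get(lvl)
            if goal is None or not goal.satisfied():
                break
            level = lvl
        return level


def score_all(domains: List[Domain]) -> Dict[str, str]:
    """Map each domain code to a 'MIL-n Name' string for the report."""
    return {d.code: f"MIL-{d.mil()} {MIL_NAMES[d.mil()]}" for d in domains}


# Constructed sample answers (not real CRR data): VM has all practices in place and
# MIL-2 met but one MIL-3 question answered No; IM has an unmet practice question.
vm = Domain("VM",
            domain_goals=[Goal("G1", {"VM:G1.Q1": True, "VM:G1.Q2": True}),
                          Goal("G2", {"VM:G2.Q1": True})],
            mil_goals={2: Goal("MIL2", {"VM:MIL2.Q1": True, "VM:MIL2.Q2": True}),
                       3: Goal("MIL3", {"VM:MIL3.Q1": False})})
im = Domain("IM", domain_goals=[Goal("G1", {"IM:G1.Q1": True, "IM:G1.Q2": False})])

if __name__ == "__main__":
    print(score_all([vm, im]))  # {'VM': 'MIL-2 Planned', 'IM': 'MIL-0 Incomplete'}
```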

Page 13: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


CRR Self-Assessment Kit

Released in February 2014 to complement the launch of the NIST CSF

The CRR Self-Assessment Kit allows organizations to conduct a review without outside facilitation.

Contains the same questions, scoring, and reporting as the facilitated assessment.

The kit contains the following resources:

Method Description and User Guide

Complete CRR Question Set with Guidance

Self-Assessment Package (automated toolset)

CRR to NIST CSF Crosswalk

CRR Self-Assessment Kit website:

http://www.us-cert.gov/ccubedvp/self-service-crr

Page 14: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


Cyber Resilience Review – Self Assessment Getting Started

• Review the CRR Method Description and User Guide
• Identify the scope of the CRR Self-Assessment
  - Identify critical services to the organization and identify which parts of the organization deliver those services
  - Choose a critical service that will be the focus of the self-assessment
  - Determine which assets (people, information, technology, and facilities) are required for the delivery of the service
• Identify key participants in the self-assessment
  - Managers and senior staff members responsible for the areas of operations and service being assessed (e.g., CIO, CISO, Director of IT, Director of Ops., etc.)
  - Other stakeholders that can provide answers that best represent the organization’s capabilities in a given CRR domain (e.g., office managers, senior owners and operators, subject matter experts, policy writers, etc.)
  - Typically 7–10 participants

Page 15: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


Cyber Resilience Review: Self Assessment

Conduct CRR Self-Assessment

• Download and open the CRR Self-Assessment Package
• Introduction from sponsor/executive management, hand-off to facilitator
• Facilitator guides participants through the CRR
  - Reviews CRR domains, methodology, agenda and the agreed upon assessment scope with the participants
  - Directs questions to pre-identified participants and confirms with others
  - Encourages and maintains dialogue throughout the CRR
  - Manages time, breaks and the overall flow of the CRR

Page 16: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


Cyber Resilience Review: Self Assessment

Generate and Review Report

• Complete the CRR self-assessment and generate a CRR report
  - Click the “Generate Report” button at the bottom of page 37
  - Optionally, print and save as PDF
• Distribute the CRR report to key personnel and interpret the results
• Identify gaps, prioritize and implement plans for improvement

Page 17: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


DHS PCII Program

• The information provided by the organization during the CRR is afforded protections under the DHS Protected Critical Infrastructure Information (PCII) Program
• What does this mean for you?
  - DHS cannot publicly disclose PCII; it is protected from:
    - The Freedom of Information Act (FOIA)
    - State and local disclosure laws
    - Use in civil litigation
  - DHS employees (and its contractors) who access PCII must be certified as PCII Authorized Users
  - DHS employees (and its contractors) may only access PCII in accordance with strict safeguarding and handling requirements
  - PCII cannot be used for regulatory purposes
• More information: http://www.dhs.gov/pcii

Page 18: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?


Questions?

Page 19: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

PROGRAM OVERVIEW: Welcome to the community.

Page 20: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

“Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.”

- The White House, Executive Order 13636

Page 21: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

SOLUTION PROPOSED BY EO 13636

o NIST to develop a Cybersecurity Framework
o A voluntary program for critical infrastructure cybersecurity to promote use of the Framework
o A whole of community approach to risk management, security and resilience
o Joint action by all levels of government and the owners and operators of critical infrastructure

Page 22: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

ROLE OF THE CRITICAL INFRASTRUCTURE CYBER COMMUNITY VOLUNTARY PROGRAM

The C3 Voluntary Program is the coordination point within the Federal Government for members of the critical infrastructure community interested in improving their cyber resilience.

Page 23: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

OUR ROLE

Administration Policies: EO 13636 highlights the need for improved cybersecurity among critical infrastructure. PPD-21 calls for efforts to strengthen the physical and cyber security and resilience of our Nation’s critical infrastructure.

Critical Infrastructure: Ranging from emergency services and transportation systems to small and medium sized businesses, the U.S. critical infrastructure provides the essential services that underpin American society.

Cybersecurity Framework: One of the major components of the EO is the development of the Framework by NIST to help critical infrastructure sectors and organizations reduce and manage their cyber risk as part of their approach to enterprise risk management.

• Framework implementation guidance
• Focal point for resources and tools
• Relationship management
• Feedback collection

Page 24: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

GOALS

o Support increasing critical infrastructure cyber resilience
o Increase awareness and use of the Framework
o Encourage organizations to manage cybersecurity as part of an all hazards approach to enterprise risk management

Page 25: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

There are three key activities the program is supporting, which we emphasize as the Three C’s:

o CONVERGING: Converging critical infrastructure community resources to support cybersecurity risk management and resilience through use of the Framework;
o CONNECTING: Connecting critical infrastructure stakeholders to the national resilience effort through cybersecurity resilience advocacy, engagement and awareness; and
o COORDINATING: Coordinating critical infrastructure cross sector efforts to maximize national cybersecurity resilience.

Page 26: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

CONVERGING RESOURCES

• C3 Voluntary Program website offers an overview of the program, downloadable tools, and outreach materials
• Links to the US-CERT C3 Voluntary Program gateway
• Existing programs/resources have been aligned with the Framework Core Function Areas (Identify, Protect, Detect, Respond, Recover)
• Broken out by stakeholder type
• Demonstrates offerings to support the Framework’s principles
• As they become available, cross sector, private sector, S/L resources will be referenced

Page 27: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

CONVERGING RESOURCES, cont.

• DHS will support use of the Cybersecurity Framework primarily through the Cyber Resilience Review (CRR).
• No-cost, voluntary, non-technical assessment to evaluate an organization’s information technology resilience.
• The CRR may be conducted as a self-assessment or in-person.
• To date, DHS has conducted more than 330 CRRs at the request of critical infrastructure entities nationwide.
• The inherent principles and recommended practices within the CRR align closely with the central tenets of the Cybersecurity Framework.
• Analyzes current practices and how they compare to the principles of the Cybersecurity Framework.

Page 28: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

CONNECTING STAKEHOLDERS

Government-to-Business
▶ Engage each of the sectors through the CIPAC Framework to establish sector-specific approaches and guidance, utilizing established partnership mechanisms, models, and approaches
▶ Work directly with organizations interested in receiving information about the Framework, resources, and initiatives

Business-to-Business
▶ Encourage organizations to develop use cases or to work with their industry peers and business partners to promote the Framework

Government-to-Government
▶ Federal – Work with Federal departments and agencies to understand use of the Framework
▶ SLTT outreach – Work with state and local governments to promote government use of the Framework and to reach businesses in their localities

Page 29: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

NEXT STEPS

• Get engaged
  - The C3 Voluntary Program will be supporting engagement during the coming year
  - The program will visit sector by sector events, potentially regional events/workshops utilizing our CSAs, and will potentially look into RFIs for broad public engagement
• Visit us at www.dhs.gov/ccubedvp, or www.us-cert.gov/ccubedvp
  - Check out the website, download and use the messaging kit, and reach out to the different programs for support
  - Try out the CRR and reach out to CSEP if you have questions on the methodology or need assistance
• Contact us at [email protected]
  - Contact the C3 Voluntary Program to send feedback or for any questions about what resources DHS is offering or how to engage different programs

Page 30: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

#ccubedvp | dhs.gov/ccubedvp

Page 31: Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage?

Welcome to the community.