“Modernizing is imperative for security. We can't promote innovation without first thinking through risk reduction.” - Tom Bossert, Homeland Security Advisor
With a preference for cloud services, the new order will change how the government addresses cybersecurity threats. Some main areas of focus are protecting networks and risk reduction framework. Watch the video here or read the transcript below:
Have you been reluctant to adopt cloud technology?
When results are paramount to your survival: Abacus Private Cloud
Couple of things positive to report today. The first is that President Trump, about an hour ago, signed an Executive Order on cyber security. That Executive Order, among other things, is going to keep his promise that he has made to the American people to keep America safe, including in cyber space. I'd like to do a few things. I'll promise you that we distribute the Executive Order, but if I could, I'll preview the Executive Order for you. Walk you through its three primary sections, some of its wave tops and then take your questions.
Among other things, at least as an observation for me, I think the trend is going in the wrong direction in cyber space and it's time to stop that trend and reverse it on behalf of the American people. We've seen increasing attacks from allies, adversaries, primarily nation states but also non-nation state actors, and sitting by and doing nothing is no longer an option. So President Trump's action today is a very heartening one.
There are three sections. They're in priority order, in a sense. The first priority for the President and for now, our federal government, is protecting our federal networks. I think it's important to start by explaining that we operate those federal networks on behalf of the American people and they often contain the American people's information and data. So not defending them is no longer an option. We've seen past hacks and past efforts that have succeeded and we need to do everything we can to prevent that from happening in the future.
So, a few things on federal networks. We have practiced one thing and preached another. It's time for us now and the President today has directed his departments and agencies to implement the NIST framework, a risk reduction framework. It is something that we have asked the private sector to implement and not forced upon ourselves. From this point forward, departments and agencies shall practice what we preach and implement that same NIST framework for risk management and risk reduction.
Second, I think of note point in protecting our federal networks, is that we spend a lot of time and inordinate money protecting antiquated and outdated systems. We saw that with the OPM hack and other things. From this point forward, The President has issued a preference from today forward in federal procurement on federal IT for shared services. We got to move to the cloud and try to protect ourselves instead of fracturing our security posture.
Third point I'd make is that the Executive Order directs all its departments and agency heads to continue its key roles, but it also centralizes risk so that we view our federal IT as one enterprise network. If we don't do so, we will not be able to adequately understand what risk exists and how to mitigate it. Number of thoughts on that. Among other things, that is going to be a very difficult task. So, modernizing is imperative for our security but modernizing is going to require a lot of hard good governance. Responsible for that today is the President's American Innovation ... Technology Council, I'm sorry, the President's American Technology Council is going to run that effort on behalf of the President here out of the White House, and we have great hope that there'll be efficiencies there, but also security.
I would probably note to you that other countries have taken two or three years to learn what we just came you with in two or three months, and that is that we can't promote innovation without first thinking through risk reduction. So doing that together is a message that we've learned but doing it together is a message we'd like to encourage private sector folks to adopt.
NIST Cybersecurity Framework Overview
The NIST CSF organizes its core material into five functions which are subdivided into a total of 22"categories. For each category, it defines a number of subcategories of cybersecurity outcomes and security controls, with 98 subcategories in all. Here are the functions and categories, along with their unique identifiers and definitions, quoted straight from the category column of its spreadsheet view of the core of the standard.
Identify - Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
- Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
- Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
- Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
Protect - Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
- Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
- Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
- Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
- Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.
- Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
Detect - Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.
- Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
- Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
Respond - Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
- Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
- Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
- Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
- Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
Recover - Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
- Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
- Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
- Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.