The National Infrastructure Advisory Council (NIAC) has published its draft report on reducing the complex risks that cyber threats pose to the critical infrastructure sectors. Because those systems are so complex and so interconnected, a successful cyber attack on them puts national security, the economy, and public safety at risk. According to the NIAC report, “cyber destruction of computer systems that control vital infrastructure like power grids, dams, waterways, air traffic control, transportation and the financial sector is inevitable without immediate efforts by government and the private sector to substantially boost efforts to protect those systems. If they fail to do so, they will have missed a ‘narrow and fleeting window of opportunity before a watershed, 9/11-level cyberattack.’”
The U.S. government has been working to bring some order to this crisis. To help government agencies and the private sector, NIST (the National Institute of Standards and Technology) developed the risk-based Cybersecurity Framework, which draws on existing industry standards and best practices to help organizations manage cybersecurity risk. In May 2017, the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (Executive Order 13800) was signed, holding agency heads accountable for managing the cybersecurity risk of their enterprises and directing them to use the Framework to do so.
Why Implement a Cybersecurity Framework?
With so many IT and security initiatives afoot, why is this specific Cybersecurity Framework a priority?
First, it is no longer an optional, nice-to-have program that merely augments your cyber risk arsenal. The executive order makes the NIST Cybersecurity Framework compulsory for every federal agency. Private sector organizations that fall within one of the sixteen critical infrastructure sectors are not bound by the order, but they are encouraged to put the appropriate measures in place to improve their cybersecurity posture.
What does that require of those organizations? The Framework sets out to help an organization:
- Identify the elements and desired outcomes of a maturing cybersecurity program;
- Assess and measure its current state against that desired state;
- Track progress and address the findings or gaps in the program; and
- Communicate its cybersecurity posture to management in a meaningful way.
Second, the Cybersecurity Framework provides a common language in which technical and non-technical personnel can reach a shared understanding of the organization’s cyber risk. Its five Functions, Identify, Protect, Detect, Respond, and Recover, are the tenets by which the program is categorized, and they apply across every industry segment as well as the government sectors. Best of all, the language, the numbering of categories and subcategories, and the measures of progress are all focused on reducing risk: the guidelines do not require any specific technology or hardware to solve the problem.
Finally, the NIST guidelines establish a continuous improvement process for reviewing, assessing, and managing an organization’s cybersecurity program. Threats and technology change. Organizational priorities change. Our approach to handling cyber risk must therefore adapt to those changes on a continuous basis.
Regardless of size or cybersecurity sophistication, any organization can apply the NIST Cybersecurity Framework principles and risk management best practices to improve the cybersecurity and resiliency of its critical infrastructure.
RSA Archer is here to help!
With the first release of the RSA Exchange on August 22, we introduced the RSA Archer Cybersecurity Framework Management App-Pack. This new offering provides government agencies and private sector businesses a method to assess and measure their cybersecurity posture, address gaps, and report on cybersecurity in a meaningful way that is understood by all stakeholders.
RSA Archer Cybersecurity Framework Management enables profile owners to catalog the current state, prioritize and scope the profile elements, and define the desired or target-state outcomes for their organization’s cybersecurity program. Assessors then evaluate these profiles against the NIST Cybersecurity Framework categories. Previous assessments can be archived and compared with the current profile to measure progress. Reports and dashboards give clear insight into the current cybersecurity state and the progress being made toward the desired state.
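To make the assess-measure-address-report cycle concrete, here is a small gap-analysis script written for this post. It is an added illustration, not RSA Archer code and not NIST tooling: it takes a current profile and a target profile (subcategory ID to maturity score), ranks the open gaps by size and priority, rolls them up to the five Functions for a management view, and compares the current assessment with an archived one to show progress. The subcategory identifiers (ID.AM-1, PR.AC-4, and so on) are real Framework Core IDs, but the 0 to 4 maturity scale, the priority weights, and the three sample profiles are constructed for the example and are assumptions, not data from any real assessment.

```python
"""Profile gap analysis for a NIST Cybersecurity Framework programme.

Added illustration, not RSA Archer or NIST code. The subcategory IDs are
CSF 1.1 Core IDs; the 0-4 maturity scale, priority weights and the sample
profiles below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

# The five Framework Functions; a subcategory ID starts with its Function code.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
MIN_SCORE, MAX_SCORE = 0, 4  # assumed maturity scale per subcategory

Profile = Dict[str, int]  # subcategory ID -> maturity score


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    priority: int

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def weighted(self) -> int:
        # Rank remediation by how far behind we are and how much it matters.
        return self.size * self.priority


def function_of(subcategory: str) -> str:
    code = subcategory.split(".", 1)[0]
    if code not in FUNCTIONS:
        raise ValueError(f"{subcategory}: unknown Function code {code!r}")
    return FUNCTIONS[code]


def validate_profile(profile: Profile) -> None:
    for sub, score in profile.items():
        function_of(sub)  # rejects malformed IDs
        if not isinstance(score, int) or not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(f"{sub}: score {score!r} outside {MIN_SCORE}..{MAX_SCORE}")


def gap_analysis(current: Profile, target: Profile,
                 priority: Dict[str, int]) -> List[Gap]:
    """Return open gaps (target above current), highest weighted first.

    The target profile defines scope: every targeted subcategory must have a
    current score, otherwise the assessment is incomplete and we refuse to
    report a misleadingly small gap.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for sub, want in target.items():
        if sub not in current:
            raise KeyError(f"{sub} is in scope but was not assessed")
        have = current[sub]
        if want < have:
            # A target below the current state is almost always a data-entry
            # error; surface it instead of silently treating it as 'done'.
            raise ValueError(f"{sub}: target {want} is below current {have}")
        if want > have:
            gaps.append(Gap(sub, function_of(sub), have, want, priority.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.weighted, g.subcategory))


def function_summary(gaps: List[Gap]) -> Dict[str, Dict[str, int]]:
    """Roll gaps up to the Function level for management reporting."""
    summary = {name: {"open": 0, "points": 0} for name in FUNCTIONS.values()}
    for g in gaps:
        summary[g.function]["open"] += 1
        summary[g.function]["points"] += g.size
    return summary


def progress(archived: Profile, current: Profile, target: Profile) -> Dict[str, object]:
    """Compare an archived assessment with the current one against the same target."""
    improved, regressed, unchanged = [], [], []
    for sub in sorted(target):
        before, now = archived.get(sub, MIN_SCORE), current.get(sub, MIN_SCORE)
        if now > before:
            improved.append(sub)
        elif now < before:
            regressed.append(sub)
        else:
            unchanged.append(sub)

    def remaining(p: Profile) -> int:
        return sum(max(target[s] - p.get(s, MIN_SCORE), 0) for s in target)

    return {"improved": improved, "regressed": regressed, "unchanged": unchanged,
            "gap_points_before": remaining(archived), "gap_points_now": remaining(current)}


# Constructed sample assessments (not real data).
ARCHIVED_PROFILE = {"ID.AM-1": 1, "ID.AM-2": 1, "PR.AC-1": 3, "PR.AC-4": 1,
                    "DE.CM-1": 1, "RS.RP-1": 2, "RC.RP-1": 0}
CURRENT_PROFILE = {"ID.AM-1": 2, "ID.AM-2": 1, "PR.AC-1": 3, "PR.AC-4": 1,
                   "DE.CM-1": 2, "RS.RP-1": 1, "RC.RP-1": 0}
TARGET_PROFILE = {"ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 3, "PR.AC-4": 4,
                  "DE.CM-1": 4, "RS.RP-1": 3, "RC.RP-1": 2}
PRIORITY = {"ID.AM-1": 2, "ID.AM-2": 2, "PR.AC-1": 1, "PR.AC-4": 3,
            "DE.CM-1": 3, "RS.RP-1": 2, "RC.RP-1": 1}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY):
        print(f"{g.subcategory:8} {g.function:8} {g.current}->{g.target}  weight {g.weighted}")
    print(function_summary(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY)))
    print(progress(ARCHIVED_PROFILE, CURRENT_PROFILE, TARGET_PROFILE))
```

Two design choices are worth noting. The target profile, not the current one, defines scope, so a subcategory that was targeted but never assessed raises an error rather than quietly dropping out of the gap list; and a target below the current score is rejected rather than treated as closed, because in practice that almost always means someone entered the wrong number. Note also that the progress view reports regressions separately: the sample data shows RS.RP-1 slipping from 2 to 1 between assessments, which a single overall "gap points" number would hide.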
Interested in learning more about the RSA Archer Cybersecurity Framework Management app-pack? Check out the video and implementation guide on the RSA Exchange. In addition, the RSA Exchange team will feature the RSA Archer Cybersecurity Framework Management app-pack at RSA Charge. Come visit us next week, October 17-19, at the RSA Exchange demo pod in the RSA Charge Innovation Zone to learn more about this offering!