This is an introduction to the National Institute of Standards and Technology Cybersecurity Framework, also known as the CSF. This program is designed to give you an understanding of the NIST Cybersecurity Framework and how to implement it. Before we jump into the CSF, let's continue with some cybersecurity basics. In this course, we will focus on the legal and governmental guidelines you will need to understand. These are some of the federal laws covering cybersecurity you should be familiar with; we'll discuss them all over the next few screens. We'll talk about the Cybersecurity Enhancement Act, Executive Order 13636, Executive Order 13800, the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, FISMA 2002 and 2014, as well as the Privacy Act.

The Cybersecurity Enhancement Act of 2014, signed into law on December 18, 2014, amended the National Institute of Standards and Technology Act to direct NIST to, on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure. In other words, it instructed NIST to develop a voluntary, industry-led, consensus-based set of cybersecurity standards and best practices for critical infrastructure, with the stipulation that information a private entity shares to help develop those standards may not be used by federal, state, or local government to regulate that entity.

Executive Order 13636, Improving Critical Infrastructure Cybersecurity, signed in February 2013 by President Obama, directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure.
It directs the executive branch to develop a technology-neutral, voluntary cybersecurity framework; promote and incentivize the adoption of cybersecurity practices; increase the volume, timeliness, and quality of cyber threat information sharing; incorporate strong privacy and civil liberties protections into the initiative to secure our critical infrastructure; and explore the use of existing regulations to promote cybersecurity. Executive Order 13636 says the Cybersecurity Framework must include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. It is to provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.

The Cybersecurity Framework provides a common taxonomy for organizations to describe their current cybersecurity posture, describe their target state for cybersecurity, identify and prioritize opportunities for improvement within the context of a continuous and repeatable process, assess progress toward that target state, and communicate among internal and external stakeholders about cybersecurity risk. The framework is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles, which we'll discuss in more detail later in this course. In February 2014, NIST released its Framework for Improving Critical Infrastructure Cybersecurity, pursuant to Executive Order 13636. The framework can be used by organizations regardless of size or sector.
It was designed with critical infrastructure in mind, but it is extremely versatile and can easily be used by organizations outside critical infrastructure. NIST's role in developing it was codified into law by the Cybersecurity Enhancement Act in December 2014, and using the framework remains voluntary for private-sector organizations. It provides value to mature programs and can also be used by organizations seeking to create a cybersecurity program. The framework complements, and does not replace, an organization's risk management process and cybersecurity program; it can be used to leverage current processes and to identify opportunities to strengthen and communicate the organization's management of cybersecurity risk while aligning with industry practices. The framework is no longer voluntary for federal agencies as a result of Executive Order 13800. The current revision of the Cybersecurity Framework is version 1.1, released in April 2018. It has five Functions and 23 Categories that organizations can use to manage their cybersecurity risk in critical industries. We're going to break these down for you later in this course.

The Department of Homeland Security has defined 16 critical infrastructure sectors that collectively cover virtually every US business: the Chemical Sector, Commercial Facilities Sector, Communications Sector, Critical Manufacturing Sector, Dams Sector, Defense Industrial Base Sector, Emergency Services Sector, Energy Sector, Financial Services Sector, Food and Agriculture Sector, Government Facilities Sector, Healthcare and Public Health Sector, Information Technology Sector, Nuclear Reactors, Materials, and Waste Sector, Transportation Systems Sector, and Water and Wastewater Systems Sector. The Cybersecurity Framework aims, among other things, to provide a common, plain-English guide for stakeholders to discuss cybersecurity and to standardize the approach for addressing cybersecurity concerns.
This screen lists the key changes to Categories and Subcategories in NIST Cybersecurity Framework version 1.1 from version 1.0. The major changes are: one new Category in the Identify Function; 10 new Subcategories across the Identify, Protect, and Respond Functions; and 26 Subcategories that were reworded from version 1.0. The changes include improved grammar, added detail, removal of extraneous information, and greater use of the term cybersecurity in place of information security. Finally, version 1.0 is still compatible with version 1.1: all of the items in version 1.0 are still in version 1.1. I've included on the screen a picture that depicts the changes from NIST CSF 1.0 to NIST CSF 1.1.

Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, issued in May 2017 by President Trump, was intended to improve the nation's cybersecurity posture and capabilities in the face of intensifying cybersecurity threats to its digital and physical security. The executive order is broadly divided into three sections: Section 1, Cybersecurity of Federal Networks; Section 2, Cybersecurity of Critical Infrastructure; and Section 3, Cybersecurity for the Nation. It initiates action on four fronts. It secures the federal networks that operate on behalf of the American people. It encourages collaboration with industry to protect the critical infrastructure that maintains the American way of life. It strengthens the deterrence posture of the United States and builds international coalitions. Finally, it places much-needed focus on building a stronger cybersecurity workforce, which is critical for the nation's long-term ability to strengthen its cybersecurity protections and capabilities. Under this order, the Cybersecurity Framework is no longer voluntary for federal agencies.
Section 1, subsection (c)(i) of Executive Order 13800 states that, effective immediately, each agency head shall use the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk.

The Computer Fraud and Abuse Act of 1986 was intended to reduce the cracking of computer systems and to address federal computer-related offenses. It governs cases with a compelling federal interest: where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate or foreign commerce. In theory, the only computers covered by the CFAA are "protected computers", defined as a computer exclusively for the use of a financial institution or the United States government, or any computer where the conduct constituting the offense affects the computer's use by or for a financial institution or the government. The term also covers computers used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States. However, in practice, and through multiple court cases over the past 25 to 30 years, essentially any ordinary computer, including cell phones, has come under the jurisdiction of this law because of the interstate nature of most Internet communications.

The Electronic Communications Privacy Act of 1986, known as the ECPA, defines "electronic communication" as any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system that affects interstate or foreign commerce, but it excludes wire or oral communications,
communications made through a tone-only paging device, communications from a tracking device, and electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds. Title I of the ECPA protects wire, oral, and electronic communications while in transit, and it sets down requirements for search warrants that are more stringent than in other settings. Title II, the Stored Communications Act, protects communications held in electronic storage, most notably messages stored on computers; its protections are weaker than those of Title I, however, and do not impose heightened standards for warrants. Finally, Title III prohibits the use of pen register or trap-and-trace devices to record dialing, routing, addressing, and signaling information used in the process of transmitting wire or electronic communications without a court order.

The Federal Information Security Management Act, Title III of the E-Government Act of 2002 (Public Law 107-347), superseded the Computer Security Act of 1987. The Office of Management and Budget (OMB) has oversight of e-government; federal agencies and their inspectors general must report information assurance status to OMB annually and quarterly, OMB reports to Congress annually, and congressional cybersecurity grades are then assigned. FISMA requires agencies to inventory their computer systems, identify and provide appropriate security protections, and develop, document, and implement agency-wide information security programs. The Federal Information Security Modernization Act of 2014, also known as FISMA 2014, adds the requirement for continuous monitoring. It passed in December 2014 and mandates automated security tools to continuously diagnose and improve security.
It designates the Department of Homeland Security (DHS) to oversee government-wide cybersecurity operations, and it required an update to OMB Circular A-130.

The Privacy Act of 1974 balances the government's need to maintain information about individuals with the rights of those individuals. The act focuses on four basic policy objectives: restrict disclosure, increase rights of access to agency records, grant individuals the right to seek amendment of their records, and establish a code of fair information practices. It was originally passed in response to the Watergate scandal in the early 1970s and now covers Personally Identifiable Information (PII) that the US government collects and retains in the normal course of its activities.

Management of cybersecurity risk includes understanding the organizational, legal, and regulatory requirements regarding cybersecurity risk management and weighing the organization's privacy and civil liberties obligations against potential risk responses. For example, some cybersecurity activities can result in the over-collection or over-retention of personal information; there may be disclosure or use of personal information unrelated to cybersecurity activities; some cybersecurity mitigation activities could result in a denial of service, such as shutting down an application or a service; and some incident detection or monitoring activities may inhibit freedom of expression or association based on predefined criteria. Of the elements listed on this screen, governance is having a process in place to support compliance of cybersecurity activities with applicable privacy laws, regulations, and constitutional requirements. Access is the set of steps taken to identify and address the privacy implications of identity management and access control measures, to the extent that they involve the collection, disclosure, or use of personal information.
Awareness and training means making sure employees and non-employees are informed of and trained on the applicable organizational privacy policies as part of the annual cybersecurity training and awareness activities. Anomalous activity detection is having a process in place to conduct a privacy review of an organization's anomalous activity detection and cybersecurity monitoring. Finally, response efforts is having a process in place to assess, review, and address whether, when, how, and the extent to which personal information is shared outside the organization as part of cybersecurity information sharing activities or addressed as part of cybersecurity mitigation efforts.

In summary, in this course we discussed regulation and governance. We talked about the Cybersecurity Enhancement Act, Executive Order 13636, Executive Order 13800, the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, FISMA 2002 and FISMA 2014, as well as the Privacy Act. We introduced the NIST Framework for Improving Critical Infrastructure Cybersecurity, discussed the key changes to Categories and Subcategories in NIST Cybersecurity Framework 1.1, and discussed privacy, civil liberties, and the Cybersecurity Framework.