MQTT Security SC

  • 1.  NIST Cyber Security published

    Posted 02-13-2014 01:52
    http://bits.blogs.nytimes.com/2014/02/12/white-house-puts-out-critical-infrastructure-security-guide/?_php=true&_type=blogs&_r=0

    Geoff Brown
    CEO & Founder
    Machine-To-Machine Intelligence (M2Mi) Corporation
    NASA Research Park
    Building 19
    Moffett Field, CA 94035
    --------------------------------------------------------------------
    THIS MESSAGE contains information that is CONFIDENTIAL and legally exempt from disclosure and that is intended only for the addressee of this message. If you are not the addressee or a person responsible for delivering this message to the addressee, then please do not deliver this message to anyone and delete all copies. Thank you.


  • 2.  Fwd: [mqtt-security] NIST Cyber Security published

    Posted 02-13-2014 14:45
    Scott, is this related at all w/ STIX? My favorite line is the end of the article:

    "... it’s unclear whether a document is really going to get people to do this,” Mr. Berk said. “You know what delivers the message really well? It’s a company saying we’ve been hacked and we’ve lost 40 million credit card numbers.”

    Yeah. That gets people's attention...

    ---------- Forwarded message ----------
    From: Geoff Brown <geoff.brown@m2mi.com>
    Date: Wed, Feb 12, 2014 at 8:52 PM
    Subject: [mqtt-security] NIST Cyber Security published
    To: mqtt-security@lists.oasis-open.org

    http://bits.blogs.nytimes.com/2014/02/12/white-house-puts-out-critical-infrastructure-security-guide/?_php=true&_type=blogs&_r=0

    --
    /chet

    ----------------
    Chet Ensign
    Director of Standards Development and TC Administration

    OASIS: Advancing open standards for the information society
    http://www.oasis-open.org

    Primary: +1 973-996-2298
    Mobile: +1 201-341-1393

    Check your work using the Support Request Submission Checklist at
    http://www.oasis-open.org/committees/download.php/47248/tc-admin-submission-checklist.html

    TC Administration information and support is available at http://www.oasis-open.org/resources/tcadmin

    Follow OASIS on:
    LinkedIn: http://linkd.in/OASISopen
    Twitter: http://twitter.com/OASISopen
    Facebook: http://facebook.com/oasis.open


  • 3.  Re: [staff-bizdev] Fwd: [mqtt-security] NIST Cyber Security published

    Posted 02-13-2014 15:09
    Re:
    > Scott, is this [NIST announcement] related at all w/ STIX?

    Perhaps I should have sent my SWAT note to the BizDev list. Here's the essential part:

    =======================================================================
    Announcement from NIST [1] and NYT article [2] below. If we get closer to the STIX/TAXII cybersecurity standards work (DHS), it will probably repay efforts to stay close to NIST also.

    -rcc

    ================= [1] NIST announcement =================

    http://www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm

    NIST Releases Cybersecurity Framework Version 1.0
    For Immediate Release: February 12, 2014
    Contact: Jennifer Huergo, 301-975-6343

    To help organizations charged with providing the nation's financial, energy, health care and other critical systems better protect their information and physical assets from cyber attack, the Commerce Department's National Institute of Standards and Technology (NIST) today released a Framework for Improving Critical Infrastructure Cybersecurity. The framework provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.

    In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The order calls for the development of a voluntary, risk-based Cybersecurity Framework—a set of existing standards, guidelines and practices to help organizations manage cyber risks. The resulting framework, created through public-private collaboration, provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.

    "The framework provides a consensus description of what's needed for a comprehensive cybersecurity program," said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher. "It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business."

    The framework allows organizations—regardless of size, degree of cyber risk or cybersecurity sophistication—to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure. Organizations can use the framework to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity. It also offers a methodology to protect privacy and civil liberties to help organizations incorporate those protections into a comprehensive cybersecurity program.

    While today's framework is the culmination of a year-long effort that brought together thousands of individuals and organizations from industry, academia and government, it is expected to be a first step in a continuous process to improve the nation's cybersecurity. The framework document is labeled "Version 1.0" and is described as a "living" document that will need to be updated to keep pace with changes in technology, threats and other factors, and to incorporate lessons learned from its use. According to the document, these updates will ensure the framework meets the needs of critical infrastructure owners and operators in a dynamic and challenging environment.

    The three main elements described in the document are the framework core, tiers and profiles. The core presents five functions—identify, protect, detect, respond and recover—that taken together allow any organization to understand and shape its cybersecurity program. The tiers describe the degree to which an organization's cybersecurity risk management meets goals set out in the framework and "range from informal, reactive responses to agile and risk-informed." The profiles help organizations progress from a current level of cybersecurity sophistication to a target improved state that meets business needs.

    "The development of this framework has jumpstarted a vital conversation between critical infrastructure sectors and their stakeholders," said Gallagher. "They can now work to understand the cybersecurity issues they have in common and how those issues can be addressed in a cost-effective way without reinventing the wheel."

    NIST also released today a "Roadmap" document to accompany the framework. It lays out a path toward future framework versions and ways to identify and address key areas for cybersecurity development, alignment and collaboration. It says NIST will continue to serve as a convener and coordinator to work with industry and other government agencies to help organizations understand, use and improve the framework. This will include leading discussions of models for future governance of the framework, such as potential transfer to a non-government organization.

    As a non-regulatory agency of the U.S. Department of Commerce, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. To learn more about NIST, visit www.nist.gov. More information about the Cybersecurity Framework development process and all related documents can be found on the framework website.

    ================== [2] NYT ==================

    FEBRUARY 12, 2014, 5:02 PM
    White House Puts Out Critical Infrastructure Security Guide
    By NICOLE PERLROTH

    The Cybersecurity Framework, which offers companies a blueprint for how to deal with cyberattacks, is voluntary.

    Updated: Industry reaction has been added to this post.

    Remember that cybersecurity bill that failed to pass two years ago? Not many people do. The bill failed largely because John McCain, the Republican senator from Arizona, the United States Chamber of Commerce and others opposed it on grounds that it would be too onerous for the private sector.

    The failed bill was intended to do two things. One, it would have provided for information-sharing about cyberthreats between the government and the private sector. Two, it would have set minimum security standards for the companies that oversee the nation’s critical infrastructure like dams, electrical grids, mobile towers and financial institutions.

    The bill ended in a Republican filibuster in August 2012, forcing the White House to issue a watered-down executive order last year. The order made it voluntary for companies that oversee critical infrastructure to join an experimental cyberthreat sharing program, and also set up recommendations — a far cry from mandatory standards — that companies can follow to prevent attacks.

    On Wednesday, the National Institute of Standards and Technology, the federal agency charged with recommending cybersecurity standards, introduced those guidelines in a Cybersecurity Framework. The framework essentially offers companies a blueprint for how to identify their risk to cyberattacks, protect against them and detect intrusions as they occur. It also offers guidance for how to respond and recover from an attack.

    But the framework is voluntary and the agency that released it Wednesday is under intense scrutiny from privacy activists, cryptographers and many in the security industry. Classified documents disclosed by Edward J. Snowden last summer made clear that N.I.S.T. issued an encryption standard in 2006 that included a backdoor for the National Security Agency.

    Security experts say the framework is not all that different from the checklists chief security officers regularly implement at their companies. “When I look at this framework with its beautifully colored boxes, my first thought is ‘Isn’t this obvious?’ ” said Vincent Berk, chief executive of FlowTraq, a network security firm.

    Because the framework is voluntary, security experts questioned whether critical infrastructure companies would implement the practices. “The framework is a step in the right direction, but it’s unclear whether a document is really going to get people to do this,” Mr. Berk said. “You know what delivers the message really well? It’s a company saying we’ve been hacked and we’ve lost 40 million credit card numbers.”

    --
    Robin Cover
    OASIS, Director of Information Services
    Editor, Cover Pages and XML Daily Newslink
    Email: robin@oasis-open.org
    Staff bio: http://www.oasis-open.org/people/staff/robin-cover
    Cover Pages: http://xml.coverpages.org/
    Newsletter: http://xml.coverpages.org/newsletterArchive.html
    Tel: +1 972-296-1783

    Attachment: NIST-cybersecurity-framework-021214.pdf
    Description: Adobe PDF document
    Attachment: NIST-roadmap-021214.pdf
    Description: Adobe PDF document