Introduction to the Framework Roadmap
July 2018
cyberframework@nist.gov
The Framework Roadmap
• Highlights areas of development relevant to the Framework and of broader interest
• Describes anticipated future activities related to the Framework
• NIST collaborates with stakeholders to identify challenges, solicit input, and develop and execute action plans for addressing roadmap areas
• Continues to evolve based on advancements in technology and the evolving cybersecurity landscape
Draft Roadmap v1.1 (Dec 5, 2017)
• Confidence Mechanisms
• Cyber Attack Lifecycle
• Cybersecurity Workforce
• Cyber Supply Chain Risk Management
• Federal Agency Cybersecurity Alignment
• Governance and Enterprise Risk Management
• Identity Management
• International Aspects, Impacts, and Alignment
• Measuring Cybersecurity
• Privacy Engineering
• Referencing Techniques
• Small Business Awareness and Resources
Roadmap Areas
Confidence Mechanisms
• Can be used to enhance an organization’s understanding of its implementation of a Framework profile
Cyber Attack Lifecycle
• Understanding the Tactics, Techniques and Procedures (TTP) an attacker may employ and the vulnerabilities an attacker may exploit is critical to effective cyber defense
Cybersecurity Workforce
• A skilled cybersecurity workforce is needed to meet the unique cybersecurity needs of critical infrastructure
Roadmap Areas
Cyber Supply Chain Risk Management
• Organizations are dependent upon product and service supply chains. Supply chain risk should be included in organizational risk management programs.
Federal Agency Cybersecurity Alignment
• NIST is updating SP 800-37 (RMF) to incorporate key Cybersecurity Framework, privacy risk management and systems security engineering concepts.
Governance and Enterprise Risk Management
• Participants involved in developing the Framework stressed that leadership buy-in to the approach was crucial to improving the nation’s cybersecurity.
Roadmap Areas
Identity Management
• Identity management needs to become more risk-aligned, adaptive, and contextual, with guidance capable of supporting flexibility, modularity, and agility.
International Aspects, Impacts, and Alignment
• Diverse requirements can impede interoperability, result in duplication, harm cybersecurity, and hamper innovation, hindering the ability of organizations to operate globally while effectively managing risks.
Measuring Cybersecurity
• More accurate and quantifiable projected cost and estimated risk reduction associated with cybersecurity investments requires an aligned, modular, and systemic approach to cybersecurity measurement.
Roadmap Areas
Privacy Engineering
• A key challenge has been determining how to design information technologies that protect individuals’ privacy and civil liberties in an increasingly connected world.
Referencing Techniques
• To handle evolving cybersecurity standards, sector-specific recommended practices, etc., the Informative References must adapt.
Small Business Awareness and Resources
• It is important that small business leaders understand and have effective approaches to manage risks to their information, systems and networks.
Resources
Where to Learn More and Stay Current
• Framework Roadmap and related efforts: https://www.nist.gov/cyberframework/relatedefforts-roadmap
• Framework for Improving Critical Infrastructure Cybersecurity and related news, information: www.nist.gov/cyberframework
• Additional cybersecurity resources: http://csrc.nist.gov/
• Questions, comments, ideas: cyberframework@nist.gov