Overview of the Critical Infrastructure Cyber Community Voluntary Program
The Department of Homeland Security (DHS) has established a Critical Infrastructure
Cyber Community Voluntary Program (C3VP) to be the coordination point within the
Federal Government to leverage and enhance existing capabilities and resources to
promote the adoption of the National Institute for Science and Technology (NIST) Cyber
Security Framework (Framework). The goals of C3VP are to increase awareness and use
of the Framework and to support industry and State and Territorial governments in using
the Framework to increase cybersecurity resiliency. The goal is for all States and
Territories to initiate Framework adoption by the end of 2014.
The Center for Internet Security (CIS)/Multi-State Information Sharing and Analysis
Center (MS-ISAC), through its Cooperative Agreement with DHS, has been designated
as a key mechanism to assist the States and Territories through this process by providing
guidance and services that aid in the adoption.
Recognizing that there are many important components of a strong cybersecurity
program, the goal of this initiative is to take the Framework and convert it into
implementable actions addressing the most critical areas that State and Territorial
governments should prioritize. Adoption is an initiative that will continue to evolve
over time. It is a process that, once implemented, will set in place a structured approach
that is critical to addressing the dynamic cybersecurity environment.
Part of that process includes State and Territorial participation in Managed Security
Services (MSS) funded by DHS and provided by CIS. These services – which include
Intrusion Detection, Intrusion Prevention, Netflow Analysis and Firewall Monitoring –
will be available to States and Territories to speed their adoption of the Framework and
improve their cybersecurity posture. These services directly apply to the “Protect” and
“Detect” areas of the Framework. Additional DHS funded services available through
CIS include incident response; cyber threat notification, advisories, reports and briefings;
vulnerability assessment, cybersecurity education and awareness; and cross-state sharing
of best practices, policies and lessons learned. In order to take advantage of the MSS
offering, States and Territories will commit to adopting the Framework by taking part in
the implementable actions outlined by DHS and CIS. This effort will be used to further
integrate States and Territories into the Department’s larger and more comprehensive
C3VP approach.
Some States and one Territory already receive MSS, funded by DHS and provided by
CIS. As the Department prepares to execute the 2014 funding of the Cooperative
Agreement, DHS will direct CIS to revise and “reboot” MSS to advance Framework
implementation.
In 2014, DHS will call upon all 56 States and Territories to adopt the principles and seek
to mature their implementation of the Framework. The recent completion of the
Nationwide Cybersecurity Review by all 50 States represents the first phase of this
process, and aligns to the first key area of the Framework: Identify. As CIS, on behalf of
DHS, solicits interest from the States and Territories to adopt the Framework, they will
receive the checklist provided below. This checklist highlights steps for States and
Territories to focus on in 2014 to increase cyber maturity and begin or continue to receive
the DHS funded MSS.
As States and Territories elect to participate in C3VP and begin the “intake” process to be
a part of the 2014 MSS effort, they will commit to increasing their maturity in accordance
with this checklist. To support their maturity and address gaps, CIS and DHS will seek
feedback and requirements from the States and Territories and tailor technical assistance
and best practice documents to meet their needs. In addition to existing products and
services that C3VP has collected to map to each of these key areas, CIS and DHS will
develop tailored products as appropriate. For example, CIS has produced recommended
procurement language for vendors requiring adherence to the Framework and DHS is
promoting tailored products for States and Territories on how to leverage the federal
investments in Continuous Diagnostics and Mitigation. Recognizing that the Framework
will be dynamic, DHS and CIS will work together to update and evolve products and
guidance over time.
To gain buy-in and launch the 2014 program, DHS will work with CIS and other State,
Local, Tribal and Territorial partners and associations, creating a cadre of “validators”
and supporters of the initiative. DHS and CIS will host a webinar for all State CIOs and
CISOs to announce the initiative and outline the paths to participation and adoption. In
addition, DHS and CIS will send a letter explaining the initiative to all State CIOs and
CISOs. DHS will also send a letter to the HSAs and Governors to give further
explanation of the initiative. All of these activities will take place in close coordination
with DHS Intergovernmental Affairs.
The five key areas of the NIST Framework are: Identify, Protect, Detect, Respond and
Recover.
The following checklist identifies an initial set of actionable items that meet the
Framework’s requirements:
Identify:
• Inventory
  o Agree to, and participate annually in, the National Cyber Security Review (NCSR).
    - State participation in the 2013 NCSR provides a baseline inventory. Future
      iterations of the NCSR will explicitly link to and reference the Framework.
• Training
  o Implement a security awareness program which incorporates social engineering
    training as well as threat briefings, table top exercises and information on
    general security best practices.
Protect:
• Control Access Management System in place
  o Control access to systems and data to only those who need it and protect those
    access credentials.
  o Actively manage the use of administrative privileges.
  o Employ the least privilege rule.
• Password Management System in place
  o Implement a strong password management program.
  o Passwords should be a minimum of 9-12 characters.
  o Require use of upper and lower case characters as well as numbers and special
    characters.
  o Passwords should be changed every 45 days.
  o Use different passwords for different accounts so that one password compromise
    does not compromise all of your accounts.
  o Implement two-factor authentication.
• Continuous vulnerability assessment
• Securely configure hardware and software
  o Utilize and continuously update Anti-Virus/Anti-Malware software.
  o Patch operating systems and other applications such as browsers, or commonly
    installed third party products such as Adobe and Java.
Detect:
• Monitor access to critical systems and sensitive data to identify unauthorized access
  attempts and anomalies.
• Continuously monitor logs of boundary devices and other critical systems.
• Implement managed security services such as the CIS/MS-ISAC’s IDS/IPS and netflow
  services.
• Report suspected or confirmed incidents to CIS/MS-ISAC.
Respond:
• Response plan is developed, reviewed, and updated annually and exercised regularly.
• Events are reported consistent with established criteria.
• Implement lessons learned after an exercise or real event.
• Implement remediation for known vulnerabilities, tackling the most critical first.
• Train personnel in their roles and responsibilities of operations when a response is
  needed.
Recover:
• Inventory your critical vendors.
• Pre-establish contractual relationships that might be needed to recover from an
  incident.
• Develop recovery plans; review old Y2K plans for purposes of reuse.