The Framework is divided into three components:
- Framework Core; “a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.” It is further divided into four elements: functions, categories, subcategories, and informative references.
- Framework Implementation Tiers (“Tiers”); of which there are four (Partial, Risk Informed, Repeatable, Adaptive). The Framework does not consider these as maturity levels; however, progression from Partial (Tier 1) to Adaptive (Tier 4) would demonstrate a more complete implementation of the Framework.
- Framework Profile (“Profile”); the understanding of the current organizational posture (“as is”) and the roadmap towards the target state (“to be”).
On December 5th 2017, Draft 2 of Framework Version 1.1 was published for review and comment. The accompanying Roadmap document is also being reviewed for comment. The final versions of these documents are expected to be released later in 2018.
Anomali welcomes the call for public review and comment of the Framework and Roadmap. The updates made thus far recognise the shifting nature of the landscape. Cyber threats continue to evolve and impact all organizations. A fundamental part of better attack detection and breach mitigation is to collect, productionise and share cyber threat intelligence. This has been recognised within the updated Identify – Risk Assessment (ID.RA-2) function of the Framework:
“Cyber threat intelligence is received from information sharing forums and sources.”
Further encouragement comes from the inclusion of the Cyber-Attack Lifecycle item, listed for development, in the draft Roadmap (1.1) publication:
“Cybersecurity is closely linked to the threats an organization faces from those that would seek to exploit a vulnerability or weakness. Therefore, it is important to approach cybersecurity from the perspective of the cyber-attack lifecycle by identifying threat sources, threat events, and vulnerabilities that predispose an environment to attack. To improve risk management capabilities, it is important that cyber threat information be readily available to support decision-making. Timely communication and actionable information are critical to counter threat and address vulnerability. This includes a near-real time exchange of automated threat and vulnerability indicators between organizations and information sharing communities such as Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), industry peers, and supply chain partners and exchanges with security service providers. Sharing indicators based on information that is discovered prior to and during incident response activities enables other organizations to deploy measures to detect, mitigate, and possibly prevent attacks as they occur.”
Ultimately, the latest Framework draft aligns more closely with today’s challenges. The inherent two-way collaboration in updating the Framework ensures relevance for all. Although the CSF was originally produced to improve cybersecurity risk management in critical infrastructure, there is now greater emphasis on broad adoption across all industry sectors and enterprises. We look forward to the release of the final version in 2018.