Cybersecurity - framework and voluntary program
Log in to view your state's edition
You are not logged in
Free Special Reports
Get Your FREE Special Report. Download Any One Of These FREE Special Reports, Instantly!
Featured Special Report
Claim Your Free Copy of 2018 EHS Salary Guide

This report will help you evaluate if you are being paid a fair amount for the responsibilities you are shouldering.

In addition, EHS managers can find the information to keep their departments competitive and efficient—an easy way to guarantee you are paying the right amount to retain hard-to-fill positions but not overpaying on others.

Download Now!
Bookmark and Share
March 06, 2014
Cybersecurity - framework and voluntary program

Two recent actions by the federal government address concerns about the vulnerability of the nation’s critical infrastructure to cyber attacks.

As an EHS professional, it’s hard to tell if you are being paid competitively, and as an employer, it’s hard to tell if you are offering salaries that are competitive and efficient. For a Limited Time we’re offering a FREE copy of the 2018 EHS Salary Guide! Download Now

First, the National Institute of Standards and Technology (NIST) released its Framework for Improving Critical Infrastructure Cybersecurity.  Shortly afterward, the Department of Homeland Security (DHS) launched its Critical Infrastructure Cyber Community C3 (pronounced “C cubed”) Voluntary Program.  The C3 Program is intended to promote and expedite the use of the framework and generally urge organizations to manage cybersecurity as part of a hazards approach to enterprise risk management. 

The DHS has identified 16 infrastructure sectors as critical—chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.

Executive Order

In 2003, President Obama issued Executive Order 13636:  Improving Critical Infrastructure Cybersecurity, which included a directive to the NIST to develop the framework.  According to the NIST, the framework—labeled Version 1.0 and described as a "living" document—“provides a consensus description of what's needed for a comprehensive cybersecurity program.” 

The framework

The three main elements described in the framework document are the framework core, tiers, and profiles.  The core presents five functions—identify, protect, detect, respond, and recover—that, taken together, allow any organization to understand and shape its cybersecurity program.  The tiers describe the degree to which an organization's cybersecurity risk management meets goals set out in the framework and "range from informal, reactive responses to agile and risk-informed."  The profiles help organizations progress from a current level of cybersecurity sophistication to a target improved state that meets business needs. 

The NIST also released a roadmap document to accompany the framework.  It lays out a path toward future framework versions and ways to identify and address key areas for cybersecurity development, alignment, and collaboration.  It describes NIST’s intention to continue to serve as a convener and coordinator to work with industry and other government agencies to help organizations understand, use, and improve the framework.  This will include leading discussions of models for future governance of the framework, such as potential transfer to a nongovernment organization.

C3 Program

DHS’s C³ voluntary program focuses on three major activities:

  • Supporting use—Assist stakeholders with understanding the use of the framework and other cyber risk management efforts, and support development of general and sector-specific guidance for framework implementation.  The voluntary program will also work with the 16 critical infrastructure sectors to develop sector-specific guidance, as needed, for using the framework.
  • Outreach and communications—The voluntary program will serve as a point of contact and customer relationship manager to assist organizations with framework use and guide interested organizations and sectors to the DHS and other public and private sector resources to support the use of the framework.
  • Feedback—The program encourages feedback from stakeholder organizations about their experiences using program resources to implement the framework.  Feedback about the framework will be shared with the NIST to help guide the development of the next version of the framework and similar efforts.

Framework for Improving Critical Infrastructure Cybersecurity

NIST roadmap

Information on DHS’s C3 voluntary program

Featured Special Report:
2018 EHS Salary Guide
Twitter   Facebook   Linked In
Follow Us