Professional Documents
Culture Documents
[NCCIC ]
2 an action, device, procedure,
Mediation
measure applied to an information
+
FE-NCCIC
system or information that is stored
on, processed by, or transiting an information that is stored on,
International Partners 5
information system that detects, processed by, or transiting
prevents, or mitigates a known or the information system CA
suspected cybersecurity threat or §103 • cyber threat indicators
[NCCIC ]
HSA §227
security vulnerability. CA §103 • defensive measures
3 Includes removal of certain personal • cybersecurity risks
information filtering function per CA • incidents
§104(d)(2).
4 Such as State, local, and tribal
Non-Federal entities4 pursuant to §103(a)
and Filtering 3
information sharing and analysis
information system
Mediation
centers, owners and operators of
+ NFE-NCCIC
critical information systems, and
private entities. information that is stored on,
[NCCIC ]
5 Collaborate on cyber threat processed by, or transiting
indicators, defensive measures, and the information system CA
information related to cybersecurity §103 interfaces
risks and incidents; and enhance the
security and resilience of global
cybersecurity Partners. HAS
§227(c)(8)
01 Jan 2016 3
Cybersecurity Act information exchange expressions
cyber threat information that is necessary to describe or identify
indicator (A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical
information related to a cybersecurity threat or security vulnerability
[malicious reconnaissance: a method for actively probing or passively monitoring an information system for the purpose of discerning security
vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.]
(B) a method of defeating a security control or exploitation of a security vulnerability;
(C) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
(D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information
system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
(E) malicious cyber command and control
[a method for unauthorized remote identification of, access to, or use of, an information system or information that is stored on, processed by, or
transiting an information system.]
(F) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
(G) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
(H) any combination thereof.
[Cybersecurity threat: an action,...on or through an information system that may result in an unauthorized effort to adversely impact the security,
availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.]
defensive an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or
measure transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.
[Defensive measure does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information
system or information stored on, processed by, or transiting such information system not owned by (i) the private entity operating the measure; or (ii)
another entity or Federal entity that is authorized to provide consent and has provided consent to that private entity for operation of such measure.]
cybersecurity threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use,
risk disclosure, degradation, disruption, modification, or destruction of such information or information systems
[Includes related consequences caused by an act of terrorism]
incident an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an
information system, or actually or imminently jeopardizes, without lawful authority, an information system
01 Jan 2016 4
Cybersecurity Act of 2015 Timeline – first year actions
Pursuant to 2 USC Sec. 394, FRCP Rule 26. N.B., 6
months treated as 180 days, 9 months as 270 days, 18
months as 548 days, 1 year and annual as 365 days
DHS(3), DNI, DNI+OMB, Federal
CIO, NIST(2), OMB, DOJ+DHS(2)
DHS(2), DNI, DOJ+DHS(3),
DHS(7), DOS(1), Federal
Judicial
Federal agencies (5), HHS, OMB(4)
DHS(4), agencies
DOS, HHS
NIST
Enacted, 18 Dec 2015
DHS(5), DHS+DOJ, DHS+ NIST(2), Additional ad hoc reporting requirements exist for DHS (Sec. 105
Federal agencies, DOS, GAO, NIST, & 223), DHS+NIST (Sec. 229), HHS (Sec. 405), NIST (Sec. 303),
OMB and OMB (Sec. 226)
01 Jan 2016 7
Meeting the challenge: questions and options
• What information exchange requirements exist at the three identified NCCIC interfaces?
– Federal-Entity
– Non-Federal Entity
– International Partner
• What assumptions should be made about the capabilities and architectures within these
three domains?
• Are other interfaces needed?
• Are there sector-specific interface sub-types and what are they?
• What are the required information sharing expressions and other capabilities at these
interfaces, and to what extent can existing specifications be mapped to these
requirements?
• What are the algorithms for the “personal information of a specific individual or
information that identifies a specific individual” filter function?
• Is it feasible to create an ad-hoc TC CTI or OASIS group to assist in the Act’s
implementation similar to other compliance obligations?
8
01 Jan 2016
Key Monitoring and
Defense Platforms
Implicated
01 Jan 2016 9
Mapping: STIX intelligence model and expressions
Observables Encoding and communicating standardized high-fidelity information about cyber observables, whether dynamic events or stateful
measures properties that are observable in the operational cyber domain (including those measured in an operational context as well as
more abstract patterns for potential observables that may be targets for observation and analysis a priori)
Indicators Specific Observable patterns combined with contextual information intended to represent artifacts and/or behaviors of interest within a
cyber security context (consisting of one or more Observable patterns potentially mapped to a related TTP context and adorned with other
relevant metadata)
Incidents Discrete instances of Indicators along with information discovered or decided during an incident response investigation
Campaigns Instances of Actors pursuing an intent, as observed through sets of Incidents and/or TTP
Actors Characterizations of malicious actors (or adversaries) representing a attack threat including presumed intent and historically observed
behavior
ExploitTargets Vulnerabilities or weaknesses in software, systems, networks or configurations that are targeted for exploitation by the TTP of a
ThreatActor
CoursesOfAction Specific measures to be taken to address threat whether they are corrective or preventative to address ExploitTargets, or responsive to
counter or mitigate the potential impacts of Incidents.
Data Markings Ability to represent markings of the data to specify things like handling restrictions given the potentially sensitive nature of many forms of
information
01 Jan 2016 11
Mapping: The CIS Critical Security Controls for Effective Cyber Defense
01 Jan 2016 12
Cybersecurity Act of 2015
Key Reference Model Sections
01 Jan 2016 13
Basic requirements (Cybersecurity Act § 103)
CATEGORY RAPIDITY ATTRIBUTES INFORMATION TYPES WHERE WITH WHOM MODIFIERS
(1) the timely of classified cyber threat indicators and defensive in the possession of with representatives of that have appropriate
sharing measures the Federal relevant Federal entities security clearances
Government and non-Federal entities
(2) the timely that may be cyber threat indicators, defensive in the possession of with relevant Federal
sharing declassified and measures, and information relating to the Federal entities and non-Federal
shared at an cybersecurity threats or authorized Government entities
unclassified level uses under this title
(3) the timely of unclassified, cyber threat indicators and defensive in the possession of with relevant Federal or the public if
sharing including controlled measures the Federal entities and non-Federal appropriate
unclassified Government entities
(4) the timely of information relating about cybersecurity threats to such in the possession of with Federal entities and if appropriate
sharing to cybersecurity entities to prevent or mitigate the Federal non-Federal entities
threats or authorized adverse effects from such Government
uses under this title cybersecurity threats
(5) the periodic of cybersecurity best cyber threat indicators, defensive in the possession of through publication and with attention to
sharing practices that are measures, and information relating to the Federal targeted outreach accessibility and
developed based on cybersecurity threats or authorized Government implementation
ongoing analyses of uses under this title challenges faced by small
business concerns
01 Jan 2016 14
Private action authorized (Cybersecurity Act § 104)
monitor/defend what monitor where (a) defend where (b) sharing (c) filtering (d)
an information system of such private entity; such private entity in order to protect the rights
or property of the private entity;
an information system of another non-Federal entity, upon another non-Federal entity upon written
the authorization and written consent of such entity for operation of such
consent of such other entity; defensive measure to protect the rights or
property of such entity; and
an information system of a Federal entity, upon the a Federal entity upon written consent of an
authorization and written consent authorized representative of such Federal entity
of an authorized representative of for operation of such defensive measure to
the Federal entity; and protect the rights or property of the Federal
Government.
information that is stored on, processed by, or
transiting an information system
monitored by the private entity
under this paragraph.
share with or receive any information not directly
from any other non- related to a cybersecurity
Federal entity or the threat that the non-Federal
Federal Government a entity knows at the time of
cyber threat indicator or sharing to be personal
defensive measure... information of a specific
individual or information
that identifies a specific
individual
01 Jan 2016 15
Sharing policies and procedures (Cybersecurity Act § 105)
• Not later than [16 Feb 2016], the Attorney General and the Secretary of Homeland
Security shall
– in consultation with the heads of the appropriate Federal entities, jointly develop and submit to
Congress interim policies and procedures relating to the receipt of cyber threat indicators and
defensive measures by the Federal Government
– jointly develop and make publicly available guidance to assist entities and promote sharing of
cyber threat indicators with Federal entities
• Not later than [15 Jun 2016], the Attorney General and the Secretary of Homeland
Security shall, in consultation with the heads of the appropriate Federal entities,
jointly issue and make publicly available final policies and procedures relating to the
receipt of cyber threat indicators and defensive measures by the Federal
Government
16
01 Jan 2016
Filtering: removal of certain personal information
SEC. 103. SHARING OF INFORMATION BY THE FEDERAL GOVERNMENT SEC. 105. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES WITH THE
FEDERAL GOVERNMENT.
(b) DEVELOPMENT OF PROCEDURES.— (a) REQUIREMENT FOR POLICIES AND PROCEDURES.—
(1) IN GENERAL.—The procedures developed under subsection (a) shall— (4) GUIDELINES FOR ENTITIES SHARING CYBER THREAT INDICATORS WITH FEDERAL
(E) include procedures that require a Federal entity, prior to the sharing of a cyber threat GOVERNMENT.—
indicator— (B) CONTENTS.—The guidelines developed and made publicly available under subparagraph (A) shall
include guidance on the following:
(i) to review such cyber threat indicator to assess whether such cyber threat indicator (i) Identification of types of information that would qualify as a cyber threat indicator under this title that
contains any information not directly related to a cybersecurity threat that such would be unlikely to include information that—
Federal entity knows at the time of sharing to be personal information of a specific (II) is personal information of a specific individual or information that identifies a specific individual.
individual or information that identifies a specific individual and remove such (b) PRIVACY AND CIVIL LIBERTIES.—
information; or (3) CONTENT.—The guidelines required by paragraphs (1) and (2) shall, consistent with the need to
(ii) to implement and utilize a technical capability configured to remove any information protect information systems from cybersecurity threats and mitigate cybersecurity threats—
not directly related to a cybersecurity threat that the Federal entity knows at the time (B) limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal
of sharing to be personal information of a specific individual or information that information of specific individuals or information that identifies specific individuals, including by
establishing—
identifies a specific individual; and (i) a process for the timely destruction of such information that is known not to be directly related to uses
(F) include procedures for notifying, in a timely manner, any United States person whose authorized under this title; and
personal information is known or determined to have been shared by a Federal entity (ii) specific limitations on the length of any period in which a cyber threat indicator may be retained;
in violation of this title. (C) include requirements to safeguard cyber threat indicators containing personal information of specific
individuals or information that identifies specific individuals from unauthorized access or acquisition,
including appropriate sanctions for activities by officers, employees, or agents of the Federal
SEC. 104. AUTHORIZATIONS FOR PREVENTING, DETECTING, ANALYZING, AND Government in contravention of such guidelines;
MITIGATING CYBERSECURITY THREATS. (F) protect the confidentiality of cyber threat indicators containing personal information of specific
individuals or information that identifies specific individuals to the greatest extent practicable and
(d) PROTECTION AND USE OF INFORMATION.— require recipients to be informed that such indicators may only be used for purposes authorized under
(2) REMOVAL OF CERTAIN PERSONAL INFORMATION.—A non-Federal entity sharing this title; and
a cyber threat indicator pursuant to this title shall, prior to such sharing— (d) INFORMATION SHARED WITH OR PROVIDED TO THE FEDERAL GOVERNMENT.—
(A) review such cyber threat indicator to assess whether such cyber threat indicator (5) DISCLOSURE, RETENTION, AND USE.—
contains any information not directly related to a cybersecurity threat that the non- (C) PRIVACY AND CIVIL LIBERTIES.— Cyber threat indicators and defensive measures provided to the
Federal Government under this title shall be retained, used, and disseminated by the Federal
Federal entity knows at the time of sharing to be personal information of a specific Government—
individual or information that identifies a specific individual and remove such (i) in accordance with the policies, procedures, and guidelines required by subsections (a) and (b);
information; or (ii) in a manner that protects from unauthorized use or disclosure any cyber threat indicators that may
(B) implement and utilize a technical capability configured to remove any information not contain—
directly related to a cybersecurity threat that the non-Federal entity knows at the time (I) personal information of a specific individual; or
of sharing to be personal information of a specific individual or information that (II) information that identifies a specific individual; and
identifies a specific individual. (iii) in a manner that protects the confidentiality of cyber threat indicators containing—
(I) personal information of a specific individual; or
(II) information that identifies a specific individual.
17
01 Jan 2016
NCCIC functions
(Homeland + Cybersecurity Acts § 227(c))
1) a Federal civilian interface for
– multi-directional and cross-sector sharing of information related to
– cyber threat indicators, defensive measures, cybersecurity risks, incidents, analysis, and warnings for Federal and non-Federal entities
– implementation of title I of the Cybersecurity Act of 2015
2) providing shared situational awareness to enable realtime, integrated, and operational actions across the Federal Government and
non-Federal entities to address cybersecurity risks and incidents to Federal and non-Federal entities
3) coordinating the sharing of information related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents across
the Federal Government
4) facilitating cross-sector coordination to address cybersecurity risks and incidents, including cybersecurity risks and incidents that may
be related or could have consequential impacts across multiple sectors;
5) (A) conducting integration and analysis, including cross-sector integration and analysis, of cyber threat indicators, defensive measures,
cybersecurity risks, and incidents; and (B) sharing the analysis with Federal and non-Federal entities
6) upon request, providing timely technical assistance, risk management support, and incident response capabilities to Federal and non-
Federal entities with respect to cyber threat indicators, defensive measures, cybersecurity risks, and incidents, which may include
attribution, mitigation, and remediation
7) providing information and recommendations on security and resilience measures to Federal and non-Federal entities, including
information and recommendations to—(A) facilitate information security; (B) strengthen information systems against cybersecurity
risks and incidents. (C) sharing cyber threat indicators and defensive measures
8) engaging with international partners, in consultation with other appropriate agencies
9) sharing cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with Federal
and non-Federal entities, including across sectors of critical infrastructure and with State and major urban area fusion centers, as
appropriate
10) participating, as appropriate, in national exercises run by the Department
11) assessing and evaluating consequence, vulnerability, and threat information regarding cyber incidents to public safety communications
to help facilitate continuous improvements to the security and resiliency of such communications
01 Jan 2016 18
NCCIC composition
(Homeland + Cybersecurity Acts § 227(d)(1))
A. Federal entities, such as sector-specific agencies, civilian and law enforcement
agencies, and intelligence community
B. Non-Federal entities, such as State, local, and tribal governments, ISAOs, ISACs
including information sharing and analysis centers, owners and operators of critical
information systems, and private entities
C. components within the Center that carry out cybersecurity and communications activities
D. a designated Federal official for operational coordination with and across each sector
E. an entity that collaborates with State and local governments on cybersecurity risks and
incidents and has entered into a voluntary information sharing relationship
F. other appropriate representatives or entities, as determined by the Secretary
(2) INCIDENTS.—In the event of an incident, during exigent circumstances the Secretary
may grant a Federal or non-Federal entity immediate temporary access to the Center.
01 Jan 2016 19
NCCIC principles
(Homeland + Cybersecurity Acts § 227(e))
A. timely, actionable, and relevant cyber threat indicators, defensive measures, and information
related to cybersecurity risks, incidents, and analysis is shared;
B. when appropriate, cyber threat indicators, defensive measures, and information related to
cybersecurity risks, incidents, and analysis is integrated with other relevant information and
tailored to the specific characteristics of a sector
C. activities are prioritized and conducted based on the level of risk
D. industry sector-specific, academic, and national laboratory expertise is sought and receives
appropriate consideration
E. continuous, collaborative, and inclusive coordination occurs: across sectors and with sector
coordinating councils, ISAOs, and other appropriate non-Federal partners
F. the Center works to develop and use mechanisms for sharing information related to cyber threat
indicators, defensive measures, cybersecurity risks, and incidents that are technology-neutral,
interoperable, real-time, cost-effective, and resilient
G. the Center works with other agencies to reduce unnecessarily duplicative sharing of information
related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents
H. the Center designates an agency contact for non-Federal entities;
(2) information related to cyber threat indicators, defensive measures, cybersecurity risks, and
incidents is appropriately safeguarded against unauthorized access or disclosure
01 Jan 2016 20
NCCIC automated information sharing
(Homeland + Cybersecurity Acts § 227(g))
A. Standards and best practices
in coordination with industry and other stakeholders, shall develop capabilities making use of existing information technology industry
standards and best practices, as appropriate, that support and rapidly advance the development, adoption, and implementation of
automated mechanisms for the sharing of cyber threat indicators and defensive measures in accordance with title I of the Cybersecurity Act
of 2015
01 Jan 2016 21