Introduction to the Framework

Roadmap
July 2018

cyberframework@nist.gov
The Framework Roadmap
• Highlights areas of development
relevant to the Framework and of
broader interest
• Describes anticipated future activities
related to the Framework
• NIST collaborates with stakeholders
to identify challenges, solicit input,
and develop and execute action plans
for addressing roadmap areas
• Continues to evolve based on
advancements in technology and the
evolving cybersecurity landscape
Draft Roadmap v1.1 (Dec 5, 2017)
Confidence Mechanisms
Cyber Attack Lifecycle
Cybersecurity Workforce
Cyber Supply Chain Risk Management
Federal Agency Cybersecurity Alignment
Governance and Enterprise Risk
Management
Identity Management
International Aspects, Impacts, and Alignment
Measuring Cybersecurity
Privacy Engineering
Referencing Techniques
Small Business Awareness and Resources
3
Roadmap Areas

Confidence • Can be used to enhance an organization’s

understanding of its implementation of a
Mechanisms Framework profile

• Understanding the Tactics, Techniques and

Cyber Attack Procedures (TTP) an attacker may employ
Lifecycle and the vulnerabilities an attacker may
exploit are critical to effective cyber defense

Cybersecurity • A skilled cybersecurity workforce is needed to

meet the unique cybersecurity needs of
Workforce critical infrastructure
4
Roadmap Areas

Cyber Supply • Organizations are dependent upon product

and service supply chains. Supply chain risk
Chain Risk should be included in organizational risk
Management management programs.

Federal Agency • NIST is updating SP 800-37 (RMF), to

incorporate key Cybersecurity Framework,
Cybersecurity privacy risk management and systems
Alignment security engineering concepts.

Governance
and Enterprise • Participants involved in developing the
Framework stressed that leadership buy-in
Risk to the approach was crucial to improving the
Management nation’s cybersecurity.
5
Roadmap Areas

• Identity management needs to become more

Identity risk-aligned, adaptive, and contextual with
Management guidance capable of supporting flexibility,
modularity, and agility

International • Diverse requirements can impede

Aspects, interoperability, result in duplication, harm
cybersecurity, and hamper innovation,
Impacts, and hindering the ability of organizations to operate
globally while effectively manage risks.
Alignment
• More accurate and quantifiable projected cost
Measuring and estimated risk reduction associated with
cybersecurity investments requires an aligned,
Cybersecurity modular, and systemic approach to
cybersecurity measurement.
6
Roadmap Areas

• A key challenge has been determining how

Privacy to design information technologies that
Engineering protect individuals’ privacy and civil liberties
in an increasingly connected world.

• To handle evolving cybersecurity

Referencing standards, sector specific recommended
Techniques practices, etc., the Informative References
must adapt.

Small Business • It is important that small business leaders

understand and have effective approaches
Awareness to manage risks to their information,
and Resources systems and networks.
7
Resources
Where to Learn More and Stay Current

Framework Roadmap and related efforts:

https://www.nist.gov/cyberframework/related-effor
ts-roadmap
Framework for Improving Critical Infrastructure
Cybersecurity and related news, information:
www.nist.gov/cyberframework
Additional cybersecurity resources:
http://csrc.nist.gov/
Questions, comments, ideas:
cyberframework@nist.gov