Deconstructing the Cybersecurity Act of 2015:
model, architecture, interfaces, expressions
Tony Rutkowski, mailto:tony@yaanatech.com
15 Jan 2016
V1.0
Copyright © Yaana Technologies LLC 2016
[USA] Cybersecurity Act of 2015
Title I: Basic purposes and requirements
Title II.A: Sharing architecture around the National Cybersecurity and Communications Integration Center (NCCIC) instantiated by amending Homeland Security Act of 2002 as amended
Title II.B: Steps to improve Federal agency cybersecurity
Title III: Cybersecurity education
Title IV: Miscellaneous
[USA] Cybersecurity Act of 2015
Cirrus Word Cloud Display (image)
Entity ontology of the Cybersecurity Act of 2015 (entity diagram; labels as shown)
• Entity classes: Federal entity; Appropriate Federal entity; Non-Federal entity; Private entity; 103(a) entities
• Federal entities: DHS - Department of Homeland Security; DNI – Office of the Director of National Intelligence; DOD - Department of Defense; DOJ - Department of Justice; NSA – National Security Agency; Intelligence Community (1); NCCIC - National Cybersecurity and Communications Integration Center; DOE - Department of Energy; Department of Treasury; DOC - Department of Commerce/NIST; DOS - Department of State; OMB – Office of Management and the Budget; HHS – Department of Health and Human Services; GAO – Government Accounting Office
• Non-Federal and other parties: ISAO - Information Sharing and Analysis Organization (collaborates with State and local governments); [Sector-specific] ISAC - Information Sharing and Analysis Center; Sector Coordinating Councils; Owners and operators of critical information systems; Other appropriate non-Federal partners; Voluntary information sharing relationship; Other determined by the Secretary; State, tribal, or local government; International partners; Foreign power
Notes:
1 See 50 U.S. Code § 3003(4)
* No definition
Cybersecurity Act architecture & interfaces (diagram)
• Domains: Federal entities; Non-Federal entities (4); International Partners (5)
• Hub: NCCIC (National Cybersecurity and Communications Integration Center), HSA §227
• Interfaces: FE-NCCIC (Federal entities); NFE-NCCIC (Non-Federal entities); IP-NCCIC (International Partners)
• Exchanged across the interfaces, pursuant to §103(a): cyber threat indicators; defensive measures; cybersecurity risks; incidents
• Mediation and filtering (3) at the NCCIC
• Monitor (1) & defend (2) the information system + information that is stored on, processed by, or transiting the information system (CA §103)
Notes:
1 To acquire, identify, or scan, or to possess, information that is stored on, processed by, or transiting an information system. CA §103
2 An action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability. CA §103
3 Includes the filtering function that removes certain personal information per CA §104(d)(2).
4 Such as State, local, and tribal governments, ISAOs, ISACs including information sharing and analysis centers, owners and operators of critical information systems, and private entities.
5 Collaborate on cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents; and enhance the security and resilience of global cybersecurity partners. HSA §227(c)(8)
Cybersecurity Act information exchange expressions

cyber threat indicator: information that is necessary to describe or identify
(A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability
[malicious reconnaissance: a method for actively probing or passively monitoring an information system for the purpose of discerning security vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.]
(B) a method of defeating a security control or exploitation of a security vulnerability;
(C) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
(D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
(E) malicious cyber command and control
[a method for unauthorized remote identification of, access to, or use of, an information system or information that is stored on, processed by, or transiting an information system.]
(F) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
(G) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
(H) any combination thereof.
[Cybersecurity threat: an action,...on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.]

defensive measure: an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.
[Defensive measure does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system not owned by (i) the private entity operating the measure; or (ii) another entity or Federal entity that is authorized to provide consent and has provided consent to that private entity for operation of such measure.]

cybersecurity risk: threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems
[Includes related consequences caused by an act of terrorism]

incident: an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system
Cybersecurity Act of 2015 Timeline – first year actions (timeline diagram)
• Enacted, 18 Dec 2015
• 60 days, 16 Feb 2016
• 90 days, 17 Mar 2016
• 180 days, 15 Jun 2016
• 240 days, 15 Aug 2016
• 9 months, 13 Sep 2016
• One year, 18 Dec 2016
Responsible parties shown on the timeline (number of required actions in parentheses):
– DHS(2), DNI, DOJ+DHS(3), Judicial
– DHS(4), DOS, HHS
– DHS(3), DNI, DNI+OMB, Federal CIO, NIST(2), OMB, DOJ+DHS(2)
– Federal agencies
– NIST
– DHS(7), DOS(1), Federal agencies (5), HHS, OMB(4)
Pursuant to 2 USC Sec. 394, FRCP Rule 26. N.B., 6 months treated as 180 days, 9 months as 270 days, 18 months as 548 days, 1 year and annual as 365 days
Cybersecurity Act of 2015 Timeline – actions after the first year (timeline diagram)
• 18 months, 19 Jun 2017
• 2 years, 18 Dec 2017
• 3 years, 18 Dec 2018
• 4 years, 18 Dec 2019
• 5 years, 18 Dec 2020
• 6 years, 20 Dec 2021
• 7 years, 19 Dec 2022
Responsible parties shown on the timeline (number of required actions in parentheses):
– DHS(5), DHS+DOJ, DHS+NIST(2), Federal agencies, DOS, GAO, NIST, OMB
– DHS(2), DHS+NIST, Federal agencies, GAO(3), OMB
– DHS, Federal agencies
– DHS(3), DHS+NIST, DOS, Federal agencies, OMB
– Federal CIO, NIST, OMB
Additional ad hoc reporting requirements exist for DHS (Sec. 105 & 223), DHS+NIST (Sec. 229), HHS (Sec. 405), NIST (Sec. 303), and OMB (Sec. 226)
EU NIS (Network and Information Security) Directive
• Tentative agreement on same date as Cybersecurity Act of 2015 – 18 Dec
• Requires implementation by each of the 28 Member States
• Creates a bifurcation
– Applies to “operators of essential services and digital service providers” that are active in energy, transport,
banking, financial services, healthcare and other critical industry segments
– “Should…not apply to undertakings providing public communication networks or publicly available electronic
communication services within the meaning of Directive 2002/21/EC”
• Relies on a “cooperation group” composed of Member States' representatives, the Commission
and ENISA to support and facilitate strategic cooperation
• Member States can “take the necessary measures to ensure the protection of its essential
security interests, to safeguard public policy and public security, and to permit the investigation,
detection and prosecution of criminal offences”
• All Member States should be adequately equipped, both in terms of technical and
organisational capabilities, to prevent, detect, respond to and mitigate network and information
systems' incidents and risks
• A need for closer international cooperation to improve security standards and information
exchange, and promote a common global approach to NIS issues; might be helpful to draft
harmonised standards
• Includes sharing information on risks and incidents, especially including notification of personal
data breaches
Meeting the challenge: questions and options
• What information exchange requirements exist at the three identified NCCIC
interfaces?
– Federal-Entity, Non-Federal Entity, International Partner
• What assumptions should be made about the capabilities and architectures within
these three domains?
• Are other interfaces needed?
• What are the sector-specific interface sub-types?
• What are the required information sharing expressions and other capabilities at
these interfaces, and to what extent can existing specifications be mapped to these
requirements?
• What are the algorithms for the “personal information of a specific individual or
information that identifies a specific individual” filter function?
• Can an ad-hoc TC CTI or OASIS group assist in the Act’s implementation?
• How can the TC CTI standards also be applied to meet the EU NIS Directive?

Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115

  • 1. Deconstructing the Cybersecurity Act of 2015: model, architecture, interfaces, expressions Tony Rutkowski, mailto:tony@yaanatech.com 15 Jan 2016 V1.0 Copyright © Yaana Technologies LLC 2016
  • 2. [USA] Cybersecurity Act of 2015 15 Jan 2016 Title I: Basic purposes and requirements Title II.A: Sharing architecture around the National Cybersecurity and Communications Integration Center (NCCIC) instantiated by amending Homeland Security Act of 2002 as amended Title II.B: Steps to improve Federal agency cybersecurity Title III: Cybersecurity education Title IV: Miscellaneous 15 Jan 2016 2
  • 3. [USA] Cybersecurity Act of 2015 Cirrus Word Cloud Display 15 Jan 2016 3
  • 4. Entity ontology of the Cybersecurity Act of 2015. FEDERAL ENTITY; APPROPRIATE FEDERAL ENTITY; NON-FEDERAL ENTITY; PRIVATE ENTITY; 103(a) ENTITIES; DHS - DEPARTMENT OF HOMELAND SECURITY; DNI – OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE; DOD - DEPARTMENT OF DEFENSE; DOJ - DEPARTMENT OF JUSTICE; NSA – NATIONAL SECURITY AGENCY; FOREIGN POWER; ISAO - INFORMATION SHARING AND ANALYSIS ORGANIZATION (COLLABORATES WITH STATE AND LOCAL GOVERNMENTS); [SECTOR-SPECIFIC] ISAC - INFORMATION SHARING AND ANALYSIS CENTER; SECTOR COORDINATING COUNCILS; OWNERS AND OPERATORS OF CRITICAL INFORMATION SYSTEMS; OTHER APPROPRIATE NON-FEDERAL PARTNERS; "VOLUNTARY INFORMATION SHARING RELATIONSHIP"; OTHER DETERMINED BY THE SECRETARY; INTERNATIONAL PARTNERS; STATE, TRIBAL, OR LOCAL GOVERNMENT; INTELLIGENCE COMMUNITY 1; NCCIC - NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER; DOE - DEPARTMENT OF ENERGY; DEPARTMENT OF TREASURY; DOC - DEPARTMENT OF COMMERCE/NIST; DOS - DEPARTMENT OF STATE; OMB – OFFICE OF MANAGEMENT AND THE BUDGET; HHS – DEPARTMENT OF HEALTH AND HUMAN SERVICES; GAO – GOVERNMENT ACCOUNTING OFFICE. Notes: 1 See 50 U.S. Code § 3003(4). * No definition. 15 Jan 2016 4
  • 5. Cybersecurity Act architecture & interfaces. Domains: International Partners 5; Non-Federal entities 4; Federal entities. Hub: NCCIC (National Cybersecurity and Communications Integration Center, HSA §227). Interfaces: FE-NCCIC, NFE-NCCIC, IP-NCCIC, each passing through a Mediation and Filtering 3 function at the NCCIC. Exchanged pursuant to §103(a): cyber threat indicators; defensive measures; cybersecurity risks; incidents. Entity domains: Monitor 1 & defend 2 information system + information that is stored on, processed by, or transiting the information system (CA §103). Notes: 1 to acquire, identify, or scan, or to possess, information that is stored on, processed by, or transiting an information system (CA §103). 2 an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability (CA §103). 3 Includes removal of certain personal information filtering function per CA §104(d)(2). 4 Such as State, local, and tribal governments, ISAOs, ISACs including information sharing and analysis centers, owners and operators of critical information systems, and private entities. 5 Collaborate on cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents; and enhance the security and resilience of global cybersecurity partners (HSA §227(c)(8)). 15 Jan 2016 5
  • 6. Cybersecurity Act information exchange expressions
    cyber threat indicator: information that is necessary to describe or identify (A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability [malicious reconnaissance: a method for actively probing or passively monitoring an information system for the purpose of discerning security vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.]; (B) a method of defeating a security control or exploitation of a security vulnerability; (C) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability; (D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability; (E) malicious cyber command and control [a method for unauthorized remote identification of, access to, or use of, an information system or information that is stored on, processed by, or transiting an information system.]; (F) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat; (G) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or (H) any combination thereof. [Cybersecurity threat: an action, ... on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.]
    defensive measure: an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability. [Defensive measure does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system not owned by (i) the private entity operating the measure; or (ii) another entity or Federal entity that is authorized to provide consent and has provided consent to that private entity for operation of such measure.]
    cybersecurity risk: threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems. [Includes related consequences caused by an act of terrorism]
    incident: an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system. 15 Jan 2016 6
  • 7. Cybersecurity Act of 2015 Timeline – first year actions. Milestones: Enacted, 18 Dec 2015; 60 days, 16 Feb 2016; 90 days, 17 Mar 2016; 180 days, 15 Jun 2016; 240 days, 15 Aug 2016; 9 months, 13 Sep 2016; One Year, 18 Dec 2016. Pursuant to 2 USC Sec. 394, FRCP Rule 26. N.B., 6 months treated as 180 days, 9 months as 270 days, 18 months as 548 days, 1 year and annual as 365 days. Responsible entities, as grouped on the slide: DHS(2), DNI, DOJ+DHS(3), Judicial; DHS(4), DOS, HHS; DHS(3), DNI, DNI+OMB, Federal CIO, NIST(2), OMB, DOJ+DHS(2); Federal agencies; NIST; DHS(7), DOS(1), Federal agencies (5), HHS, OMB(4). 15 Jan 2016 7
  • 8. Cybersecurity Act of 2015 Timeline – actions after the first year. Milestones: 18 months, 19 Jun 2017; 2 years, 18 Dec 2017; 3 years, 18 Dec 2018; 4 years, 18 Dec 2019; 5 years, 18 Dec 2020; 6 years, 20 Dec 2021; 7 years, 19 Dec 2022. Responsible entities, as grouped on the slide: DHS(5), DHS+DOJ, DHS+NIST(2), Federal agencies, DOS, GAO, NIST, OMB; DHS(2), DHS+NIST, Federal agencies, GAO(3), OMB; DHS, Federal agencies; DHS(3), DHS+NIST, DOS, Federal agencies, OMB; Federal CIO, NIST, OMB. Additional ad hoc reporting requirements exist for DHS (Sec. 105 & 223), DHS+NIST (Sec. 229), HHS (Sec. 405), NIST (Sec. 303), and OMB (Sec. 226). 15 Jan 2016 8
  • 9. EU NIS (Network and Information Security) Directive
    • Tentative agreement on same date as Cybersecurity Act of 2015 – 18 Dec
    • Requires implementation by each of the 28 Member States
    • Creates a bifurcation
      – Applies to "operators of essential services and digital service providers" that are active in energy, transport, banking, financial services, healthcare and other critical industry segments
      – "Should…not apply to undertakings providing public communication networks or publicly available electronic communication services within the meaning of Directive 2002/21/EC"
    • Relies on a "cooperation group" composed of Member States' representatives, the Commission and ENISA to support and facilitate strategic cooperation
    • Member States can "take the necessary measures to ensure the protection of its essential security interests, to safeguard public policy and public security, and to permit the investigation, detection and prosecution of criminal offences"
    • All Member States should be adequately equipped, both in terms of technical and organisational capabilities, to prevent, detect, respond to and mitigate network and information systems' incidents and risks
    • A need for closer international cooperation to improve security standards and information exchange, and promote a common global approach to NIS issues; might be helpful to draft harmonised standards
    • Includes "sharing information on risks and incidents," especially including notification of personal data breaches
    15 Jan 2016 9
  • 10. Meeting the challenge: questions and options
    • What information exchange requirements exist at the three identified NCCIC interfaces?
      – Federal Entity, Non-Federal Entity, International Partner
    • What assumptions should be made about the capabilities and architectures within these three domains?
    • Are other interfaces needed?
    • What are the sector-specific interface sub-types?
    • What are the required information sharing expressions and other capabilities at these interfaces, and to what extent can existing specifications be mapped to these requirements?
    • What are the algorithms for the "personal information of a specific individual or information that identifies a specific individual" filter function?
    • Can an ad-hoc TC CTI or OASIS group assist in the Act's implementation?
    • How can the TC CTI standards also be applied to meet the EU NIS Directive?
    15 Jan 2016 10
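The mediation-and-filtering function on slide 5 (note 3, CA §104(d)(2)) and the open question on slide 10 about the algorithm for the "personal information of a specific individual" filter can be made concrete with a small model. The Python below is an added example, not code from the deck, from Yaana Technologies, or from the OASIS CTI TC. It encodes the three NCCIC interfaces of slide 5 and the lettered indicator categories of slide 6, then applies a personal-information filter to a record before it crosses an interface. The field vocabulary (`c2_domain`, `victim_name`, `ticket_note`, ...), the allow and deny key sets, the PII patterns and the sample indicator are all constructed assumptions for illustration; the Act prescribes no field names.

```python
"""Toy model of the NCCIC sharing path with a CA §104(d)(2)-style personal
information filter applied before an indicator crosses an interface.
Field vocabulary, key sets, patterns and the sample record are constructed."""
import json
import re
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple

# The three NCCIC interfaces identified on slide 5.
INTERFACES = ("FE-NCCIC", "NFE-NCCIC", "IP-NCCIC")

# The lettered categories of "cyber threat indicator" listed on slide 6.
INDICATOR_CATEGORIES = {
    "A": "malicious reconnaissance",
    "B": "method of defeating a security control or exploiting a vulnerability",
    "C": "security vulnerability",
    "D": "method of causing a legitimate user to unwittingly enable a defeat or exploitation",
    "E": "malicious cyber command and control",
    "F": "actual or potential harm caused by an incident",
    "G": "other attribute of a cybersecurity threat",
    "H": "any combination of the above",
}

# Constructed vocabulary (an assumption, not the Act's): keys whose values are
# part of the threat itself and stay even when they look like personal data.
THREAT_RELATED_KEYS = {"c2_domain", "c2_ip", "malicious_sender", "malware_sha256"}
# Keys that by their nature describe a specific individual rather than the threat.
PERSONAL_KEYS = {"victim_name", "reporter_email", "employee_id"}
# Value patterns that identify a specific individual (constructed; extend as needed).
PII_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),  # e-mail address
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),         # US SSN-shaped value
]
REDACTED = "[REDACTED]"


@dataclass
class CyberThreatIndicator:
    category: str                                   # one letter from INDICATOR_CATEGORIES
    description: str
    observables: Dict[str, str] = field(default_factory=dict)


def personal_information_filter(cti: CyberThreatIndicator) -> Tuple[CyberThreatIndicator, List[str]]:
    """Drop or redact information about a specific individual that is not directly
    related to the threat.  Returns the filtered copy plus an audit list of the
    fields touched, so the submitting entity can show what was withheld and why."""
    kept: Dict[str, str] = {}
    touched: List[str] = []
    for key, value in cti.observables.items():
        if key in PERSONAL_KEYS:
            touched.append(f"removed:{key}")
            continue
        if key not in THREAT_RELATED_KEYS and any(p.search(value) for p in PII_PATTERNS):
            kept[key] = REDACTED
            touched.append(f"redacted:{key}")
            continue
        kept[key] = value
    # Free text leaks identifiers too, so scrub the description with the same patterns.
    description = cti.description
    for pattern in PII_PATTERNS:
        description, hits = pattern.subn(REDACTED, description)
        if hits:
            touched.append("redacted:description")
    return replace(cti, description=description, observables=kept), touched


def share(cti: CyberThreatIndicator, interface: str) -> Dict[str, object]:
    """Mediation step in front of an NCCIC interface: validate the expression,
    apply the filter, and return the record that would actually cross the interface."""
    if interface not in INTERFACES:
        raise ValueError(f"unknown interface {interface!r}")
    if cti.category not in INDICATOR_CATEGORIES:
        raise ValueError(f"unknown indicator category {cti.category!r}")
    filtered, touched = personal_information_filter(cti)
    return {
        "interface": interface,
        "category": cti.category,
        "category_text": INDICATOR_CATEGORIES[cti.category],
        "description": filtered.description,
        "observables": filtered.observables,
        "filter_audit": touched,
    }


# Constructed sample: a private entity reports a C2 beacon that followed a phish.
SAMPLE = CyberThreatIndicator(
    category="E",
    description="Beacon to C2 after phish opened by jane.doe@example-corp.test",
    observables={
        "c2_domain": "c2.example-bad.test",
        "malicious_sender": "billing@example-bad.test",  # part of the threat: kept
        "victim_name": "Jane Doe",                        # about an individual: removed
        "reporter_email": "soc@example-corp.test",        # about an individual: removed
        "ticket_note": "contact jane.doe@example-corp.test for follow-up",  # redacted
    },
)

if __name__ == "__main__":
    print(json.dumps(share(SAMPLE, "NFE-NCCIC"), indent=2))
```

The design choice worth noting is the allowlist of threat-related keys: an address controlled by the adversary (the phishing sender) is part of the indicator and survives the filter, while incidental identifiers of the victim and the reporter are dropped or redacted whether they arrive in a structured field or in free text. The audit list records each decision, which is the kind of documentation a sharing entity would want to keep when it has to show that the filter was applied before the record went to the NCCIC.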