Kiersten E. Todt President and Managing Partner Liberty Group Ventures, LLC (LGV) Kiersten Todt is the President and Managing Partner of Liberty Group Ventures, LLC (LGV). She develops risk and crisis management solutions for infrastructure, emergency management, cybersecurity, higher education, and homeland security clients in the public, private, and non-profit sectors. She has served in senior positions in both the executive and legislative branches of government. Ms. Todt has commented on homeland security and sport security issues in multiple media outlets, including MSNBC, NPR, Bloomberg, and The Wall Street Journal. Her work on sport security has been published in two editions of The International Centre for Sport Security Journal. Prior to LGV, Ms. Todt was a partner at Good Harbor Consulting and was responsible for the company's North America crisis management practice, which had a concentration in cyber security. Clients included states and quasi-public institutions, maritime entities, small and large businesses, and college and university systems. Before joining Good Harbor, she worked for Business Executives for National Security (BENS) and was responsible for integrating the private sector into state and local emergency management capabilities; she also developed and executed federal and regional port and cyber security projects. Prior to BENS, she was a consultant for Sandia National Laboratories and worked with the California Governor's Office and Bay Area Economic Forum to develop the homeland security preparedness plan for the Bay Area. Ms. Todt was also an adjunct lecturer at Stanford University. Ms. Todt served as a Professional Staff Member on the U.S. Senate Committee on Governmental Affairs (now the Committee on Homeland Security and Governmental Affairs); she worked for the Committee Chairman, Senator Joseph Lieberman, and was responsible for drafting the bioterror, infrastructure protection, emergency preparedness, and science and technology directorates of the legislation that created the Department of Homeland Security. She also served as Senator Lieberman's Appropriations Director and managed his drug policy portfolio. Before working in the Senate, Ms. Todt served in Vice President Gore's domestic policy office and was responsible for coordinating federal resources with locally-defined needs, specifically focusing on energy challenges in California and housing issues. She was also the senior advisor on demand-reduction issues to Director Barry. R. McCaffrey at the Office of National Drug Control Policy (ONDCP). Ms. Todt graduated from Princeton University, with a degree in public policy from The Woodrow Wilson School of Public and International Affairs. She holds a master's degree in Public Policy from the John F. Kennedy School of Government at Harvard University and was selected to be a Presidential Management Fellow in 1999. She earned the Outstanding Service Award at ONDCP.

1. © 2012 Liberty Group Ventures. All rights reserved
NIST FRAMEWORK OVERVIEW
Presented by
Kiersten Todt
Roger Cressey
Liberty Group Ventures, LLC
1
Liberty Group Ventures, LLC Proprietary
and Business Confidential

2. © 2012 Liberty Group Ventures. All rights reserved
2
Framework Background
 Executive Order 13636
 Failure by Congress to pass cyber legislation
 Unprecedented cyber threat environment
 Role of NIST
 Develop voluntary framework
 Industry-led
 Process
 Ten months, five workshops, transparent process
 12,000 public comments adjudicated
 Collaboration between NIST, White House (NSC),
DHS, and private sector

3. © 2012 Liberty Group Ventures. All rights reserved
3
Framework Basics
 Core: Set of cybersecurity activities and informative
references common across CI
 Functions: Overview of organization’s management of
cyber risks
 Identify, Protect, Detect, Respond, Recover (IPDRR)
Tiers: Mechanism to view approach and processes for
managing cyber risk
1. Partial
2. Risk Informed
3. Repeatable
4. Adaptive
 Tier 4 is not the goal for every organization

4. © 2012 Liberty Group Ventures. All rights reserved
4
Framework Basics (continued)
 Profiles
 Alignment of IPDRR with business requirements, risk
tolerance, and resources of organization
 Current Profile
 Target Profile
 Profiles create gap analysis
Creating a profile helps a company understand its
dependencies with business partners, vendors, and
suppliers.

5. © 2012 Liberty Group Ventures. All rights reserved
5
What the Framework is Really About
 Creating a common language for cyber risk management
 Objective: Facilitate behavioral change in organizations
 Treat cyber risk as a mission equal in priority to other corporate risk
 Intended for critical infrastructure owners and operators…
but can be used by many others
 Applies market-driven approach to cyber risk management
 Product of industry, not government
 Not one size fits all…user experience will vary

6. © 2012 Liberty Group Ventures. All rights reserved
6
Implications of Framework
 Industry: Each Sector Will Define Adoption
 Identify metrics for success
 Facilitate information sharing within industry
 Defining cost-effectiveness
 Role for insurance….finally?
 Business
 Small (prioritize, develop risk management process)
 Medium (grow risk management process)
 Large (share best practices and lessons learned)

7. © 2012 Liberty Group Ventures. All rights reserved
7
Framework: The Way Ahead
 NIST’s Initial Areas for Further Work
 Authentication
 Automated Indicator Sharing
 Conformity Assessment
 Cybersecurity Workforce
 Data Analytics
 Federal Agency Cybersecurity Alignment
 Supply Chain Risk Management
 International Aspects, Impacts, and Alignment
 Technical Privacy Standards

8. © 2012 Liberty Group Ventures. All rights reserved
8
Framework: The Way Ahead
(continued)
 Government
 DHS role evolving
 Launch of Critical Infrastructure Cyber Community Voluntary
Program
 Providing managed security services to states, localities who
adopt framework - a good first step
 Work with Sector Specific Agencies in first year, expand to all CI
business in future
 Seeking input from small business on framework adoption
 More work on incentives is required
 International adoption…and overcoming Snowden
challenge
 Need for role of US business with global presence to engage
and facilitate

9. © 2012 Liberty Group Ventures. All rights reserved
9
Framework: The Way Ahead
(continued)
 Industry
 Participate in additional workshops on implementation
and areas for improvement
 Adopt Framework by mapping it to existing risk management
process and addressing gaps that are identified through profile
development
 Conduct training to “normalize” cyber risk behavior, including
simulations and exercises with corporate leadership
 Feedback to government: Lessons learned/what works/what
doesn’t/what’s missing
 Industry input will shape development of Framework 2.0
 Non-lifeline sector adoption
 Retail, Manufacturing, etc.

10. © 2012 Liberty Group Ventures. All rights reserved
9
Framework: The Way Ahead
(continued)
 Industry
 Participate in additional workshops on implementation
and areas for improvement
 Adopt Framework by mapping it to existing risk management
process and addressing gaps that are identified through profile
development
 Conduct training to “normalize” cyber risk behavior, including
simulations and exercises with corporate leadership
 Feedback to government: Lessons learned/what works/what
doesn’t/what’s missing
 Industry input will shape development of Framework 2.0
 Non-lifeline sector adoption
 Retail, Manufacturing, etc.