The purpose of this instruction is to facilitate the implementation of a security program for a business, municipality, or organization, henceforth referred to as the “agency.” The program is based on the NIST Cybersecurity Framework, which in turn draws on many different NIST publications.
- Executive Order 13636 identifies critical sectors that need to be secured and protected. Each sector likely has its own business/mission objectives, and these need to be identified so that they are properly addressed.
- This instruction covers the first step identified by the NIST Cybersecurity Framework, specifically Prioritize and Scope.
- This instruction looks at the agency’s most important assets and systems. These need to be identified so that the agency not only knows what it is protecting but also starts with the most important assets first. The process should then continue to lower-priority missions/assets as higher-priority ones are completed, until all missions/assets are covered under the security program.
IMPORTANT: These determinations for critical missions and systems are to be considered for the AGENCY, not individual departments.
Determining the priorities can be a simple matter of knowing what systems and assets are required to accomplish the mission, or it can be as complicated as having to decide first which functions are critical to the mission, then determining which systems are non-essential, and treating the rest as the agency’s critical systems. If this has already been identified, please move on to Defining Scope. Often the agency’s mission assets and systems will connect to or depend on each other, just as its missions likely interconnect. In fact, it is likely that most of the agency’s systems will interconnect through its primary network.
After determining what critical areas are required to complete the mission, the agency also has to determine what assets and systems support that critical mission. For example, in the IT sector, the mission might be to provide a secure connection from a financial or payroll database to the financial department. In this case, all hardware, infrastructure, and services that support that database and its functioning for those individuals would be considered critical to the mission. A user’s email or access to an unrelated file server would not be considered critical and thus would fall lower in the priorities. Note: most IT sectors support more than one system and/or user.
Now that the agency has identified its critical missions and critical systems, the priorities should be fairly obvious: the agency will want to rank the most critical systems highest. The priorities identified at this step go hand-in-hand with the NIST framework, specifically most of the Business Environment category in the Identify function. The priorities will be used in areas such as restoral plans, contingency plans, etc.
Now that the agency knows its priorities, it needs to determine the scope of the assets and systems that support those priorities. This was touched on a little earlier; now, though, everything needs to be taken into account: keyboard to database, server to server, from the power to the network cables. NOTE: The intent here is NOT to take an exact inventory of those assets. The purpose is to identify the assets and individuals. The complete list of items comes later (Step 2: Orient).
EXAMPLE: if the agency needs a back-end server running financial information, then those systems, servers, and even the line routes between the two need to be identified. This scope will be used in the same places as the priorities to help build the different plans.
Multiple Priorities and Larger Scope
Priorities and scope are defined for all critical assets and systems that are required to complete all of the agency’s missions. This means that the agency may have to repeat this process several times to identify every critical system and asset for each of its missions.
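As an added illustration of the priority and scope process described above (example code, not part of this instruction), the following Python script takes a constructed set of missions with their priorities and a constructed asset dependency map, then walks each mission's supporting assets down to power and network uplink. A shared asset such as a core switch or UPS inherits the priority of the most critical mission it supports, and an asset that supports no mission stays out of scope; all mission and asset names are made up for the example.

```python
from collections import deque

# Constructed sample data for this added example (not from the instruction).
# Priority 1 = most critical; "requires" is what a mission uses directly.
MISSIONS = {
    "payroll_db_access": {"priority": 1, "requires": ["payroll_db", "finance_workstation"]},
    "public_website":    {"priority": 2, "requires": ["web_server"]},
    "staff_email":       {"priority": 3, "requires": ["mail_server"]},
}

ASSET_DEPENDENCIES = {  # asset -> what it depends on, down to power and uplink
    "payroll_db":          ["db_server"],
    "db_server":           ["core_switch", "ups"],
    "finance_workstation": ["core_switch"],
    "web_server":          ["core_switch", "ups"],
    "mail_server":         ["core_switch"],
    "core_switch":         ["ups", "isp_link"],
    "lobby_kiosk":         ["core_switch"],  # supports no mission: out of scope
    "ups":                 [],
    "isp_link":            [],
}

def scope_assets(missions, dependencies):
    """Return {asset: {"priority": int, "missions": set}} for every asset that
    directly or transitively supports a mission. An asset shared by several
    missions inherits the highest (numerically lowest) priority among them."""
    scope = {}
    for name, mission in missions.items():
        queue, seen = deque(mission["requires"]), set()
        while queue:
            asset = queue.popleft()
            if asset in seen:  # systems interconnect; do not walk a loop forever
                continue
            seen.add(asset)
            entry = scope.setdefault(asset, {"priority": mission["priority"], "missions": set()})
            entry["priority"] = min(entry["priority"], mission["priority"])
            entry["missions"].add(name)
            queue.extend(dependencies.get(asset, []))  # unlisted asset = leaf
    return scope

def prioritized_scope(missions, dependencies):
    """Scope as an ordered work list: most critical assets first, then by name."""
    scope = scope_assets(missions, dependencies)
    return sorted(scope.items(), key=lambda kv: (kv[1]["priority"], kv[0]))

if __name__ == "__main__":
    for asset, info in prioritized_scope(MISSIONS, ASSET_DEPENDENCIES):
        print(f"P{info['priority']} {asset:20} supports {sorted(info['missions'])}")
```

The ordered list is the work list the instruction describes: finish the priority-1 assets first, then move down to the lower-priority missions until every mission's assets are covered.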
The steps in this document fall under several of the core functions of the NIST Cybersecurity Framework. This means that if the agency has already completed steps of the framework, that work may alleviate some of the tasks throughout this process. See the chart below for the steps and the correlating documentation to refer to.
Identify: Business Environment (ID.BE):

| Subcategory | Topic | Informative References | Related Documentation |
|---|---|---|---|
| ID.BE-2 | Critical Infrastructure | NIST SP 800-53 Rev. 4 (pg. 395); HSPD 7; National Infrastructure Protection Plan | Critical Infrastructure Plan |
| ID.BE-3 | Priorities (Mission, etc.) | NIST SP 800-53 Rev. 4 (pg. 396); FIPS Pub 199; NIST SP 800-60 | Mission Business Process Definition |
| ID.BE-4 | Dependencies and Critical Functions | NIST SP 800-53 Rev. 4 (pg. 241, 289, 290, 395, 330); NIST SP 800-34; National Communications Systems Directive 3-10; HSPD 7; National Infrastructure Protection Plan | Telecommunication Services, Power Cabling & Equipment, Emergency Power, Critical Analysis |
| ID.BE-5 | Resilience Requirements | NIST SP 800-53 Rev. 4 (pg. 234, 244, 330); Federal Continuity Directive 1; NIST SP 800-34 | Contingency Plan, Alternate Communications Protocols |