General Cybersecurity References and Guides

The information, resources, and tools on this website are disseminated under the sponsorship of the U.S. Department of Transportation’s ITS Joint Program Office in the interest of information exchange and in a manner that promotes public understanding. The U.S. Government assumes no liability for the use of the information contained on this website and information does not constitute a standard, specification, regulation, policy nor does it represent an endorsement of any specific vendor, vendor product or service, or any specific process.

National Institute of Standards and Technology (NIST) Framework

NIST’s cybersecurity programs seek to enable greater development and application of practical, innovative security technologies and methodologies that enhance the country’s ability to address current and future computer and information security challenges. Several standards, frameworks, and guidance documents that NIST developed can be used to support and shape ITS cybersecurity programs:

NIST Cybersecurity Framework (CSF) – The framework is voluntary guidance based on existing standards, guidelines, and practices for organizations to manage and reduce cybersecurity risk. The framework provides a common language for understanding, managing, and expressing cybersecurity risk to internal and external stakeholders. It can help identify and prioritize actions to reduce cybersecurity risk, and provides a tool for aligning policy, business, and technological approaches to managing that risk. The framework core provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.

The figure below shows the core functions that organize basic cybersecurity activities at their highest level—identify, protect, detect, respond, and recover. Listed below each function are categories and subcategories that are closely tied to programmatic needs and activities.

  • Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy
  • Protect: Access Control, Awareness Training, Information Protection and Procedures, Maintenance, Protective Strategy
  • Detect: Anomalies and Events, Security Continuous Monitoring, Detection Process
  • Respond: Response Planning, Communications, Analysis, Mitigation, Improvements
  • Recover: Recovery Planning, Improvements, Communications

Figure 1. Core functions that organize basic cybersecurity activities. Source: NIST

NIST Privacy Framework – The NIST Privacy Framework is a tool for improving privacy through enterprise risk management. It is a voluntary tool to help organizations identify and manage privacy risk so that they can build innovative products and services while protecting individuals’ privacy. The framework enables organizations to communicate and prioritize their privacy protection activities and outcomes to address diverse privacy needs, develop more effective solutions that can lead to better outcomes for individuals and organizations, and stay current with technology trends such as artificial intelligence and the internet of things (IoT). The Privacy Framework is designed to be compatible with existing domestic and international legal and regulatory regimes and to be usable by any type of organization to enable widespread adoption.

The NIST Risk Management Framework includes the following actions: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor

Figure 2. NIST Risk Management Framework

Risk Management Framework (RMF) (SP 800-37) – Managing organizational risk is vital to effective information security and privacy programs. The RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and in any type of organization regardless of size or sector. Selecting and specifying security controls for a system is accomplished as part of an organization-wide information security program that involves managing organizational risk—that is, the risk to the organization or to individuals who operate an information system. NIST recently updated the RMF to connect it with the CSF and to highlight relationships between the two frameworks.

ISO/IEC 27000 Family of Information Security Standards

The ISO/IEC 27000 family of standards, also known as the ISO 27000 series, is a series of best practices to help organizations improve their information security. It is a framework that is closely aligned with the NIST Cybersecurity Framework but with a compliance component. The series is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and explains how to implement information security best practices. It does this by setting out requirements for an information security management system (ISMS). An ISMS is a systematic approach to risk management, containing measures that address the three pillars of information security: people, processes, and technology. The series consists of 46 individual standards, including ISO 27000, which provides an introduction to the family as well as clarifying key terms and definitions.

Center for Internet Security (CIS) Controls and Benchmarks

The Center for Internet Security (CIS) is a nonprofit organization created by businesses and government agencies dedicated to preventing and mitigating new cyber threats. CIS uses a closed crowdsourcing model to identify and refine effective security measures. Member individuals develop recommendations that are shared with the community for evaluation through a consensus decision-making process. At the national and international level, CIS plays an important role in forming security policies and decisions by maintaining the CIS Controls and CIS Benchmarks, and by hosting the Multi-State Information Sharing and Analysis Center (MS-ISAC).

CIS Controls – The CIS Controls are a set of recommended actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. Information technology (IT) security leaders can use the CIS Controls to quickly establish the protections that provide the highest payoff in their organizations. The controls guide the user through a series of 20 basic, foundational, and organizational cybersecurity actions to eliminate the most common attacks. The controls are:

Basic CIS Controls

1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
6. Maintenance, Monitoring, and Analysis of Audit Logs

Foundational CIS Controls

7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control

Organizational CIS Controls

17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

CIS Benchmarks – CIS Benchmarks are best practices for the secure configuration of a target system. Available for more than 140 technologies, CIS Benchmarks are developed through a unique consensus-based process by cybersecurity professionals and subject matter experts around the world. CIS Benchmarks are the only consensus-based, best-practice security configuration guides developed and accepted by government, business, industry, and academia. The benchmark list covers various technological systems, including:

  • Desktops and web browsers
  • Mobile devices
  • Network devices
  • Security metrics
  • Servers – operating systems
  • Other servers
  • Virtualization platforms and clouds
  • Others, including Microsoft Office Suite

Figure 3 is a stacked bar graph titled "Hot Topic" and subtitled "MS-ISAC Identified SLTT Government Breach Data Vector Yearly Breakdown (TLP: WHITE)". The x-axis is years ranging from 2012 to 2019; the y-axis is a percentage ranging from 0% to 100%. The graph breaks down breaches by the following vectors: Unknown Vector, SQLi, Misconfigured Servers, Third Party Breach, Phishing, Malware, Stolen Credentials, and Keylogging. It shows Stolen Credentials, Phishing, and Third Party Breaches growing as larger threats in more recent years.

Figure 3. MS-ISAC Identified SLTT Government Breach Data Vector

Multi-State Information Sharing and Analysis Center (MS-ISAC)

The Multi-State Information Sharing and Analysis Center (MS-ISAC) was formed to improve the overall cybersecurity posture of the nation’s state, local, tribal, and territorial (SLTT) governments through focused cyber threat prevention, protection, response, and recovery. MS-ISAC is designated by the Department of Homeland Security (DHS) as a key cybersecurity resource for the nation’s SLTT governments. It provides a central resource for gathering information on cyber threats to critical infrastructure and for information sharing between the public and private sectors, in order to identify, protect against, detect, respond to, and recover from attacks on public and private critical infrastructure. The MS-ISAC’s 24-hour watch and warning center provides real-time network monitoring, dissemination of early cyber threat warnings, and vulnerability identification and mitigation, along with education and outreach to reduce risk to our government’s cyber domain. Its membership spans all 50 states and the District of Columbia, as well as U.S. territorial, tribal, and local governments.

The MS-ISAC services include:

  • 24/7 Security Operation Center (SOC)
  • Incident response services
  • Cybersecurity advisories and notifications
  • Access to secure portals for communication and document sharing
  • Cyber alert map
  • Malicious Code Analysis Platform (MCAP)
  • Weekly top malicious domains/IP report
  • Monthly members-only webcasts
  • Access to cybersecurity tabletop exercises
  • Vulnerability Management Program (VMP)
  • Nationwide Cyber Security Review (NCSR)
  • Awareness and education materials

In addition to these general cybersecurity references and guides, the U.S. DOT’s ITS Cybersecurity Program supports the transportation workforce by conducting research that adopts or adapts implementation practices from other industries, or develops new approaches specific to transportation if needed. The tools and reference materials described in the Informative References Tailored for the ITS Environment are the result of research projects sponsored by the ITS JPO and its modal partners.