The information, resources, and tools on this website are disseminated under the sponsorship of the U.S. Department of Transportation’s ITS Joint Program Office in the interest of information exchange and in a manner that promotes public understanding. The U.S. Government assumes no liability for the use of the information contained on this website and information does not constitute a standard, specification, regulation, policy nor does it represent an endorsement of any specific vendor, vendor product or service, or any specific process.
National Institute of Standards and Technology (NIST) Framework
NIST’s cybersecurity programs seek to enable greater development and application of practical, innovative security technologies and methodologies that enhance the country’s ability to address current and future computer and information security challenges. Several standards, frameworks, and guidance documents that NIST developed can be used to support and shape ITS cybersecurity programs:
NIST Cybersecurity Framework (CSF) – The framework is voluntary guidance based on existing standards, guidelines, and practices for organizations to manage and reduce cybersecurity risk. The framework provides a common language for understanding, managing, and expressing cybersecurity risk to internal and external stakeholders. It can help identify and prioritize actions to reduce cybersecurity risk, and provides a tool for aligning policy, business, and technological approaches to managing that risk. The framework core provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.
The figure below shows the core functions that organize basic cybersecurity activities at their highest level—identify, protect, detect, respond, and recover. Listed below each function are categories and subcategories that are closely tied to programmatic needs and activities.
Figure 1. Core functions that organize basic cybersecurity activities. Source: NIST
NIST Privacy Framework – The NIST Privacy Framework is a tool for improving privacy through enterprise risk management. It is a voluntary tool to help organizations identify and manage privacy risk so that they can build innovative products and services while protecting individuals’ privacy. The framework enables organizations to communicate and prioritize their privacy protection activities and outcomes to address diverse privacy needs, develop more effective solutions that can lead to better outcomes for individuals and organizations, and stay current with technology trends such as artificial intelligence and the internet of things (IoT). The Privacy Framework is designed to be compatible with existing domestic and international legal and regulatory regimes and to be usable by any type of organization to enable widespread adoption.
Figure 2. NIST Risk Management Framework
Risk Management Framework (RMF) (SP 800-37) – Managing organizational risk is vital to effective information security and privacy programs. The RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and in any type of organization regardless of size or sector. Selecting and specifying security controls for a system is accomplished as part of an organization-wide information security program that involves managing organizational risk—that is, the risk to the organization or to individuals who operate an information system. NIST recently updated the RMF to connect it with the CSF and to highlight relationships between the two frameworks.
ISO/IEC 27000 Family of Information Security Standards
The ISO/IEC 27001 family of standards, also known as the ISO 27000 series, is a series of best practices to help organizations improve their information security. It is a framework closely aligned with the NIST Cybersecurity Framework, but with a compliance component. The series is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and explains how to implement information security best practices by setting out requirements for an information security management system (ISMS). An ISMS is a systematic approach to risk management, containing measures that address the three pillars of information security: people, processes, and technology. The series consists of 46 individual standards, including ISO 27000, which introduces the family and clarifies key terms and definitions. (Source: https://www.itgovernanceusa.com/iso27000-family)
Center for Internet Security (CIS) Controls and Benchmarks
The Center for Internet Security (CIS) is a nonprofit organization created by businesses and government agencies dedicated to preventing and mitigating new cyber threats. CIS uses a closed crowdsourcing model to identify and refine effective security measures. Member individuals develop recommendations that are shared with the community for evaluation through a consensus decision-making process. At the national and international level, CIS plays an important role in forming security policies and decisions by maintaining the CIS Controls and CIS Benchmarks, and by hosting the Multi-State Information Sharing and Analysis Center (MS-ISAC).
CIS Controls – The CIS Security Controls are a set of recommended actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. Information technology (IT) security leaders can use the CIS Controls to quickly establish the protections that provide the highest payoff in their organizations. They guide the user through a series of 20 foundational and advanced cybersecurity actions to eliminate the most common attacks. The controls include:
Basic CIS Controls
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
6. Maintenance, Monitoring, and Analysis of Audit Logs
Foundational CIS Controls
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
Organizational CIS Controls
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
CIS Benchmarks – CIS Benchmarks are best practices for the secure configuration of a target system. Available for more than 140 technologies, they are developed through a unique consensus-based process composed of cybersecurity professionals and subject matter experts from around the world. CIS Benchmarks are the only consensus-based, best-practice security configuration guides developed and accepted by government, business, industry, and academia. The benchmark list covers various technological systems, including:
- Desktops and web browsers
- Mobile devices
- Network devices
- Security metrics
- Servers – operating systems
- Other servers
- Virtualization platforms and clouds
- Others, including Microsoft Office Suite
Figure 3. MS-ISAC Identified SLTT Government Breach Data Vector
Multi-State Information Sharing and Analysis Center (MS-ISAC)
The Multi-State Information Sharing and Analysis Center (MS-ISAC) was formed to improve the overall cybersecurity posture of the nation’s state, local, tribal, and territorial (SLTT) governments through focused cyber threat prevention, protection, response, and recovery. MS-ISAC is designated by the Department of Homeland Security (DHS) as a key cybersecurity resource for the nation’s SLTT governments. It provides a central resource for gathering information on cyber threats to critical infrastructure and for information sharing between the public and private sectors, so that they can identify, protect against, detect, respond to, and recover from attacks on public and private critical infrastructure. The MS-ISAC’s 24-hour watch and warning center provides real-time network monitoring, dissemination of early cyber threat warnings, and vulnerability identification and mitigation, along with education and outreach to reduce risk to our government’s cyber domain. Its membership spans all 50 states and the District of Columbia, as well as U.S. territorial, tribal, and local governments.
The MS-ISAC services include:
- 24/7 Security Operation Center (SOC)
- Incident response services
- Cybersecurity advisories and notifications
- Access to secure portals for communication and document sharing
- Cyber alert map
- Malicious Code Analysis Platform (MCAP)
- Weekly top malicious domains/IP report
- Monthly members-only webcasts
- Access to cybersecurity tabletop exercises
- Vulnerability Management Program (VMP)
- Nationwide Cyber Security Review (NCSR)
- Awareness and education materials
In addition to these general cybersecurity references and guides, the U.S. DOT’s ITS Cybersecurity Program supports the transportation workforce by conducting research that adopts or adapts implementation practices from other industries, or develops new approaches specific to transportation if needed. The tools and reference materials described in the Informative References Tailored for the ITS Environment are the result of research projects sponsored by the ITS JPO and its modal partners.