
CISA and Infrastructure Cybersecurity

What is Infrastructure Cybersecurity?

The Cybersecurity & Infrastructure Security Agency (CISA) defines National Critical Functions (NCFs) as, “…functions of the government and the private sector so vital to the United States their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”[1] CISA identifies 16 critical infrastructure sectors:

  • Chemical sector
  • Commercial Facilities sector
  • Communications sector
  • Critical manufacturing sector
  • Dams sector
  • Defense industrial base sector
  • Emergency services sector
  • Energy sector
  • Financial services sector
  • Food & agriculture sector
  • Government facilities sector
  • Healthcare and public health sector
  • Information technology sector
  • Nuclear reactors, material, and waste sector
  • Transportation systems sector
  • Water & Wastewater systems sector

CISA provides businesses, communities, and government partners with tools and resources related to critical infrastructure security. Chances are, your organization either operates in one of these critical infrastructure sectors, or relies on one or more of them to conduct its business. To help make critical infrastructure more resilient to cybersecurity threats, CISA promotes the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity”, which gives organizations a structure to:

  • Describe their current cybersecurity posture
  • Describe their target state for cybersecurity
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
  • Assess progress toward the target state
  • Communicate among internal and external stakeholders about cybersecurity risk[2]

The Cybersecurity Framework includes three main components:

Framework Core. The Framework Core is a set of desired cybersecurity activities and outcomes organized into Categories. It is designed to be intuitive and to act as a translation layer that enables communication between multi-disciplinary teams by using simple, non-technical language. The Framework Core consists of three parts: Functions, Categories, and Subcategories. It includes five high-level Functions: Identify, Protect, Detect, Respond, and Recover. Within the five Functions there are 23 underlying Categories (e.g. Business Environment) and associated Subcategories that provide outcome-focused statements (e.g. “the organization’s place in critical infrastructure and its industry sector is identified and communicated”).

Framework Implementation Tiers. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. The Implementation Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor: how well cybersecurity risk decisions are integrated into broader risk decisions, and the degree to which the organization shares and receives cybersecurity information with external parties.

Framework Profiles. A Profile is an organization’s unique alignment of its organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile with a “Target” Profile: the difference between the two is the gap an improvement plan should close.
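To make the Current-versus-Target comparison concrete, here is an added example (not from CISA, NIST, or the original post) that performs a simple Profile gap analysis. It assumes a scoring convention the Framework itself does not define: each outcome carries a maturity score from 0 (not implemented) to 4 for both the Current and Target Profile, plus a business-impact weight from 1 to 3 reflecting how important that outcome is to critical service delivery. The outcome labels and short keys are constructed for illustration and are not the Framework’s own Subcategory identifiers.

```python
"""Gap analysis between a Current Profile and a Target Profile.

Assumptions (constructed for this example, not defined by the NIST CSF):
  - every outcome has a maturity score 0..4 in each Profile
  - every outcome has a business-impact weight 1..3 used to rank gaps
  - priority = (target - current) * weight, higher means address first
"""
from dataclasses import dataclass

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Outcome:
    key: str          # constructed short key, not a real CSF identifier
    function: str     # one of FUNCTIONS
    category: str
    statement: str    # outcome-focused statement, paraphrased
    weight: int       # 1..3, importance to critical service delivery


@dataclass(frozen=True)
class Gap:
    outcome: Outcome
    current: int
    target: int
    priority: int


def validate_score(score):
    """Reject anything outside the constructed 0..4 maturity scale."""
    if not isinstance(score, int) or not 0 <= score <= 4:
        raise ValueError(f"maturity score must be an int in 0..4, got {score!r}")
    return score


def gap_analysis(outcomes, current, target):
    """Return the outcomes below their target, highest priority first.

    An outcome missing from a Profile is treated as score 0 (not implemented),
    so an unscored Target outcome never generates a gap by accident.
    """
    gaps = []
    for o in outcomes:
        if o.function not in FUNCTIONS:
            raise ValueError(f"unknown Function {o.function!r} for {o.key}")
        cur = validate_score(current.get(o.key, 0))
        tgt = validate_score(target.get(o.key, 0))
        if cur < tgt:
            gaps.append(Gap(o, cur, tgt, (tgt - cur) * o.weight))
    # ties broken by Function and key so the ordering is deterministic
    return sorted(gaps, key=lambda g: (-g.priority, g.outcome.function, g.outcome.key))


def summarize_by_function(gaps):
    """Total gap priority per Function; useful for a one-slide roll-up."""
    totals = {f: 0 for f in FUNCTIONS}
    for g in gaps:
        totals[g.outcome.function] += g.priority
    return totals


# --- constructed sample Profiles -------------------------------------------
SAMPLE_OUTCOMES = [
    Outcome("ID-BE-a", "Identify", "Business Environment",
            "Place in critical infrastructure and sector is identified and communicated", 2),
    Outcome("ID-AM-a", "Identify", "Asset Management",
            "Physical devices and systems are inventoried", 3),
    Outcome("PR-AC-a", "Protect", "Access Control", "Remote access is managed", 3),
    Outcome("DE-CM-a", "Detect", "Continuous Monitoring",
            "The network is monitored for potential cybersecurity events", 3),
    Outcome("RS-CO-a", "Respond", "Communications",
            "Personnel know their roles when a response is needed", 2),
    Outcome("RC-RP-a", "Recover", "Recovery Planning",
            "The recovery plan is executed during or after an incident", 3),
]
CURRENT_PROFILE = {"ID-BE-a": 3, "ID-AM-a": 1, "PR-AC-a": 2,
                   "DE-CM-a": 0, "RS-CO-a": 2, "RC-RP-a": 1}
TARGET_PROFILE = {"ID-BE-a": 3, "ID-AM-a": 4, "PR-AC-a": 4,
                  "DE-CM-a": 3, "RS-CO-a": 3, "RC-RP-a": 4}


def run_sample():
    """Gap list for the constructed Profiles above."""
    return gap_analysis(SAMPLE_OUTCOMES, CURRENT_PROFILE, TARGET_PROFILE)


if __name__ == "__main__":
    gaps = run_sample()
    for g in gaps:
        print(f"{g.priority:>2}  {g.outcome.function:<8} {g.outcome.key}  "
              f"{g.current}->{g.target}  {g.outcome.statement}")
    print(summarize_by_function(gaps))
```

Running the sample ranks the unmonitored network, the incomplete asset inventory, and the untested recovery plan ahead of the remote-access and response-communications gaps, and the outcome that already meets its target does not appear at all. The weight is where the page’s point about prioritizing by importance to critical service delivery enters: two outcomes with the same score difference can still land in different places on the list.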

The Cybersecurity Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure: organizations face different threats and vulnerabilities, have different levels of risk tolerance, and will therefore tailor the Framework differently. The Framework is aimed at reducing and better managing cybersecurity risk, and organizations can determine which activities are most important to critical service delivery and prioritize their cybersecurity investments accordingly.

[1] CISA, 2021, “National Critical Functions”

[2] NIST, 2018, “Framework for Improving Critical Infrastructure Cybersecurity”