In order to fully understand the implications of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), it is necessary to examine the government directives that precipitated the CSF and how it relates to them.

Executive Order (EO) 16363 “Improving Critical Infrastructure Cyber Security” was implemented in concert with Presidential Policy Directive (PPD)-21 “Critical Infrastructure Security and Resilience” in February 2014 to do the following:

EO 16363: Improving Critical Infrastructure Cyber Security directs the Executive Branch to:

  1. Develop a technology-neutral voluntary cybersecurity framework.
  2. Promote and incentivize the adoption of cybersecurity practices.
  3. Increase the volume, timeliness and quality of cyber threat information sharing.
  4. Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure.
  5. Explore the use of existing regulation to promote cybersecurity.

PPD-21: Critical Infrastructure Security and Resilience replaces Homeland Security PPD-7 and directs the Executive Branch to:

  1. Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time.
  2. Understand the cascading consequences of infrastructure failures.
  3. Evaluate and mature the public-private partnership.
  4. Update the National Infrastructure Protection Plan.
  5. Develop a comprehensive research and development plan.

These requirements are split across multiple government agencies including the Office of the Director of National Intelligence (ODNI), the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST).

So where does the DHS CRR fit in all of this acronym soup?

The DHS CRR was initially released in 2009 as a voluntary assessment to determine an organization’s ability to, among other things, detect, respond and recover from a cybersecurity event. The CRR is based on the Cyber Resilience Evaluation Method and the CERT® Resilience Management Model (CERT-RMM), both developed at Carnegie Mellon University’s Software Engineering Institute. Unfortunately, most private or commercial organizations did not take advantage of capability either through unawareness or limited consideration for cybersecurity concerns.

In February, 2013, EO 16363 and PPD-21 were released for governmental action.  One of the principal deliverables was a voluntary cybersecurity framework to be developed in concert with private industry.  Since the framework was to be voluntary, DHS was charged to develop incentive recommendations for organizations that adopted the CSF.

The NIST CSF and DHS incentive plan were formally released in February 2014.  It appears none of the DHS recommendations have been promulgated or adopted to date.  However, DHS updated the CRR and crosswalked it with the CSF to ensure alignment.  The crosswalk can be viewed at:

As part of EO 16363, the DHS launched the Critical Infrastructure Cyber Community or C³ Voluntary Program (C³ VP) to assist with enhancing critical infrastructure cybersecurity and to encourage the adoption of the NIST CSF. The C³ Voluntary Program was created to help improve the resiliency of critical infrastructure’s cybersecurity systems by supporting and promoting the use of the Framework.  The details of this program can be viewed at:

To distill this down to the basics, you may hear terms like cyber resilience, resilience management, cybersecurity framework, etc.  In many respects, the similarities between these models and frameworks are far greater than the differences.  Regardless, the NIST CSF is now the driver—and potential future standard—for developing or improving an organization’s cybersecurity program.

Clearwater Compliance has developed a methodology and Software-as-a-Service (SaaS) capability that aligns with the CRR and the CSF.  We are able to map all 5 functions, 22 categories and 98 subcategories from the framework core into our SaaS solution.  This serves as a repository from which to develop your current and target profiles.

The methodology and software will allow Clearwater to assist an organization in establishing their current profile through a comprehensive risk analysis and gap assessment, which is captured in the software.

A target profile will be discussed predicated on risk tolerance and business drivers and mapped to one of 4 implementation tiers.  The implementation tiers reflect a balance between cybersecurity and business requirements.  The organization will need to determine which of the tiers is best suited for their business needs/requirements based on risk and performance trade-offs.  Identifying the implementation tier will establish the roadmap to the target profile.  The gap assessment will ensure the steps necessary to achieve the target profile are clearly documented.  Wrapping it up would be a Clearwater implementation plan that would establish the actions necessary to achieve the target profile.  The framework core repository can be subsequently updated to indicate progress against actions.

An organization that follows this approach will be less susceptible to critical audit findings, showing due care and due diligence in their approach to cybersecurity, potentially improved cyber insurance rates, future DHS incentives, improved security measures

Rich Curtiss

Principal Consultant at Clearwater Compliance
Mr. Curtiss has over 35 years of diverse, executive IT experience across several verticals including Healthcare, Finance, Department of Defense, Intelligence Community and Consulting Services.Rich has served in executive information technology and cybersecurity positions as a CIO, CISO, Director and Program Manager. He's a member of the Clearwater consulting team.
Rich Curtiss