http://www.us-cert.gov/ccubedvp

 

As part of Executive Order (EO) 13636, the Department of Homeland Security (DHS) is developing the Critical Infrastructure Cyber Community or C³ (pronounced “C Cubed”) Voluntary Program to help enhance critical infrastructure cybersecurity and to encourage the adoption of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (the Framework), due to be released in February 2014. The C³ Voluntary Program was created to help improve the resiliency of critical infrastructure’s cybersecurity systems by supporting and promoting the use of the Framework. To contact us, please email ccubedvp@hq.dhs.gov.

The C³ Voluntary Program Outreach and Messaging Kit includes informational materials provided in PDF format for easy printing and/or electronic distribution to help educate stakeholders about the C³ Voluntary Program.

Access the C³ Voluntary Program Outreach and Messaging Kit.

About the C³ Voluntary Program

The United States depends on critical infrastructure every day to provide energy, water, transportation, financial systems, and other capabilities that support our needs and way of life. Over the years, improvements in technology have allowed these capabilities to evolve, with most critical infrastructure now dependent on cyber systems to run more efficiently and effectively.

With this increased reliance on cyber-dependent systems, however, come increased threats and vulnerabilities. Protecting the cybersecurity of our critical infrastructure is a top priority for the Nation, and in February 2013 the President signed EO 13636: Improving Critical Infrastructure Cybersecurity. One of the major components of EO 13636 is the development of the Framework by NIST to help critical infrastructure sectors and organizations reduce and manage their cyber risk.

The C³ Voluntary Program helps sectors and organizations that want to use the Framework by connecting them to existing cyber risk management capabilities provided by DHS, other U.S. Government organizations, and the private sector. At the time of launch, available resources will primarily consist of DHS programs, which will grow to include cross-sector, industry, and state and local resources.

The C³ Voluntary Program’s launch in February 2014 coincides with the release of the final Framework. The C³ Voluntary Program’s focus during the first year will be engagement with Sector-Specific Agencies (SSAs) and organizations using the Framework to develop guidance on how to implement the Framework. Later phases of the C³ Voluntary Program will broaden the program’s reach to all critical infrastructure and businesses of all sizes that are interested in using the Framework.

C³ Voluntary Program Activities

The C³ Voluntary Program focuses on three major activities:

Supporting Use

The C³ Voluntary Program will assist stakeholders with understanding use of the Framework and other cyber risk management efforts, and support development of general and sector-specific guidance for Framework implementation. The C³ Voluntary Program will also work with the 16 critical infrastructure sectors to develop sector-specific guidance, as needed, for using the Framework.

Outreach and Communications

The C³ Voluntary Program will serve as a point of contact and customer relationship manager to assist organizations with Framework use, and guide interested organizations and sectors to DHS and other public and private sector resources to support use of the Cybersecurity Framework.

Feedback

The C³ Voluntary Program encourages feedback from stakeholder organizations about their experience using C³ Voluntary Program resources to implement the Framework. The C³ Voluntary Program works with organizations to understand how they are using the Framework, and to receive feedback on how the Framework and the C³ Voluntary Program can be improved to better serve organizations. Feedback about the Framework will also be shared with NIST, to help guide the development of the next version of the Framework and similar efforts.

Use: Assist stakeholders with understanding use of the Cybersecurity Framework (the Framework) and other risk management efforts, and support development of general and sector-specific use guidance.

Outreach and Communications: Serve as a point of contact and customer relationship manager to assist organizations with Framework use, and guide interested organizations and sectors to DHS and other public and private sector resources to support use of the Framework.

Feedback: Work with organizations using the Framework to understand how they are using the Framework, and receive feedback on how the Framework and C³ Voluntary Program resources can be improved to better serve organizations.

If you are interested in providing feedback, please email us at ccubedvp@hq.dhs.gov.

 

Getting Started

The C³ Voluntary Program has identified existing DHS resources and programs that can assist enterprises in their use of the Cybersecurity Framework and overarching cyber risk management efforts.

Cybersecurity Framework Function Areas

This section features existing DHS resources, identified as applicable for various stakeholder groups.

The C³ Voluntary Program has aligned existing resources to the Cybersecurity Framework’s five function areas:

Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.