The National Institute of Standards and Technology (NIST) has just released its Framework for Improving Critical Infrastructure Cybersecurity, designed to provide a structure that U.S. organizations, regulators and developers can use to build comprehensive cybersecurity programs.
It was created at the direction of President Obama, who 12 months ago issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity, calling for the creation of a voluntary, risk-based Cybersecurity Framework. Rather than implementing anything new, the framework is a codification of existing standards, guidelines and practices, gathered through public-private collaboration.
“The framework provides a consensus description of what's needed for a comprehensive cybersecurity program,” said NIST Director Patrick D. Gallagher. “It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business.”
He said it was designed so that organizations can use the framework to determine their current level of cybersecurity, set cybersecurity goals that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity. It also offers a methodology for protecting privacy and civil liberties, to help organizations incorporate those protections into a comprehensive cybersecurity program.
It is expected to be a first step in a continuous process to improve the nation's cybersecurity, said Gallagher. The framework document is labeled “Version 1.0,” which he described as a “living” document that will need to be updated to keep pace with changes in technology, threats and other factors. It incorporates three main components: the framework core, tiers and profiles.
The core presents five functions—identify, protect, detect, respond and recover—that taken together, said Gallagher, allow any organization to understand and shape its cybersecurity program. The tiers describe the degree to which an organization's cybersecurity risk management meets goals set out in the framework and “range from informal, reactive responses to agile and risk-informed.” The profiles help organizations progress from a current level of cybersecurity sophistication to a target improved state that meets business needs.
NIST has also released a “Roadmap” document that lays out a path toward future framework versions and ways to identify and address key areas for cybersecurity development, alignment and collaboration. NIST will continue to serve as a convener and coordinator for everyone involved in the effort, including leading discussions of models for future governance of the framework, such as a potential transfer to a non-government organization.
More information about the Cybersecurity Framework development process and all related documents can be found on the framework website.