A “Framework for Improving Critical Infrastructure Cybersecurity” has been released.
The framework provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cyber security programs, said National Institute of Standards and Technology (NIST) officials. NIST was the agency charged with putting the framework together.
In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The order calls for the development of a voluntary, risk-based Cybersecurity Framework — a set of existing standards, guidelines and practices to help organizations manage cyber risks. The resulting framework, created through public-private collaboration, provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.
“The framework provides a consensus description of what’s needed for a comprehensive cyber security program,” said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher. “It reflects the efforts of a broad range of industries that see the value of and need for improving cyber security and lowering risk. It will help companies prove to themselves and their stakeholders that good cyber security is good business.”
The framework allows organizations — regardless of size, degree of cyber risk or cyber security sophistication — to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.
Organizations can use the framework to determine their current level of cyber security, set goals for cyber security in sync with their business environment, and establish a plan for improving or maintaining their cyber security. It also offers a methodology to protect privacy and civil liberties to help organizations incorporate those protections into a comprehensive cyber security program.
While today’s framework is the culmination of a year-long effort that brought together thousands of individuals and organizations from industry, academia and government, it is expected to be a first step in a continuous process to improve the nation’s cyber security.
The framework document is labeled “Version 1.0” and is described as a “living” document that will need to be updated to keep pace with changes in technology, threats and other factors, and to incorporate lessons learned from its use. According to the document, these updates will ensure the framework meets the needs of critical infrastructure owners and operators in a dynamic and challenging environment.
The three main elements described in the document are the framework core, tiers and profiles. The core presents five functions — identify, protect, detect, respond and recover — that, taken together, allow any organization to understand and shape its cyber security program. The tiers describe the degree to which an organization’s cyber security risk management meets the goals set out in the framework and “range from informal, reactive responses to agile and risk-informed.” The profiles help organizations progress from their current level of cyber security sophistication to a target improved state that meets business needs.
“The development of this framework has jumpstarted a vital conversation between critical infrastructure sectors and their stakeholders,” said Gallagher. “They can now work to understand the cyber security issues they have in common and how those issues can be addressed in a cost-effective way without reinventing the wheel.”
The Cybersecurity Framework development process and all related documents can be found on the framework website.