The Preliminary Cybersecurity Framework that could help critical infrastructure owners and operators reduce cyber security risks in industries such as power generation, transportation and telecommunications is now available.
The National Institute of Standards and Technology (NIST) will soon open a 45-day public comment period on the Preliminary Framework and plans to release the official framework in February 2014, as called for in Executive Order 13636—Improving Critical Infrastructure Cybersecurity.
In February 2013, President Obama directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks, recognizing that U.S. national and economic security depends on the reliable functioning of critical infrastructure.
Through a request for information and a series of workshops held throughout this year, NIST worked with more than 3,000 individuals and organizations on standards, best practices and guidelines that can provide businesses, their suppliers, their customers and government agencies with a shared set of expected protections for critical information and IT infrastructure.
“Thanks to a tremendous amount of industry input, the voluntary framework provides a flexible, dynamic approach to matching business needs with improving cyber security,” said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher. “We encourage organizations to begin reviewing and testing the Preliminary Framework to better inform the version we plan to release in February.”
The Preliminary Framework outlines a set of steps that various sectors can customize and adapt at large and small organizations while providing a consistent approach to cyber security.
The framework offers a common language and mechanism for organizations to determine and describe their current cyber security posture, as well as their target state for security. The framework will help them to identify and prioritize opportunities for improvement within the context of risk management and to assess progress toward their goals.
The framework will foster communications among internal and external stakeholders and help organizations hold each other accountable for strong cyber protections while allowing flexibility for specific approaches tailored to each business’ market and regulatory environment. Its integrated approach focuses on outcomes, rather than any particular technology, to encourage innovation.
“We want to turn today’s best practices into common practices, and better equip organizations to understand that good cyber security risk management is good business,” Gallagher said. “The framework will be a living document that allows for continuous improvement as technologies and threats evolve. Industry now has the opportunity to create a more secure world by taking ownership of the framework and including cyber risks in overall risk management strategies.”
While this framework was developed explicitly in response to the February 2013 Executive Order and the need to reduce risks to critical infrastructure, other organizations can apply it to improve their readiness to deal with increasing cyber security risks in any industry.
NIST will hold a workshop to discuss the Preliminary Framework—including implementation and further governance—Nov. 14 and 15, 2013, at North Carolina State University.