Cybersecurity Framework Discussion Draft Issued
Document Seen as Precursor to Final Draft Due in October
The National Institute of Standards and Technology has issued a discussion draft of a cybersecurity framework ordered by President Obama.
The draft, issued Aug. 28, outlines areas where further work needs to be done by next February, when the final framework is slated to be issued.
In February, Obama issued an executive order directing NIST, working with the private sector, to develop a framework to reduce cybersecurity risks that the mostly private operators of the nation's critical infrastructure could adopt voluntarily [see Obama Issues Cybersecurity Executive Order].
NIST is leading a process in which industry and government collaborate to create the cybersecurity framework, and has solicited ideas over the Internet as well as at three workshops held since early spring. The discussion draft is a briefing document aimed at helping participants at the fourth workshop, to be held Sept. 11-13 at the University of Texas at Dallas. There, stakeholders will help shape the final draft of the framework to be issued in October.
Based on the responses so far, NIST says several high-priority areas to improve the framework have been identified, including:
- Overcoming inadequate authentication solutions;
- Extracting indicator data to analyze cybersecurity incidents;
- Developing conformity assessments to evaluate cybersecurity risk;
- Employing data analytics to scrutinize structured and unstructured data;
- Aligning international aspects of cybersecurity so critical infrastructure organizations can operate globally and effectively;
- Standardizing guidance on implementation of privacy best practices;
- Identifying risks associated with the supply chain.
The discussion draft says areas for improvement require continued focus. "They are important but evolving areas that have yet to be developed or require further research and understanding," the document says. "While tools, methodologies and standards exist for some of the areas, they need to become more mature, available and widely adopted. To address the areas for improvement, the community must identify primary challenges, solicit input from stakeholders to address those identified challenges and collaboratively develop and execute action plans for addressing the challenges."
NIST says the framework complements, but does not replace, an organization's risk management process or cybersecurity program. "Rather, the organization can use its current processes and leverage the framework to identify opportunities to improve an organization's cybersecurity risk management," the working draft says. "Alternatively, an organization without an existing cybersecurity program can use the framework as a reference when establishing one."
The working draft also describes the framework's key components, presents examples of how the framework can be used and addresses areas for improvement in cybersecurity standards and practices.
Among the working draft's appendices is one that contains a methodology to protect privacy and civil liberties.