NIST Unveils Draft of Cybersecurity FrameworkExecutives Given Key Role in Voluntary Framework
The cybersecurity framework, ordered by President Obama, will emphasize the importance of senior executives in managing programs to secure their enterprises' information systems and assets, according to a draft of the cybersecurity framework released by the National Institute of Standards and Technology.
"By using this framework, these senior executives can manage cybersecurity risks within their enterprise's broader risks and business plans and operations," says the draft dated July 1, but made public a day later.
In February, Obama issued an executive order directing NIST, working with the private sector, to develop a framework to reduce cybersecurity risks that the mostly private operators of the nation's critical infrastructure could adopt voluntarily [see Obama Issues Cybersecurity Executive Order].
NIST concedes much more work must be done by the time the final version of the framework is issued next February. Among the areas NIST identifies that need to be addressed in the framework are privacy and civil liberties standards, guidelines and practices as well as helpful metrics for organizations to determine their cybersecurity effectiveness.
"We want to provide something that has flexibility, that can be implemented by different sectors," Donna Dodson, chief of NIST's computer security division, said in an interview with Information Security Media Group prior to the draft's release [see Fulfilling the President's Cybersecurity Executive Order]. "We want it to be specific in other ways so that we are sure we are working to reducing cybersecurity risks in the critical infrastructure."
5 Core Cybersecurity Functions
The framework, according to the draft, will revolve around a core structure that includes five major cybersecurity functions, each with its own categories, subcategories and information references. The five functions include Know, Prevent, Detect, Respond and Recover.
The Know function, for instance, would include a category entitled "know the enterprise risk architecture" with subcategories of "understand corporate risk tolerance" and "identify risk assessment methodologies," as well as others. An information reference, in this instance, would link to guidance such as NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations and ISO 31000: Risk Management.
The framework also will include three implementation levels that reflect organizational maturity in addressing cybersecurity. Incorporated into the framework will be a user's guide to help organizations understand how to apply it as well as a compendium of informative references, existing standards, guidelines and practices to assist with specific implementation.
Framework as a Guide, Not Detailed Manual
NIST says the framework should not be seen as a detailed manual, but as a guide to help executives, managers and staff to understand and assess the cybersecurity capabilities, readiness and risks their organizations face, as well as identify areas of strength and weakness and aspects of cybersecurity on which they should productively focus.
Some 240 entities including major technology and security vendors, trade groups, local and state governments, not-for-profit organizations and individuals this past spring submitted to NIST their ideas on IT security best practices to incorporate into the framework. NIST held a workshop in late May in Pittsburgh, where it reviewed the submissions and started to create the framework. Another workshop is scheduled for July 10-12 in San Diego, where the framework will be refined.
"Many comments advised that the cybersecurity framework would not be effective unless the very senior levels of management of an organization were fully engaged and aware of the vulnerabilities and risks posed by cybersecurity threats and committed to integrating cybersecurity risks into the enterprise's larger risk management approach," according to the draft.
"Time and again, comments reflected that these senior executives, including boards of directors, need to integrate and relate cybersecurity concerns and risks to critical infrastructure to the organization's basic business and its ability to deliver products and services," the draft says. "It is clear that these officials are best positioned to define and express accountability and responsibility, and to combine threat and vulnerability information with the potential impact to business needs and operational capabilities."