The soon-to-be-issued cybersecurity framework is not, as some maintain, a federal government mandate for how the nation's privately owned critical infrastructure operators must secure their information systems. Rather, it's designed to be a catalog of tools to help organizations develop information security protection programs.
Scheduled to be released on Feb. 12, the creation of the framework was a collaborative effort of the government and the private sector. It's intended for voluntary use in such critical infrastructure sectors as agriculture, energy, healthcare, financial services and transportation, to name a few.
The cybersecurity framework consists of best practices used by the government and businesses to reduce risk to critical infrastructure; it relies on existing international standards, practices and procedures that have proven to be effective.
"It's a good table of contents to existing standards and practices, a reflection of what's going on in industry," says Chris Blask, chairman of the Industrial Control Systems Information Sharing and Analysis Center, one of hundreds of groups and individuals that helped formulate the framework.
Building off standards, guidelines and practices listed in the document, the framework furnishes a common approach for organizations to describe their current and target cybersecurity postures, identify and prioritize prospects for improving IT security through risk assessment, evaluate progress and foster communication among stakeholders.
At the core of the framework are five functions - identify, protect, detect, respond and recover - which provide a high-level, strategic view on how an organization manages risk. The core is divided into function groups such as asset management, access control and detection processes.
The framework is voluntary; infrastructure owners cannot be compelled to adopt it. Indeed, a significant number of individuals and organizations formally commenting on the framework stated that its voluntary nature should be reinforced throughout the document.
Often branded as the NIST framework because President Obama last year ordered the National Institute of Standards and Technology to work with the private sector to develop the guide, it incorporates hundreds of ideas presented by the private sector.
"This is one of the better examples of public-private sector cooperation we've seen," says Paul Smocer, president of BITS, the technology policy division of the Financial Services Roundtable. "NIST had not only offered a lot of opportunities to the private sector to engage in the development of the framework, but in reality, the private sector was engaged."
Obama proposed the cybersecurity framework in his 2013 State of the Union address to help mitigate growing cyberthreats to the nation's critical infrastructure. He signed an executive order last February designating NIST to shepherd the creation of the framework (see Obama Issues Cybersecurity Executive Order).
NIST held five workshops as well as well as numerous meetings, webinars and informal sessions to gather feedback from stakeholders in government, the private sector and academia. NIST, which estimates more than 3,000 people participated in the process, solicited comments from stakeholders and received nearly 2,500 suggestions on what should be contained in the framework.
A Shift on Privacy
One of the more influential suggestions came from Harriet Pearson, the former chief privacy officer of IBM, who wrote that the privacy guidance in the preliminary draft of the framework would discourage companies from voluntarily adopting it (see Reworking Framework's Privacy Approach). NIST had based the proposed privacy provisions on language culled from its guidance designed for federal government agencies that does not reflect private-sector consensus on privacy.
"While government agencies have to be held to a high bar as they conduct their own cybersecurity efforts - because government is unique and government has many powers industry does not have - the same standards and rules that apply to government are not applicable to industry," says Pearson, a partner in the law firm Hogan Lovells.
Also, Pearson contends, the privacy provisions incorporated in the preliminary draft were too broad. Instead, she offered NIST an alternative privacy methodology that addresses privacy as it relates to specific cyber-activities, such as privacy concerns raised by continuous monitoring or information sharing. NIST incorporated Pearson's methodology into the framework.
Pearson says having the framework reflect industry consensus should help encourage adoption by organizations that need to strengthen their IT security.
Even those with sophisticated information security programs based on other IT security frameworks could benefit from the plan emanating from NIST.
BITS's Smocer sees the cybersecurity framework helping the financial services industry even though most banks and financial companies have had sophisticated IT security programs in place for years. He says many banking industry partners in other sectors provide needed services that could be threatened if they don't implement an appropriate IT security program. "The framework will help raise those folks to same level as we are and we'll all be in much better shape," Smocer says.
The Cost Factor
Smocer's enthusiasm for the framework isn't shared by all.
The industry trade group Internet Security Alliance, in a paper published to coincide with the release of the NIST framework, questions whether it's cost-effective, a condition of the president's executive order. That's important, the alliance says, because organizations, whether public or private, consider cost when assessing risk.
"The cost-effectiveness requirement in the president's executive not only makes imminent sense; it is fundamental to the long-term success of voluntary adoption of the framework," the paper says.
Cost is on the mind of Joseph Rigby, chief executive of Pepco Holding, an energy distribution company. Rigby, along with other top infrastructure company executives, met with Obama late last year to discuss the framework in the White House Situation Room (see Obama, CEOs Meet on Cybersecurity Framework). He said Pepco would voluntarily adopt the framework, but added that his firm would seek approval from state regulators to incorporate the costs of adopting the framework in the rates it charges customers.
"It is important that the federal government and the states speak with one voice on cybersecurity and support the recovery of the costs of protecting critical infrastructure and information against the perpetrators of cyber-attacks," Rigby says. "We expect these expenses to continue to rise as standards evolve and new threats arise."
A Living Document
The costs to implement the framework, as well as other elements, such as incentives to get companies to adopt the framework, won't appear in version 1.0 of the framework NIST is releasing Feb. 13.
"People have to realize that this is the beginning and not the end," says Adam Sedgewick, the NIST executive overseeing the creation of the framework. "It's a living document."
Over the next half year, NIST will sponsor workshops and other events to help organizations adopt the framework and to review stakeholder experiences with version 1.0 in order to improve the next iteration of the guidance.
Sedgewick says implementing the framework alone cannot assure that an organization's information systems will be secure. "The framework is something that needs to be embraced by organizational culture instead of something that's freestanding," he says.