On Deck: The Cybersecurity Framework

NIST to Unveil Compilation of InfoSec Best Practices, Standards

By , February 8, 2014.
Adam Sedgewick is NIST's point man on the cybersecurity framework.

The soon-to-be-issued cybersecurity framework is not, as some maintain, a federal government mandate for how the nation's privately owned critical infrastructure operators must secure their information systems. Rather, it's designed to be a catalog of tools to help organizations develop information security protection programs.


Scheduled to be released on Feb. 12, the creation of the framework was a collaborative effort of the government and the private sector. It's intended for voluntary use in such critical infrastructure sectors as agriculture, energy, healthcare, financial services and transportation, to name a few.

The cybersecurity framework consists of best practices used by the government and businesses to reduce risk to critical infrastructure; it relies on existing international standards, practices and procedures that have proven to be effective.

"It's a good table of contents to existing standards and practices, a reflection of what's going on in industry," says Chris Blask, chairman of the Industrial Control Systems Information Sharing and Analysis Center, one of hundreds of groups and individuals that helped formulate the framework.

Building off standards, guidelines and practices listed in the document, the framework furnishes a common approach for organizations to describe their current and target cybersecurity postures, identify and prioritize prospects for improving IT security through risk assessment, evaluate progress and foster communication among stakeholders.

At the core of the framework are five functions - identify, protect, detect, respond and recover - which provide a high-level, strategic view on how an organization manages risk. The core is divided into function groups such as asset management, access control and detection processes.

No Mandate

The framework is voluntary; infrastructure owners cannot be compelled to adopt it. Indeed, a significant number of individuals and organizations formally commenting on the framework stated that its voluntary nature should be reinforced throughout the document.

Often branded as the NIST framework because President Obama last year ordered the National Institute of Standards and Technology to work with the private sector to develop the guide, it incorporates hundreds of ideas presented by the private sector.

"This is one of the better examples of public-private sector cooperation we've seen," says Paul Smocer, president of BITS, the technology policy division of the Financial Services Roundtable. "NIST had not only offered a lot of opportunities to the private sector to engage in the development of the framework, but in reality, the private sector was engaged."

Obama proposed the cybersecurity framework in his 2013 State of the Union address to help mitigate growing cyberthreats to the nation's critical infrastructure. He signed an executive order last February designating NIST to shepherd the creation of the framework (see Obama Issues Cybersecurity Executive Order).

NIST held five workshops as well as numerous meetings, webinars and informal sessions to gather feedback from stakeholders in government, the private sector and academia. NIST, which estimates more than 3,000 people participated in the process, solicited comments from stakeholders and received nearly 2,500 suggestions on what should be contained in the framework.

A Shift on Privacy

One of the more influential suggestions came from Harriet Pearson, the former chief privacy officer of IBM, who wrote that the privacy guidance in the preliminary draft of the framework would discourage companies from voluntarily adopting it (see Reworking Framework's Privacy Approach). NIST had based the proposed privacy provisions on language culled from its guidance designed for federal government agencies that does not reflect private-sector consensus on privacy.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
