NIST Releases Cybersecurity FrameworkVoluntary Guide for Critical Infrastructure Sectors
The National Institute of Standards and Technology has unveiled its long-awaited cybersecurity framework, which provides best practices for voluntary use in all critical infrastructure sectors, including, for example, government, healthcare, financial services and transportation.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The 41-page catalog of tools is designed to help organizations develop information security protection programs. The creation of the framework was a collaborative effort of the government and the private sector (see: On Deck: The Cybersecurity Framework).
President Obama proposed the cybersecurity framework in his 2013 State of the Union address to help mitigate growing cyberthreats to the nation's critical infrastructure. He signed an executive order designating NIST to shepherd the creation of the framework.
"The framework ... reflects the good work of hundreds of companies, multiple federal agencies, and contributors from around the world," Obama said in a Feb. 12 statement. "While I believe today's framework marks a turning point, it's clear that much more work needs to be done to enhance our cybersecurity."
Best Practices Are Voluntary
The cybersecurity framework consists of best practices that government and businesses can use to reduce risk to critical infrastructure. It relies on existing international standards, practices and procedures that have proven effective.
"We're not being prescriptive," says Adam Sedgewick, the NIST executive overseeing the creation of the framework. "People said very early on, 'Make this risk based; don't make this compliance based.' We're trying to keep it at such a level that people have flexibility in how they use it."
In a conference call with news media on Feb. 12, one senior administration official noted: "We wanted this framework to be voluntary, and that was important because it encourages the widest possible set of stakeholders to come to the table and work with us. It also ensures that the muscle in this approach comes from the companies themselves."
Another administration official added: "It's about companies setting their own level of care, not a one-size-fits-all approach from the outside."
In conjunction with the release of the framework, the Department of Homeland Security also announced its Critical Infrastructure Cyber Community program, which is designed to coordinate cross-sector cybersecurity efforts.
The program supports the use of the cybersecurity framework through a "cyber resilience review," a free assessment that evaluates an organization's information technology resilience. The review can be a self-assessment or facilitated in-person, according to a senior Obama administration official.
During the next six months, NIST will sponsor workshops and other events to help organizations adopt the framework and to review stakeholder experiences with version 1.0 to improve the next iteration of the guidance.
"The whole thing is intended to be flexible," Sedgewick adds. "You build your cybersecurity program and here are some tools by which you can do it."
Building off standards, guidelines and practices listed in the document, the framework furnishes a common approach for organizations to describe their current and target cybersecurity postures, identify and prioritize prospects for improving IT security through risk assessment, evaluate progress and foster communication among stakeholders.
The framework's release comes at a time when significant Congressional action on cybersecurity legislation has stalled.
"We believe that the framework stands on its own and can be an incredibly powerful tool for enabling the kinds of conversations that need to happen between boards of directors and between government and industry," one senior administration official says. "The framework ... can be leveraged to make real improvements, regardless of what happens [on legislation]."
Putting Framework to Use
Because of the voluntary nature of the framework, some security experts question whether organizations will actually adopt the recommendations set forth by NIST. But Harriet Pearson, a security and privacy lawyer who once served as IBM's chief privacy officer, predicts the framework will see wide adoption.
"Primarily because of the level of government attention and resources that were put into its development ... and the expertise of the stakeholders who contributed to it and helped form it, the framework will be very influential in the U.S. and, I suspect, internationally as well," Pearson says.
In the banking sector, the framework could prove particularly helpful in educating smaller institutions, says Paul Smocer, president of BITS, the technology policy division of the Financial Services Roundtable.
"It will be helpful for small organization to have defined processes that the framework suggests, but our industry has created a lot of frameworks already just because of the nature of what we do," he says.
In the healthcare sector, the Health Information Trust Alliance plans to incorporate elements of the new NIST cybersecurity framework into its HITRUST Common Security Framework, a set of industry-specific guidelines, says Daniel Nutkis, CEO. He contends the NIST framework contains relatively few recommendations that are lacking in the HITRUST framework.
Chris Blask, chairman of the Industrial Control Systems Information Sharing and Analysis Center, says he expects vendors and service providers to tailor their offerings to the cybersecurity framework.
"Anytime you have NIST or someone coming out with recommended guidelines, it provides vendors with the opportunities to position their products and services against that [guidance]," Blask says.
Commenting on the framework's content, Blask points out that "situational awareness" is called out 18 times, including as an area in need of further efforts.
"This is an area which is not robustly defined in industry or government standards and practices to date, and as such, it is understandable that the framework does not point to artifacts of knowledge which critical infrastructure operators and their partners can leverage to develop mature capabilities," he says. "This is a key area which is absolutely necessary to the safety and reliability of national infrastructure and will require efforts on the part of the public and private sectors."
(Eric Chabrow, executive editor of GovInfoSecurity, contributed to this story).