The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) released the first version of the “Framework for Improving Critical Infrastructure Cybersecurity” in February. It was presented exactly one year after President Obama issued an executive order directing the agency to collaborate with industry to create a voluntary framework for managing cybersecurity-related risk based on existing standards, guidelines, and practices.
According to NIST, the framework uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. It focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk-management processes. Furthermore, because it references globally recognized standards on cybersecurity, it “can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity.”
Per the executive order, the framework also provides guidance on how organizations can incorporate the protection of individual privacy and civil liberties into a comprehensive cybersecurity program.
NIST has stressed that the framework is not a one-size-fits-all approach to managing cybersecurity risk. “Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the framework will vary.”
The agency recommends that companies begin by prioritizing their business objectives and identifying the digital threats to those priorities, then determine how they would identify, protect against, detect, respond to, and recover from a cyber attack. The next step should be to conduct a risk assessment and define their cybersecurity objectives. Once they’ve identified the gaps between their current and desired cybersecurity profiles, they should be ready to develop an action plan.
The framework is generally regarded as a good first step, but some don’t think it goes far enough. Ann M. Beauchesne, vice president of national security and emergency preparedness for the U.S. Chamber of Commerce, stated, “[T]he Chamber believes that the framework will be fundamentally incomplete without the enactment of information-sharing legislation. Businesses need policies that foster public-private partnerships – unencumbered by legal and regulatory penalties – so that individuals can experiment freely and quickly to counter evolving threats to U.S. companies.”
Greg Nojeim, director of the Center for Democracy and Technology’s Project on Freedom, Security and Technology, said, “The framework will be useful to companies and their privacy officers, because it will remind them that processes should be put in place to deal with the privacy issues that arise in the cybersecurity context. However, we are concerned that the privacy provisions in the framework were watered down from the original draft. We would have preferred a framework that requires more measurable privacy protections as opposed to the privacy processes that were recommended.”
NIST noted that the framework “is a living document and will continue to be updated and improved as industry provides feedback on implementation. As the framework is put into practice, lessons learned will be integrated into future versions.”
NIST’s “Roadmap” document discusses future versions of the framework and “ways to identify and address key areas for cybersecurity development, alignment and collaboration.”
In conjunction with the release of the framework, the U.S. Department of Homeland Security launched the Critical Infrastructure Cyber Community C³ (pronounced “C Cubed”) Voluntary Program to encourage use of the framework and to serve as the coordination point within the federal government for critical infrastructure owners and operators interested in improving their cyber-risk management processes. The C³ Voluntary Program is intended to increase awareness and use of the framework and to encourage organizations to manage cybersecurity as part of their enterprise-wide risk-management effort. Initially, the program will focus on working with sector-specific agencies and organizations to develop guidance on how to implement the framework.