NIST issues framework to protect critical systems

To help organizations charged with providing the nation's financial, energy, health care, and other critical systems better protect their information and physical assets from cyber attack, the Commerce Department's National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity.

The framework provides a structure that organizations, regulators, and customers can use to create, guide, assess, or improve comprehensive cybersecurity programs.

"The framework provides a consensus description of what's needed for a comprehensive cybersecurity program," said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher. "It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business."

“We welcome the cybersecurity framework issued today by the National Institute of Standards and Technology as directed by the Obama Administration,” said Frank Keating, ABA president and CEO in a statement. “The framework reflects existing regulations and practices within the financial services sector. It also provides important direction to the public sector on improving cybersecurity soundness and ultimately the safety of our nation’s critical infrastructure.

“Banks and other financial services companies have made cybersecurity a top priority and are subject to the most stringent regulatory requirements. We have put in place the highest level of security among critical sectors, and become a role model sector for cooperation, effectiveness and security. We look forward to continuing to work with the Financial Services Sector Coordinating Council, the administration, and Congress toward our mutual goal of protecting our nation’s critical assets.”

The three main elements described in the document are the framework core, tiers, and profiles. The core presents five functions—identify, protect, detect, respond, and recover—that taken together allow any organization to understand and shape its cybersecurity program. The tiers describe the degree to which an organization's cybersecurity risk management meets goals set out in the framework and "range from informal, reactive responses to agile and risk-informed." The profiles help organizations progress from a current level of cybersecurity sophistication to a target improved state that meets business needs.

"The development of this framework has jumpstarted a vital conversation between critical infrastructure sectors and their stakeholders," says Gallagher. "They can now work to understand the cybersecurity issues they have in common and how those issues can be addressed in a cost-effective way without reinventing the wheel."

The framework allows organizations—regardless of size, degree of cyber risk, or cybersecurity sophistication—to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.

Organizations can use the framework to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity. It also offers a methodology to protect privacy and civil liberties to help organizations incorporate those protections into a comprehensive cybersecurity program.

While the framework is the culmination of a year-long effort that brought together thousands of individuals and organizations from industry, academia and government, it is expected to be a first step in a continuous process to improve the nation's cybersecurity.

The framework document is labeled "Version 1.0" and is described as a "living" document that will need to be updated to keep pace with changes in technology, threats, and other factors, and to incorporate lessons learned from its use. According to the document, these updates will ensure the framework meets the needs of critical infrastructure owners and operators in a dynamic and challenging environment.

NIST also released a "Roadmap" document to accompany the framework. It lays out a path toward future framework versions and ways to identify and address key areas for cybersecurity development, alignment, and collaboration. It says NIST will continue to serve as a convener and coordinator to work with industry and other government agencies to help organizations understand, use, and improve the framework. This will include leading discussions of models for future governance of the framework, such as potential transfer to a non-government organization.

In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The order calls for the development of a voluntary, risk-based Cybersecurity Framework—a set of existing standards, guidelines and practices to help organizations manage cyber risks. The resulting framework, created through public-private collaboration, provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.

As a nonregulatory agency of the Department of Commerce, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.