On October 22, 2013, the National Institute of Standards and Technology (NIST) posted a preliminary cybersecurity framework (the “Framework”) on its website. The complete Framework had been expected to be unveiled earlier in October, but was delayed as a result of the federal government shutdown. For background on earlier activity with respect to the Framework, please see the following blog entries: White House Announces Creation of “Voluntary Program” to Encourage Adoption of Cybersecurity Framework, Provides Incentives for Joining, NIST Releases Discussion Draft of Framework for Improving Critical Infrastructure Cybersecurity, and NIST Meeting to Finalize Cybersecurity Framework.
While the Framework is voluntary and directed at “critical infrastructure” as defined by the Department of Homeland Security, such as the power and transportation industries, it outlines a set of steps that can be customized to various sectors and adapted by both large and small organizations beyond the critical infrastructure sector.
According to NIST, “[t]he Framework relies on existing standards, guidance, and best practices to achieve outcomes that can assist organizations in managing their cybersecurity risk.” By using the Framework, organizations will be able to: “1) describe their current cybersecurity posture; 2) describe their target state for cybersecurity; 3) identify and prioritize opportunities for improvement within the context of risk management; 4) assess progress toward the target state; [and] 5) foster communications among internal and external stakeholders.”
The Framework is broken into three components: the Framework Core, the Framework Profile and the Framework Implementation Tiers. The Framework Core consists of five functions (Identify, Protect, Detect, Respond, Recover) which “can provide a high-level, strategic view of an organization’s management of cybersecurity risk.” The Profile “represents the outcomes that a particular system or organization has achieved or is expected to achieve,” and the Implementation Tiers help assess the maturity of an organization’s practices with respect to cybersecurity risk.
In a statement, Under Secretary of Commerce for Standards and Technology and NIST director Patrick Gallagher said: “We want to turn today’s best practices into common practices, and better equip organizations to understand that good cybersecurity risk management is good business. The framework will be a living document that allows for continuous improvement as technologies and threats evolve. Industry now has the opportunity to create a more secure world by taking ownership of the framework and including cyber risks in overall risk management strategies.”
The Framework is expected to be published for public comment in the Federal Register in the coming days. In the introduction to the framework, NIST asks reviewers to consider several questions, such as whether the Framework “adequately define[s] outcomes that strengthen cybersecurity and support[s] business objectives” and “enable[s] cost-effective implementation.” The official version of the Framework is expected to be released in February of 2014.