Today the Administration released its Cybersecurity Framework, a voluntary how-to cybersecurity guide for critical infrastructure (CI) organizations. The Framework was called for in the Executive Order the President released last February and was developed by the US National Institute of Standards and Technology (NIST) with input from businesses. The Framework comprises three components:
- The Framework Core is a set of cybersecurity activities and informative references that are common across CI sectors. The cybersecurity activities are grouped by five functions that provide a high-level view of an organization’s management of cyber risks.
- The Profiles can help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources. Companies can use the Profiles to understand their current cybersecurity state, support prioritization, and to measure progress towards a target state.
- The Tiers provide a mechanism for organizations to view their approach and processes for managing cyber risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and its integration into an organization’s overall risk management practices.
Though the adoption of the Framework is voluntary, DHS is partnering with the CI community to encourage use of the Framework. They have established the Critical Infrastructure Cyber Community (C3 pronounced “C Cubed”) Voluntary Program as a public-private partnership to increase awareness and use of the Framework. The C3 Voluntary Program will connect companies, as well as federal, state, local, tribal, and territorial partners, to DHS and other federal government programs and resources that will assist their efforts in managing their cyber risks. Participants will be able to share lessons learned, get assistance, and learn about free tools and resources that can help them.
NIST also released a roadmap (http://www.vantagepointstrat.com/wp-content/uploads/2014/02/roadmap-021214.pdf) detailing next steps for the framework. They plan on holding at least one workshop within the next six months to provide a forum for stakeholders to share experiences in using the Framework. NIST will also hold a privacy workshop in the second quarter of 2014 with the intention of advancing “the identification of technical standards and best practices” for mitigating cybersecurity impacts on privacy and civil liberties.
Federal executive branch civilian agencies are evaluating how they will use the Framework to enhance the protection of their systems, and state and local governments are also looking at how they can leverage capabilities found in the Framework to assist in managing their cybersecurity risk. DHS is developing the Voluntary Program to respond to state and local government needs, and it is examining incentives tailored to these stakeholders.