Export Compliance Daily is a service of Warren Communications News.
‘Work in Progress’

NIST Reveals Cybersecurity Framework Draft

The National Institute of Standards and Technology unveiled a draft proposal for a voluntary cybersecurity framework (http://1.usa.gov/12kgl0Y) last week. NIST’s draft framework includes a section for senior executives to evaluate their cybersecurity preparedness, guidelines for organizations to understand how to apply the framework and a reference guide of existing guidelines and practices. NIST plans to hold its third cybersecurity framework workshop in San Diego July 10-12 and said it plans to publish its “official” draft cybersecurity framework for public comment in October.

NIST’s draft framework was a requirement of President Barack Obama’s cybersecurity executive order that aims to strengthen U.S. cyberdefenses, increase information sharing between the public and private sectors and develop baseline cybersecurity standards (CD Feb 14 p1). The order directed NIST, in collaboration with U.S. companies, to lead the federal development of voluntary cybersecurity standards and best practices. The ultimate goal of NIST’s framework is to develop an industry-driven and voluntarily adopted set of cybersecurity rules that identify existing cybersecurity standards and best practices, identify high-priority gaps in infrastructure protections and develop plans to address those gaps, NIST said. Director Patrick Gallagher previously told lawmakers that the framework will likely include industry-driven standards, processes and methodologies to help owners and operators of critical infrastructure secure their systems (CD March 8 p3).

The draft “is and will remain a work in progress” that reflects input received from the private sector following NIST’s February request for information and subsequent workshops, NIST said. The institute needs more information on the current “lack of standards, guidelines and practices to address privacy and civil liberties issues, as well as the scarcity of helpful metrics for an organization’s cybersecurity effectiveness,” the draft said. Ultimately “both large and small organizations will be able to use the final framework to reduce cyber risks to critical infrastructure by aligning and integrating cybersecurity-related policies and plans, functions and investments into their overall risk management,” said Adam Sedgewick, NIST senior information technology policy advisor.

NIST’s upcoming San Diego workshop will hold working sessions to flesh out five functions of the core structure of NIST’s framework to further specify an organization’s approach to cybersecurity (http://1.usa.gov/13lZYaV). The core structure categories of the framework suggest ways that owners and operators of critical infrastructure can identify their systems’ potential cybersecurity weaknesses, ensure adequate protection of those systems, identify cyber threats, respond to cyber incidents and restore services that are impaired by cyber attacks. The goal of this aspect of the framework is to help business executives understand their capability to identify, protect against, detect, respond to and recover from cybersecurity threats, NIST said.

The executive order also tasked DHS with overseeing the private sector’s implementation of NIST’s forthcoming cybersecurity standards and offering incentives to adopt them. On June 12, the departments of Homeland Security, Commerce and the Treasury submitted reports to the White House Office of Management and Budget, an OMB official confirmed. The reports consider the “feasibility and relative effectiveness of potential incentives that could be used to promote the adoption of the cybersecurity framework,” a DHS spokesman said. The reports are undergoing an interagency review process, the OMB spokesman said. “Once that process concludes, we plan to share the analysis and recommendations.”