NIST Releases Cybersecurity Framework ‘Discussion Draft’ Ahead of Final Development Workshop
The forthcoming Cybersecurity Framework being developed by critical infrastructure industries and the National Institute of Standards and Technology “complements, and does not replace, an organization’s existing business or cybersecurity risk management process and cybersecurity program,” said a discussion draft of the framework NIST released Wednesday night. The framework is instead meant to help an organization leverage its existing cybersecurity processes and identify areas to improve risk management, although organizations that lack a cybersecurity program can use the framework as a “reference when establishing one,” NIST said in the draft (http://1.usa.gov/154Zjp9).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
A NIST spokeswoman said the draft is meant to guide discussion at the fourth and final framework development workshop, set for Sept. 11-13 at the University of Texas-Dallas. NIST released an outline of the framework in early July in advance of a framework development workshop in San Diego (WID July 8 p1). A complete preliminary version of the framework will be released in October for public comment, while the final framework will go public in February, as required in President Barack Obama’s cybersecurity executive order (WID Feb 14 p1).
The “Framework Core” advises critical infrastructure owners and operators to identify and prioritize which assets and systems need to be protected, and then implement “appropriate safeguards.” Owners and operators also should develop a plan to detect, respond and recover from a “cybersecurity event,” NIST said in the draft. Elements within the Framework Core will help an organization organize its cybersecurity activities and provide references to common standards and practices that can be used as a guide, NIST said.
A set of “Framework Implementation Tiers” will show the degree to which an organization manages cybersecurity risk, ranging from “Partial” at Tier 0 to “Adaptive” at Tier 3. A Tier 0 organization “has not yet implemented a formal, threat-aware risk management process” but might implement some framework guidelines on an irregular basis, NIST said. A Tier 3 organization actively adapts “to a changing cybersecurity landscape and emerging/evolving threats,” NIST said. “The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before an event occurs."
A “Framework Profile” will help critical infrastructure owners and operators establish a “roadmap for reducing cybersecurity risk” that both fits within the Framework Core goals and is “aligned with the business requirements, risk tolerance, and resources of the organization,” NIST said. The framework doesn’t include profile templates and doesn’t have specific tier requirements that organizations should adhere to. An accompanying document NIST also released Wednesday provides “illustrative examples” of threat mitigation profiles targeted at specific cyberthreats like hacking or malware (http://1.usa.gov/158as8M).
The framework draft remains a work in progress, with NIST identifying privacy protections as one of several areas that require additional work. Although the Fair Information Practice Principles are a “longstanding framework for evaluating and mitigating privacy impacts around the collection, use, disclosure and retention of personally identifiable information,” they don’t contain standardized guidance on best practices, NIST said. “There are few identifiable standards or best practices to mitigate the impact of cybersecurity activities on individuals’ privacy and civil liberties.” Other areas requiring improvement include authentication methods, automated indicator sharing, conformity assessment, data analytics, international standardization and supply chain risk management.
NIST wants participants at next month’s workshop to provide specific feedback based on the discussion draft. The agency wants participants to say whether the current version of the framework includes -- and doesn’t disrupt -- current effective cybersecurity practices, as well as whether it will enable organizations to incorporate threat information. NIST also wants to know whether the draft framework is specific enough in its presentation and whether it adequately addresses privacy and civil liberties needs. Participants should provide additional input on ways the framework more adequately can define outcomes that strengthen cybersecurity, better conform to business objectives and provide the best guidance to businesses, NIST said.
USTelecom Vice President Robert Mayer praised the draft. It’s “a thoughtful approach of suggested industry-wide practices across a wide variety of enterprises that will ultimately lead to greater protections for consumers,” he said in a statement. Wiley Rein encourages “stakeholders to engage in the continuing processes and discussions surrounding the Cybersecurity Framework and the Incentive Report,” said the law firm in an email to clients. “Actions pursuant to both the Framework and recommended incentives could result in regulatory changes, federal procurement requirements, federal grant requirements, and possible legislative action.”