Export Compliance Daily is a Warren News publication.
DHS ‘Single Point of Access’

NIST Releases ‘Version 1.0’ Cybersecurity Framework

The White House marked the one-year anniversary Wednesday of President Barack Obama’s cybersecurity executive order (WID Feb 14/13 p1), showcasing the release of the National Institute of Standards and Technology’s (NIST) final “Version 1.0” of the Cybersecurity Framework. The White House also touted the start of the Department of Homeland Security’s voluntary Critical Infrastructure Cyber Community (C3) program to encourage industry adoption of the framework. The Version 1.0 framework drew praise from Capitol Hill and several industry stakeholders.

The Version 1.0 framework released Wednesday largely mirrors the preliminary version NIST released in late October (WID Oct 23 p2), although the framework’s handling of privacy and civil liberties issues has changed. The preliminary framework collected all privacy standards in a separate Appendix B, with notations about how they would apply within the Framework Core, the set of common standards and best practices that NIST and industry found constituted baseline cybersecurity risk management. Version 1.0 drops the standalone appendix and intersperses the privacy standards within the Framework Core itself. NIST didn’t receive “sufficient support for a standalone Appendix B” during its consultation with industry stakeholders following the preliminary framework’s release, a senior administration official said Wednesday during a conference call with reporters. “We received comments saying that it needed to be integrated.”

The Version 1.0 framework -- like the preliminary iteration -- centers on the Framework Core, which organizes cybersecurity activities into five Functions (Identify, Protect, Detect, Respond and Recover), each broken down into Categories and Subcategories that are mapped to informative references in existing standards. The framework also continues to rely on the Framework Implementation Tiers, which let an organization characterize the rigor of its current cyber risk management practices on a four-level scale from Partial to Adaptive, and the Framework Profile, which lets an entity compare its current state with a target state and build a plan to reduce cyber risk that also aligns with its business requirements, risk tolerance and resources. The Framework Core’s informative references continue to draw on security standards from the Council on CyberSecurity, ISACA (formerly the Information Systems Audit and Control Association), joint standards from the International Organization for Standardization and the International Electrotechnical Commission, and NIST Special Publication 800-53, Revision 4, the security and privacy controls catalog for federal information systems (http://1.usa.gov/1guHCWM).

DHS’s C3 program will provide a “single point of access” to DHS cybersecurity resources for entities working to adopt the Cybersecurity Framework, Secretary of Homeland Security Jeh Johnson said during a White House-led event Wednesday. DHS is responsible for implementing many parts of the cybersecurity executive order, including encouraging industry adoption of the Cybersecurity Framework. The C3 program will give critical infrastructure companies and other industry stakeholders free “direct access” to DHS cybersecurity experts, including specific threat information and solutions, as well as “immediate advice and assistance” after a cyberattack, Johnson said. C3 offerings will also include the Cyber Resilience Review, a free review, either self-guided or DHS-facilitated, of the strengths and weaknesses of an entity’s cybersecurity practices, he said.

White House officials, along with Johnson and Secretary of Commerce Penny Pritzker, emphasized that industry adoption of the framework remains entirely voluntary, though Pritzker noted that “good risk management is simply good business.” NIST facilitated work on the framework, but it “belongs to industry,” she said. NIST will continue to facilitate future revisions of the framework, but those revisions will be “aligned with industry.” White House Cybersecurity Coordinator Michael Daniel noted that NIST is exploring moving ownership of the framework to a nongovernmental entity.

He and Lisa Monaco, deputy national security adviser for homeland security and counterterrorism, both praised the framework Wednesday, echoing a White House statement in which Obama called the framework a “turning point” in protecting U.S. critical infrastructure. Obama urged Congress to “move forward” on cybersecurity legislation. White House Chief of Staff Denis McDonough also urged legislative action from Congress, including “statutory authority that protects our nation.” Both the House and Senate have been considering cybersecurity bills, but industry policy experts have indicated they see limited prospects for such bills passing during the remainder of the current Congress (WID Jan 6 p2). The senior administration official told reporters the framework “stands on its own” and can be “an incredibly powerful tool that we can leverage to make real improvements across our critical infrastructure."

An ‘Essential Touchstone’

Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., said in a statement that the framework “should become an essential touchstone, not just for critical infrastructure operators, but for all companies and government agencies that need to protect their systems and their data.” Senate Homeland Security Committee Chairman Tom Carper, D-Del., also praised the framework and said in a statement that “we must now focus like a laser on ensuring widespread implementation of the framework in order to effectively protect our national and economic security.” Carper also pledged to “work with my colleagues on this important issue to ensure that Congress steps up to the plate and does its job to help protect our nation’s critical systems."

Several industry stakeholders also praised the framework. AT&T CEO Randall Stephenson said during the White House event that he was “enthusiastic” about the framework and would ensure AT&T uses it as the baseline requirements its suppliers and partners must meet in order to continue to do business with the telco. “Any large company that isn’t imposing cybersecurity standards” on its suppliers “has a vulnerability that they're missing,” he said. Telecommunications Industry Association President Grant Seiffert praised the framework in a statement, and called on Congress to “provide liability protections for the private sector that will allow for good faith efforts to address rapidly evolving threats, and that would facilitate information sharing among private sector members and the government.”

USTelecom President Walter McCormick said in a statement that the framework provides a “workable approach,” adding that it “emphasizes a multi-stakeholder, voluntary, flexible and cost-effective approach that can be used by organizations of all types and sizes.” Software & Information Industry Association President Ken Wasch praised the framework’s flexibility, which he said in a statement was “essential to its success.” Information Technology Industry Council President Dean Garfield said in a statement that the framework “represents an effective approach to cybersecurity because it leverages public-private partnerships, is based on risk management, is voluntary, and points to globally recognized, consensus-based standards and best practices.” CTIA and NCTA said they are still reviewing the document.

Internet Security Alliance President Larry Clinton said in a statement that the framework represented “progress,” but noted that it “did not deal with the critical issue of cost-effectiveness and there has been virtually no progress in developing an incentive package to promote use of the Framework beyond those companies who already are following industry best practices,” even though those were elements the executive order required. “If we don’t make real progress in these areas quickly all the work that went into developing the NIST Framework will go to waste,” Clinton said. ISA issued a series of papers last week examining portions of the executive order that federal agencies still need to address, including identifying incentives. Daniel said Wednesday that DHS and other sector-specific agencies have continued to refine possible incentives since the White House released agencies’ incentive recommendations in August (WID Aug 7 p4), and will release further details in the coming months.