Following an Executive Order issued by U.S. President Barack Obama in February of this year, the National Institute of Standards and Technology (NIST) yesterday made public a provisional copy of the government’s cybersecurity framework and says it will accept public comment on the draft for the next 45 days.
The preliminary framework is the collaborative effort of more than 3,000 individuals and organizations working together to develop sets of outcome-focused standards, best practices, and guidelines so that government agencies as well as businesses and their suppliers and customers can address their network security needs with minimal impact on day-to-day operations. It aims to establish sets of industry-specific security norms applicable to organizations of all sizes with the goal of securing the nation’s critical infrastructure.
Its key objective, NIST claims, is to encourage organizations to prioritize cybersecurity risk in the same way they prioritize financial, safety, and operational risks.
The framework is broken into five core functions: identify; protect; detect; respond; and recover. Ideally, companies – particularly those that handle critical infrastructure – will aim to serve each function by identifying the potential risks they face ahead of time, establishing protections to address those threats, and developing methods of detecting, responding to, and recovering from attacks if and when they occur.
“Thanks to a tremendous amount of industry input, the voluntary framework provides a flexible, dynamic approach to matching business needs with improving cybersecurity,” said NIST Director Patrick Gallagher. “We encourage organizations to begin reviewing and testing the Preliminary Framework to better inform the version we plan to release in February.”
The framework is intended to help organizations establish prioritized internal IT security goals and to provide guidance as organizations work toward those goals. It will also promote external communication with the government and other private companies so that organizations can share valuable threat information and – because attacks on one company often affect many others – hold one another accountable for establishing strong defenses.
“We want to turn today’s best practices into common practices, and better equip organizations to understand that good cybersecurity risk management is good business,” explained Gallagher. “The framework will be a living document that allows for continuous improvement as technologies and threats evolve.”
President Obama delivered his Executive Order with the stated intent of protecting the nation’s critical infrastructure, more specifically, “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The nation’s top standards body, however, ambitiously hopes that the final cybersecurity framework will prompt all of the country’s businesses to implement better security procedures.
NIST will host a workshop discussing the implementation and further governance of the preliminary framework at North Carolina State University on Nov. 14 and 15.
In February, many criticized President Obama’s executive order for being filled with voluntary initiatives and lacking concrete mandates and requirements. It remains to be seen what stakeholders will think of the preliminary framework, but the 45-day period of crowd-sourced comment can only help make the policy framework better.