The National Institute of Standards and Technology (NIST) announced the first step in the development of a Cybersecurity Framework, which will be a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that are vital to the nation’s economy, security and daily life.
President Obama called for the Cybersecurity Framework in his Improving Critical Infrastructure Cybersecurity Executive Order. In accordance with the executive order, the secretary of commerce has directed the director of NIST to lead the development of a framework to reduce cyber risks to critical infrastructure, such as power plants and financial, transportation and communications systems.
NIST will issue a request for information from critical infrastructure owners and operators, federal agencies, state, local, territorial and tribal governments, standards-setting organizations, other members of industry, consumers, solution providers and other stakeholders.
NIST will use the input gathered to identify existing consensus standards, practices and procedures that have been effective and that can be adopted by industry to protect its digital information and infrastructure from the full range of cybersecurity threats.
The framework will not dictate “one-size-fits-all” solutions, but will instead enable innovation by providing guidance that is technology neutral and recognizes the different needs and challenges within and among critical infrastructure sectors.
In the official request for information, which will be published in the Federal Register, NIST will ask organizations to share their current risk management practices; use of frameworks, standards, guidelines and best practices; and other industry practices. NIST plans to hold workshops over the next several months to collect additional input and will complete the framework within one year.
The RFI will request additional information on a number of core practices NIST views as applicable across industry, for example:
· Encryption and key management—With multiple encryption tools in use at any given organization, how does one protect, store and organize encryption keys?
· Asset identification and management—How does an organization determine which assets need protection and their value?
· Security engineering practices—How does an organization design its systems to meet security needs?
The framework will consist of a roadmap and structure for future efforts, including a recommended process for how the standards within each sector will be reviewed by each stakeholder community. NIST will continue to revise and update the framework to meet changing business and security needs.
It will include metrics, methods and procedures that can be used to continuously assess and monitor the effectiveness of deployed security controls as well as the effectiveness of framework standards, guidelines and best practices. The framework will provide a menu of management, operational and technical security controls, including policies and processes; and will lay a foundation for the development of effective conformity assessment based on NIST’s guidelines.