The National Institute of Standards and Technology (NIST) today released its Preliminary Cybersecurity Framework, after missing the initial October 10 deadline for posting the draft for review and comment because of the recent government shutdown.
The Framework, intended to bolster cybersecurity for critical infrastructure assets, is being developed with the aid of several thousand security experts who have attended workshops or otherwise contributed to the draft.
“Thanks to a tremendous amount of industry input, the voluntary framework provides a flexible, dynamic approach to matching business needs with improving cybersecurity. We encourage organizations to begin reviewing and testing the Preliminary Framework to better inform the version we plan to release in February,” said Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and NIST Director.
The Framework initiative was prompted by President Obama’s Executive Order issued in February of this year. It is set to be finalized by February 2014 and is designed to be a broadly applicable “living document,” flexible enough to accommodate a range of industries already subject to numerous regulatory mandates.
“We want to turn today’s best practices into common practices, and better equip organizations to understand that good cybersecurity risk management is good business. The framework will be a living document that allows for continuous improvement as technologies and threats evolve,” said Gallagher. “Industry now has the opportunity to create a more secure world by taking ownership of the framework and including cyber risks in overall risk management strategies.”
But critics of the draft proposal say NIST’s version of the Framework is too complicated, and that it should instead seek to unify the fractured landscape of security standards already in existence.
“In its current form, the CSF will be perceived as overwhelming and the lack of prioritization of 88-121 sub-categories will leave most mid- and small-sized companies, and many larger companies as well, uncertain as to where to direct their limited human and financial capital,” said Phil Agcaoili, who recently released his own version of the Framework that takes advantage of already existing standards like NIST SP800-53, ISO 27001, CCS CSC, NERC CIP, ISA 99 and COBIT, among others.