The National Institute of Standards and Technology (NIST) has released the first version of the Framework for Improving Critical Infrastructure Cybersecurity, which was developed with the aid of several thousand security experts.
The Framework initiative was prompted by President Obama’s Executive Order issued in February of 2013, and is designed to be a broadly applicable security standard that allows for flexibility to accommodate a range of industries already subject to numerous regulatory mandates.
“The Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure,” a NIST statement said. “The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.”
The Framework aims to consolidate various controls like ISO27k, NERC CIP, COBIT, the Top 20 Critical Controls and others into one streamlined document to produce a security capability maturity model that will be propelled by stakeholder-driven incentives that are meant to encourage voluntary adherence.
Ultimately success will require the willful participation of early adopters who already maintain a mature security and compliance posture, and the subsequent alignment of risk management strategies by those who will require time and resources to come into line with the standards, a potentially costly endeavor.
“The Department of Homeland Security’s Critical Infrastructure Cyber Community C³ Voluntary Program helps align critical infrastructure owners and operators with existing resources that will assist their efforts to adopt the Cybersecurity Framework and manage their cyber risks,” the NIST statement said. “Learn more about the C³ Voluntary Program by visiting: www.dhs.gov/ccubedvp.”
NIST also issued a companion Roadmap that discusses the next steps in the Framework’s development and identifies key areas of alignment and collaboration.
“In the interest of continuous improvement, NIST will continue to receive and consider informal feedback about the Framework and Roadmap,” NIST said. “As has been the case throughout the process, organizations and individuals may contribute observations, suggestions, and lessons learned to firstname.lastname@example.org.”
For a better understanding of how the Framework was developed, here are several articles from experts involved in the creation of the document who offered their analysis in the lead-up to the final draft released this week:
- Don’t Reinvent the Wheel: Phil Agcaoili on the Cyber Security Framework
- Cyber Security Framework Lacks Mitigating Controls and Cloud Security
- ISA’s Larry Clinton on Incentivizing the Cyber Security Framework
- Adam Meyer on Implementing the Cyber Security Framework
- The Cyber Security Framework and the Case for Platform IT