NIST releases draft outline of Cybersecurity Framework for Critical Infrastructure

Based on the principle that national and economic security of the United States depends on the reliable functioning of critical infrastructure, President Obama, under the Executive Order dubbed “Improving Critical Infrastructure Cybersecurity,” has directed NIST to work with stakeholders in both private and public sectors to develop a voluntary framework for reducing cyber risks to critical infrastructure.

According to NIST, the framework will consist of standards, guidelines and best practices to promote the protection of critical infrastructure. The effort aims to outline a prioritized, flexible, repeatable, and cost-effective approach to help owners and operators of critical infrastructure manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.

The draft outline reflects input received in response to a February 2013 Request for Information, discussions at two workshops and other forms of stakeholder engagement.

The outline proposes a core structure for the framework and includes a user's guide and an executive overview that describes the purpose, need and application of the framework in business. Reflecting comments received that emphasized the importance of executive involvement in managing cyber risks, the framework is designed to help business leaders evaluate how prepared their organizations are to deal with cyber threats and their impacts, NIST said.

"We are pleased that many private-sector organizations have put significant time and resources into the framework development process," said Adam Sedgewick, senior information technology policy advisor at NIST. "We believe that both large and small organizations will be able use the final framework to reduce cyber risks to critical infrastructure by aligning and integrating cybersecurity-related policies and plans, functions and investments into their overall risk management."

NIST also released a draft compendium of references composed of existing standards, practices and guidelines to reduce cyber risks to critical infrastructure industries. The material was released to foster discussion at upcoming workshops and to further encourage private-sector input, before NIST publishes the official draft Cybersecurity Framework for public comment in October 2013.
