NIST Issues Draft of Cybersecurity Framework for Public Review

With the draft, NIST is continuing to fulfill President Obama’s February 2013 Executive Order, which calls for the development of a Cybersecurity Framework that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” for managing cybersecurity risk within critical infrastructure services, in a manner similar to how financial, safety and operational risk is handled.

After releasing a draft outline in July, NIST is now looking for another round of feedback and private-sector input before it publishes the official draft Cybersecurity Framework for public comment in October 2013. The final version will be published in February 2014.

NIST noted in the draft that the Framework is not a one-size-fits-all approach for all critical infrastructure organizations. Utilities, power plants, transportation companies, water management organizations, contractors and other sectors each face their own set of unique challenges.

“Because each organization’s risk is unique, along with their implementation of information technology and operational technology (OT), the implementation of the Framework will vary,” it said. “The focus of the Framework is to support the improvement of cybersecurity for the nation’s critical infrastructure using industry-known standards and best practices.”

The Framework provides a common language and mechanism for organizations to: 1) describe their current cybersecurity posture; 2) describe their target state for cybersecurity; 3) identify and prioritize opportunities for improvement within the context of risk management; 4) assess progress toward the target state; and 5) foster communications among internal and external stakeholders.

NIST also stressed that the Framework complements, and does not replace, an organization’s existing business or cybersecurity risk management process and cybersecurity program. Rather, an organization can keep its current processes and use the Framework to identify opportunities to improve its cybersecurity risk management. Alternatively, an organization without an existing cybersecurity program can use the Framework as a reference when establishing one.

Of course, adoption of the Framework is entirely voluntary, and NIST is concerned that adoption will be slow at best in these resource-constrained times, despite the uptick in SCADA vulnerability discovery and threats. One obstacle, for instance, is the difficulty of clearly identifying the benefits of making particular cybersecurity investments. To help ease or balance out that financial burden, the White House is exploring incentives for program participants, such as making adoption of the Framework a condition or a weighted criterion for federal critical infrastructure grants.