In February 2013, President Obama issued an executive order calling for the development of a voluntary, risk-based cybersecurity framework – a set of existing standards, guidelines and practices to help organizations charged with providing the nation's financial, energy, health care and other critical systems better protect their information and physical assets from cyber-attack.
The resulting framework was created through public-private collaboration via a series of recommendations, drafts and comment periods over the course of the last year.
"The framework provides a consensus description of what's needed for a comprehensive cybersecurity program," said under-secretary of commerce for standards and technology and NIST, director Patrick Gallagher, in a statement. "It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business."
The idea is for organizations to adopt the framework to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment and establish a plan for improving or maintaining their cybersecurity. It also offers a methodology to protect privacy and civil liberties to help organizations incorporate those protections into a comprehensive cybersecurity program.
(ISC)² hailed the release.
“The experts at NIST have put together a comprehensive, yet flexible, plan for organizations to effectively manage cyber risk under the increasing pressure of the nation’s evolving threat landscape,” said W. Hord Tipton, executive director of (ISC)² and former CIO for the US Department of Interior, in an email to Infosecurity.
The three main elements described in the document are the framework core, tiers and profiles. The core presents five functions – identify, protect, detect, respond and recover – that taken together allow any organization to understand and shape its cybersecurity program. The tiers describe the degree to which an organization's cybersecurity risk management meets goals set out in the framework and, NIST said, "range from informal, reactive responses to agile and risk-informed." The profiles help organizations progress from a current level of cybersecurity sophistication to a target improved state that meets business needs.
"The development of this framework has jumpstarted a vital conversation between critical infrastructure sectors and their stakeholders," said Gallagher. "They can now work to understand the cybersecurity issues they have in common and how those issues can be addressed in a cost-effective way without reinventing the wheel."
NIST also released a roadmap document to accompany the framework, laying out a path toward future framework versions and ways to identify and address additional areas of cybersecurity development, alignment and collaboration as they arise. One area will be models for future governance of the framework, such as potential transfer to a non-government organization, it said.
“While the framework is the culmination of a year-long effort that brought together thousands of individuals and organizations from industry, academia and government, it is expected to be a first step in a continuous process to improve the nation's cybersecurity,” it noted.
Tipton also said that the workforce skills gap should be part of the discussions. “Unfortunately, the lack of qualified information security professionals with the skills and knowledge to create, understand, and implement such programs remains an area of improvement that must be further addressed,” he said. “A skilled workforce is the foundation of any successful security program. I believe the success of the Cybersecurity Framework will depend on how quickly and effectively the area of workforce shortage is addressed.”