The NIST Cybersecurity Framework turns 1 on Feb. 12 tomorrow, fulfilling its initial goal of acting as a voluntary framework to improve cybersecurity for critical infrastructure in the United States.
In many ways, it has accomplished much more than that, by providing a platform from which to discuss cybersecurity on a grander scale than in the past.
“It has documented a set of control objectives which can be read as a definition of cybersecurity—a term which has always been somewhat vague,” said Gregory Nowak, principal research analyst at the Information Security Forum, in an email. “It has created a common language for cybersecurity, where there previously was none. Secondly, it has started a national conversation about cybersecurity and the control measures necessary to improve it.”
In February 2013, President Obama issued an executive order calling for the development of a voluntary, risk-based cybersecurity framework—a set of existing standards, guidelines and practices to help organizations charged with providing the nation's financial, energy, health care and other critical systems better protect their information and physical assets from cyber-attack.
The resulting framework was created through public-private collaboration via a series of recommendations, drafts and comment periods over the course of 2013 before being finalized in February of 2014. Nowak noted that an unexpected success of the framework is the extent to which it has caused the conversation about cybersecurity to expand beyond the information security community.
“Our members report that security professionals are fielding questions from many corporate functions—business units, legal, HR and public relations—about whether they have implemented the Cybersecurity Framework,” said Nowak. “Similarly, we hear from our Information Security Forum members outside the US—in both the public and private sectors—that they are interested in demonstrating alignment with the framework, or adopting something similar.”
During 2014, the question became how to spur along implementation by organizations. To help ease the process, the ISF last fall created a mapping between the framework and its annual Standard of Good Practice for IT security professionals.
“By providing leadership in this area, NIST has advanced the cause of cybersecurity worldwide,” Nowak added. “While no document can guarantee security, providing a common language and gaining the attention of decision-makers outside the security community are significant contributions that cannot be overlooked.”