NIST Issues Preliminary Cybersecurity Framework

NIST has released its Preliminary Cybersecurity Framework, aimed at helping critical infrastructure owners and operators reduce cybersecurity risks in industries such as power generation, transportation and telecommunications

The framework is one of the fruits of President Obama’s February Executive Order, requiring agencies to work to improve information-sharing and best practices for critical infrastructure cybersecurity. Accordingly, NIST has been working with stakeholders to develop its voluntary framework for reducing cyber-risk, through a request for information and a series of workshops held throughout 2013. NIST engaged with more than 3,000 individuals and organizations on standards, best practices and guidelines that can provide businesses, their suppliers, their customers and government agencies with a shared set of expected protections for critical information and IT infrastructure.

NIST plans to soon open a 45-day public comment period on the Preliminary Framework and plans to release the official framework in February 2014.

"Thanks to a tremendous amount of industry input, the voluntary framework provides a flexible, dynamic approach to matching business needs with improving cybersecurity," said Under Secretary of Commerce for Standards and Technology and NIST director Patrick Gallagher, in a statement. "We encourage organizations to begin reviewing and testing the Preliminary Framework to better inform the version we plan to release in February."

It comes at a time when vulnerabilities in critical infrastructure such as water facilities and electrical substations have been making headlines. Much of the issue boils down to aging systems and infrastructure, and highly specific internal processes that have not been modernized for the all-digital era. To simplify implementation, the Preliminary Framework outlines a set of steps that can be customized to individual sectors and adapted by both large and small organizations while providing a consistent approach to cybersecurity. It offers a common language and mechanism for organizations to determine and describe their current cybersecurity posture, as well as their target state for cybersecurity. The framework will help them to identify and prioritize opportunities for improvement within the context of risk management and to assess progress toward their goals.

The hope is that the framework will foster communications among internal and external stakeholders and help organizations hold each other accountable for strong cyber-protections, while allowing flexibility for specific approaches tailored to each business' market and regulatory environment. Its integrated approach focuses on outcomes, rather than any particular technology, to encourage innovation.

"We want to turn today's best practices into common practices, and better equip organizations to understand that good cybersecurity risk management is good business," explained Gallagher. "The framework will be a living document that allows for continuous improvement as technologies and threats evolve. Industry now has the opportunity to create a more secure world by taking ownership of the framework and including cyber risks in overall risk management strategies."

To bolster adoption of the framework by private companies responsible for running the infrastructure, the White House is also mulling incentives for the market, it said over the summer.

NIST said that it will hold a workshop to discuss the Preliminary Framework – including implementation and further governance – Nov. 14 and 15, 2013, at North Carolina State University. 
