"We're from the Government and we're to help with Cybersecurity..." - NIST Preliminary Cybersecurity Framework Released
How in the world are entities supposed to deal with cybersecurity in a world without standards, even voluntary ones? The National Institute of Standards and Technology (NIST) is looking to remedy that. On October 22nd, NIST released a Preliminary Cybersecurity Framework to help critical infrastructure owners and operators reduce cybersecurity risks in industries such as power generation, transportation and telecommunications. NIST will open a 45-day public comment period on the Preliminary Framework and plans to release the official framework in February 2014.
The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) today released its Preliminary Cybersecurity Framework (PDF) to help critical infrastructure owners and operators reduce cybersecurity risks in industries such as power generation, transportation and telecommunications. In the coming days, NIST will open a 45-day public comment period on the Preliminary Framework and plans to release the official framework in February 2014, as called for in Executive Order 13636—Improving Critical Infrastructure Cybersecurity.
In February 2013, President Obama directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks, recognizing that U.S. national and economic security depends on the reliable functioning of critical infrastructure. Through a request for information and a series of workshops held throughout 2013, NIST engaged with more than 3,000 individuals and organizations on standards, best practices and guidelines that can provide businesses, their suppliers, their customers and government agencies with a shared set of expected protections for critical information and IT infrastructure.
"Thanks to a tremendous amount of industry input, the voluntary framework provides a flexible, dynamic approach to matching business needs with improving cybersecurity," said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher. "We encourage organizations to begin reviewing and testing the Preliminary Framework to better inform the version we plan to release in February."
The Preliminary Framework outlines a set of steps that can be customized to various sectors and adapted by both large and small organizations while providing a consistent approach to cybersecurity. It offers a common language and mechanism for organizations to determine and describe their current cybersecurity posture, as well as their target state for cybersecurity. The framework will help them to identify and prioritize opportunities for improvement within the context of risk management and to assess progress toward their goals.
The framework will foster communications among internal and external stakeholders and help organizations hold each other accountable for strong cyber protections while allowing flexibility for specific approaches tailored to each business' market and regulatory environment. Its integrated approach focuses on outcomes, rather than any particular technology, to encourage innovation.
It's just too easy to take pot shots, so I won't. I'll applaud our Government in at least trying to do this. IMHO, this is a good kind of role for government...