Following a solid year of intensive work, the National Institute of Standards and Technology (NIST) released yesterday its "final" framework for improving critical infrastructure cybersecurity as mandated under a February 2013 executive order by President Obama. The 41-page document closely tracks, with some notable changes, the preliminary framework released by NIST in November.
The framework consists of a core set of activities, outcomes and references that are common across critical infrastructure industries. Also included are implementation tiers that describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics of the framework, as well as a framework profile that aligns standards, guidelines, and practices to the framework core in any particular implementation scenario.
Among the key changes made to the preliminary version is the elimination of a controversial privacy appendix, which many critical infrastructure owners found overly expansive. Instead, softer suggested privacy methodology is now incorporated into a section that provides guidance on how to use the framework.
Another important change is the elimination of any language referring to the "adoption" of the framework. Earlier versions referenced adoption of the framework, sparking many questions at NIST-run workshops and in formal comments regarding how to define adoption, a word that evokes regulation and is potentially contrary to the voluntary nature of the framework. Instead, NIST has emphasized the concept of "using" the framework to improve cybersecurity.
Finally, NIST has revamped its earlier section on areas for improvement in the framework and has instead produced a roadmap for improving upon the framework, covering topics such as authentication; automated indicator sharing; conformity assessment; cybersecurity workforce; data analytics; international aspects; privacy standards; and supply chain risk management.
The framework was widely praised at a high-profile release event in Washington, preceded by a statement from President Obama. The framework "is a great example of how the private sector and government can, and should, work together to meet this shared challenge," Obama said, adding that much more work needs to be done on cybersecurity, particularly the need for Congress to pass legislation that provides greater legal protection to spur greater cybersecurity information sharing.
Michael Daniel, Obama's cybersecurity coordinator, echoed at the launch event the need for congressional action, saying that "the threats are only becoming more sophisticated [a]s our adversaries become more capable in their offenses."
Accolades for the framework poured in from numerous companies and trade associations following its release. "This guideline provides a flexible structure that can help organizations improve information security protection programs to manage risks to industrial control and information systems," Rockwell Automation CEO Keith Nosbusch said in a statement.
The Information Technology Industry Council congratulated NIST for providing a model of effective public-private collaboration. "In effect, the U.S. Government leveraged a tremendous amount of stakeholder input in an open, transparent, and collaborative manner, to create a major cybersecurity policy initiative," Danielle Kriz, Director of Global Cybersecurity Policy for the group said in a blog post.