The National Institute of Standards and Technology (NIST) has just released its Preliminary Cybersecurity Framework: a set of best practices to help owners and operators of critical infrastructure reduce cybersecurity risks. This voluntary framework provides both private and public-sector organizations with a common language for understanding and managing cybersecurity risks internally and externally. The framework stems from President Obama’s February 2013 Executive Order on cybersecurity, previously covered by this blog. The Final Framework is due to be released in February 2014, following a 45-day public comment period on the Preliminary Framework.
The Preliminary Framework is composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.
The Framework Core is a set of cybersecurity activities and references that are common across critical infrastructure sectors. It is presented in a manner that allows for communication of cybersecurity risk across the organization, from the senior executive level to the implementation/operations level. The Framework Core consists of five functions — Identify, Protect, Detect, Respond, Recover — which can provide a high-level, strategic view of an organization’s management of cybersecurity risk. These five functions are divided into categories, which are then split into subcategories. The subcategories then refer to existing industry standards and practices. This structure is intended to tie high-level cybersecurity strategy to known solutions.
Next, the Framework Profile is a tool to enable organizations to establish a roadmap for reducing cybersecurity risk. Essentially, it is used to align the functions, categories, subcategories, and industry standards identified in the Framework Core with the business requirements and risk tolerance of the specific organization. The Profile is also used to identify opportunities to improve cybersecurity by enabling an organization to determine both the current state and the target state of specific cybersecurity activities. Thus, a company can use the Framework Profile to conduct a self-assessment of its overall cybersecurity risk.
Finally, the Framework Implementation Tiers describe how an organization manages its cybersecurity risk by providing a ranking system for the rigor of a company’s cybersecurity risk management practices. For example, an organization in Tier 1 has limited awareness of cyber-risk and lacks an established, organization-wide approach to managing cybersecurity risk. By contrast, a business in Tier 4 engages in a process of continually improving its cybersecurity practices and makes cybersecurity risk management a part of its culture. Again, these tiers are intended to assist an organization in evaluating the sophistication of its existing cyber-risk management practices.
While NIST’s proposed framework is directed at ensuring the national and economic security of the United States, the need for cybersecurity creates business risks that must be addressed by any prudent company. To be sure, it is not a question of whether a company will have its systems compromised by hackers; rather, it is merely a question of when this will occur and, importantly, how much damage will be wrought after the infiltration. For that reason, organizations—whether considered part of the nation’s critical infrastructure or not—are encouraged to adopt the Framework when finalized, because it provides an opportunity to protect against the potentially catastrophic consequences of a cyber attack. Among other things, the failure to adopt the Framework may expose an organization to costly litigation.
This blog will cover the Final Framework when it is released in February 2014.