NIST publishes draft outline for Cybersecurity Framework
By Mickey McCarter
A week ahead of the next national workshop for development of a Cybersecurity Framework, the National Institute of Standards and Technology (NIST) posted a draft outline of the framework to solicit public input.
NIST is hosting a workshop in San Diego, Calif., at the University of California to meet with participants interested in building out the Cybersecurity Framework, intended to be a voluntary guide for how business owners and operators mitigate and respond to major cyberattacks.
The outline, which is currently rather brief, specifies a core structure for the overall framework. It reflects feedback from businesses that have replied to a NIST solicitation as well as those that have participated in previous workshops.
“We are pleased that many private-sector organizations have put significant time and resources into the framework development process,” said Adam Sedgewick, NIST senior information technology policy advisor, in a statement Tuesday. “We believe that both large and small organizations will be able to use the final framework to reduce cyberrisks to critical infrastructure by aligning and integrating cybersecurity-related policies and plans, functions and investments into their overall risk management.”
On Monday, NIST published a draft outline addressing issues of interest to owners and operators of US critical infrastructure as well as a framework core discussing five major cybersecurity functions and a compendium of references. The agency will hold a fourth national workshop after the gathering in San Diego on July 10-12, and it will publish a draft Cybersecurity Framework for public comment in October.
Manuel Humberto Santander Peláez, an analyst at the SANS Internet Storm Center, praised the draft outline for the Cybersecurity Framework upon its release.
“While this framework is still in draft state, I consider it a breakthrough in increasing the level of security of critical infrastructure, as critical infrastructure officers of the companies have always been reluctant to implement security measures as in the IT normal world because it goes against the way their operating processes work and because managers of these areas see no value added in these tasks,” he wrote. “This framework shows them information security as part of their function and shows a way to integrate seamlessly into the normal business operation, as they work the same process to prevent operation risks to the critical infrastructure, like power disruption, pipe explosion, transformer damage and many others.”
Directed primarily at senior executives, the draft outline proposes steps for executives, managers and staff under functions for an organization’s cybersecurity approach. The five key cybersecurity functions envisioned by the outline are know, prevent, detect, respond and recover — each of these has categories where specific objectives and skills are brought to bear. For example, under the prevent function, categories include identity and access management, physical security, and training and awareness.
The draft outline acknowledges some shortcomings in guidance under the Cybersecurity Framework, as determined by public comments so far. The shortcomings include a lack of standards, guidelines and practices to address privacy and civil liberties and a lack of useful metrics for measuring the effectiveness of cybersecurity operations. NIST continues to ask for input into those areas.
The Cybersecurity Framework is one of several products under development at NIST and the Department of Homeland Security in response to Executive Order 13636, published Feb. 12.