NIST debuts preliminary framework for securing critical infrastructure
A draft of the voluntary framework was released by NIST.
The National Institute of Standards and Technology (NIST) has introduced a preliminary cyber security framework to help companies thwart critical infrastructure attacks.
Released Tuesday, the framework (PDF) offers guidance that supports President Obama's “Improving Critical Infrastructure Cybersecurity” executive order issued in February. NIST has encouraged organizations to implement the voluntary framework, which is designed to complement an enterprise's existing security management program – not replace it.
The 47-page document aims to build off of existing standards, guidelines and best practices and “provides a common language and mechanism” for organizations to carry out four major steps: to describe their current security posture; describe their target cyber security state; identity and prioritize opportunities for risk management improvement; assess their progression toward their target posture; and foster communications among internal and external stakeholders," the framework said.
The guidelines are made up of three parts: the framework core, profile and implementation tiers.
“A key objective of the framework is to encourage organizations to consider cyber security risk as a priority similar to financial, safety and operational risk while factoring in larger systemic risks inherent to critical infrastructure,” the document said.
On Wednesday, Gerald Ferguson, a partner at law firm BakerHostetler, told SCMagazine.com that an earlier draft of the framework, released in late August, provided an outline of what companies were to expect in this version.
Ferguson also serves as the firm's coordinator for its Intellectual Property, Technology and Media Group and is the national co-leader of BakerHostetler's privacy and data protection team.
He advised that though the framework is voluntary, companies would have additional checks in place should litigation arise in response to breaches at their organization.
“I don't think that there is anything in this document that is going to be surprising to a security expert at a company who has been spending a lot of time understanding best practices,” Ferguson said. “This document was not created out of thin air, it is the product of a lot of cooperation between private industry and NIST."
He added that he believes it "would be a mistake for companies to ignore this document, because when parties get into litigation and disputes there is always an effort to identify industry standards."
NIST plans to release a final version of the framework in February, after it goes through a period of public comment.