NIST debuts preliminary framework for securing critical infrastructure

A draft of the voluntary framework was released by NIST.

The National Institute of Standards and Technology (NIST) has introduced a preliminary cyber security framework to help companies thwart critical infrastructure attacks.

Released Tuesday, the framework (PDF) offers guidance that supports President Obama's “Improving Critical Infrastructure Cybersecurity” executive order issued in February. NIST has encouraged organizations to implement the voluntary framework, which is designed to complement an enterprise's existing security management program – not replace it.

The 47-page document aims to build on existing standards, guidelines and best practices and “provides a common language and mechanism” for organizations to carry out four major steps: describe their current security posture; describe their target cyber security state; identify and prioritize opportunities for risk management improvement; assess their progression toward their target posture; and foster communications among internal and external stakeholders, the framework said.

The guidelines are made up of three parts: the framework core, profile and implementation tiers.

“A key objective of the framework is to encourage organizations to consider cyber security risk as a priority similar to financial, safety and operational risk while factoring in larger systemic risks inherent to critical infrastructure,” the document said.

On Wednesday, Gerald Ferguson, a partner at law firm BakerHostetler, said that an earlier draft of the framework, released in late August, provided an outline of what companies were to expect in this version.

Ferguson also serves as the firm's coordinator for its Intellectual Property, Technology and Media Group and is the national co-leader of BakerHostetler's privacy and data protection team.

He advised that, although the framework is voluntary, companies that adopt it would have additional checks in place should litigation arise in response to breaches at their organization.

“I don't think that there is anything in this document that is going to be surprising to a security expert at a company who has been spending a lot of time understanding best practices,” Ferguson said. “This document was not created out of thin air, it is the product of a lot of cooperation between private industry and NIST.”

He added that he believes it “would be a mistake for companies to ignore this document, because when parties get into litigation and disputes there is always an effort to identify industry standards.”

NIST plans to release a final version of the framework in February, after it goes through a period of public comment.
