NIST Framework Released to Widespread Praise, But What Happens Next?
Thu, February 13, 2014
CSO — Following a solid year of intensive work, the National Institute of Standards and Technology (NIST) released yesterday its "final" framework for improving critical infrastructure cybersecurity as mandated under a February 2013 executive order by President Obama. The 41-page document closely tracks, with some notable changes, the preliminary framework released by NIST in November.
The framework consists of a core set of activities, outcomes and references that are common across critical infrastructure industries. Also included are implementation tiers that describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics of the framework, as well as a framework profile that aligns standards, guidelines, and practices to the framework core in any particular implementation scenario.
Among the key changes made to the preliminary version is the elimination of a controversial privacy appendix, which many critical infrastructure owners found overly expansive. Instead, softer suggested privacy methodology is now incorporated into a section that provides guidance on how to use the framework.
Another important change is the elimination of any language referring to the "adoption" of the framework. Earlier versions referenced adoption of the framework, sparking many questions at NIST-run workshops and in formal comments regarding how to define adoption, a word that evokes regulation and is potentially contrary to the voluntary nature of the framework. Instead, NIST has emphasized the concept of "using" the framework to improve cybersecurity.
Finally, NIST has revamped its earlier section on areas for improvement in the framework and has instead produced a roadmap for improving upon the framework, covering topics such as authentication; automated indicator sharing; conformity assessment; cybersecurity workforce; data analytics; international aspects; privacy standards; and supply chain risk management.
The framework was widely praised at a high-profile release event in Washington, preceded by a statement from President Obama. The framework "is a great example of how the private sector and government can, and should, work together to meet this shared challenge," Obama said, adding that much more work needs to be done on cybersecurity, particularly the need for Congress to pass legislation that provides greater legal protection to spur greater cybersecurity information sharing.
Michael Daniel, Obama's cybersecurity coordinator, echoed at the launch event the need for congressional action, saying that "the threats are only becoming more sophisticated [a]s our adversaries become more capable in their offenses."
Accolades for the framework poured in from numerous companies and trade associations following its release. "This guideline provides a flexible structure that can help organizations improve information security protection programs to manage risks to industrial control and information systems," Rockwell Automation CEO Keith Nosbusch said in a statement.