President Barack Obama’s administration on Wednesday released its much-anticipated voluntary cybersecurity framework, giving U.S. companies a common handbook on how they can try to fend off hackers.
The Framework for Improving Critical Infrastructure Cybersecurity, put out by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST), is intended to help banks, utilities, technology companies and other businesses that work with critical infrastructure better appraise their risk from hackers and fortify themselves against cyberattacks. The guidelines, which NIST said it will update as warranted, came one year after Obama signed Executive Order 13636 directing NIST to give companies a set of best practices for mitigating cyberrisk.
“Today I was pleased to receive the cybersecurity framework, which reflects the good work of hundreds of companies, multiple federal agencies and contributors from around the world,” Obama said in a written statement. “This voluntary framework is a great example of how the private sector and government can, and should, work together to meet this shared challenge.”
The 41-page framework [PDF] focuses on what businesses can do to improve their cybersecurity, building on the policies they already have in place and on what they are hoping to accomplish. NIST says the framework isn’t a “one-size-fits-all approach” to improving critical infrastructure cybersecurity, noting that companies can use it in different ways. But the agency listed several steps businesses can take to put the framework to use.
NIST recommends that companies begin by prioritizing their business objectives and identifying the digital threats to those priorities. Businesses then should determine how they currently identify, protect against, detect, respond to and recover from cyberattacks, the five functions that make up the framework’s core and that describe a company’s current cybersecurity profile.
Next, companies should perform a risk assessment and define their cybersecurity objectives as a target profile. Finally, businesses should determine the gaps that exist between their current profile and the profile they want, allowing them to develop their own prioritized action plan for closing those gaps.
Ann Beauchesne, the U.S. Chamber of Commerce’s vice president of national security and emergency preparedness, said the U.S. government must do more to improve cybersecurity. The framework needs the enactment of information-sharing legislation to be effective, she said.
“Businesses need policies that foster public-private partnerships—unencumbered by legal and regulatory penalties—so that individuals can experiment freely and quickly to counter evolving threats to U.S. companies,” Beauchesne said in a written statement. “We will continue to work with Congress toward this goal.”
The Center for Democracy and Technology had concerns about the framework, too. Greg Nojeim, director of the privacy advocacy group’s Project on Freedom, Security & Technology, said the framework lacks strong privacy provisions. NIST says it created only “a general set” of processes in that area because privacy considerations differ from one industry to another.
“We would have preferred a framework that requires more measurable privacy protections as opposed to the privacy processes that were recommended,” he said in a written statement. “As the framework is implemented, we are hopeful that such privacy protections are further developed and become standardized.”
With the release of the framework, the U.S. Department of Homeland Security launched the Critical Infrastructure Cyber Community (C³) Voluntary Program, which is intended to help companies adopt the NIST guidelines. The Obama administration also continues to work on incentives to encourage companies to implement the framework. But a senior administration official who wasn’t authorized to comment publicly said the incentives won’t be the main driver of adoption.
“Don’t get me wrong—I think the government-based incentives are really important for us to pursue,” the official said. “But at the end of the day, it’s the market that’s got to drive the business case for the cybersecurity framework.”