On Feb. 12, 2014, following a year-long development process, the Commerce Department’s National Institute of Standards and Technology (NIST) released a framework for improving critical infrastructure cybersecurity. Although aimed in particular at providers of energy, financial, health care, communications, and other critical systems and services, the framework provides a standard model for the creation of new cybersecurity programs and the evaluation and improvement of existing programs that can be used by organizations of any size and in any industry.
The framework has its genesis in Executive Order 13636, Improving Critical Infrastructure Cybersecurity. Issued by President Obama in February 2013, the order called for stakeholders in the private and public sectors to collaborate in the development of voluntary, industry-specific standards to help organizations improve the security of critical infrastructure and reduce the risks posed by cyber-attacks. In the year since the order was issued, NIST sought input from individuals and organizations on how cyber-risk can be managed in a cost-effective manner without imposing an additional regulatory burden on businesses.
The fruit of that effort, the framework describes and defines a common taxonomy and mechanism for organizations to:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state; and
- Communicate among internal and external stakeholders about cybersecurity risk.
The framework is expected — and intended — to evolve and change along with technology, and as such is best understood as the starting point of an ongoing effort to improve the country’s cybersecurity.
The framework comprises three main elements: the “core,” “tiers,” and “profiles.” The “core” consists of five concurrent and continuous functions — identify, protect, detect, respond and recover — that allow organizations to conceptualize and systematize their approach to cybersecurity. Each of the core functions is further divided into categories tied to programmatic needs and particular activities, such as “Asset Management,” “Access Control,” and “Detection Processes.” Categories, in turn, are divided into subcategories that identify specific activities or outcomes, such as “External information systems are catalogued,” “Data-at-rest is protected,” and “Notifications from detection systems are investigated.” These outcomes or activities refer to informative references, which are specific sections of standards, guidelines, and practices that illustrate a method to achieve the outcomes associated with each subcategory.
“Tiers” describe the level of sophistication and rigor an organization employs in applying its cybersecurity practices, and provide a context for applying the core functions. Comprising four levels from “Partial” (Tier 1) to “Adaptive” (Tier 4), the tiers describe approaches to cybersecurity that “range from informal, reactive responses to agile and risk-informed.” Applying the definitions provided in the framework, a business can characterize its current cybersecurity practices and select a target level appropriate to the cybersecurity threats it faces.
The framework “Profile” is the alignment of the core functions, categories, and subcategories with the business requirements, risk tolerance, and resources of the organization into a comprehensive map for reducing cybersecurity risk. Creation of current and target profiles can help direct organizations’ efforts toward improved cybersecurity in a methodical manner.
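As an added illustration (not part of the original article or of NIST’s own materials), the script below models a small slice of the core, scores each subcategory outcome in a current and a target profile, and turns the difference into a prioritized gap list and a progress figure. The core subset, the 0–4 implementation scale, and the risk-tolerance weights are all constructed for the example; the framework itself applies tiers to the organization as a whole, not to individual outcomes, and the function and category placement of the three quoted outcomes is illustrative rather than copied from the published core.

```python
"""Current-vs-target profile gap analysis, constructed example."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed subset of the core: function -> category -> subcategory outcomes.
# The outcome strings are the three quoted in the article; their placement
# under a function and category here is illustrative only.
CORE: Dict[str, Dict[str, List[str]]] = {
    "Identify": {"Asset Management": ["External information systems are catalogued"]},
    "Protect": {"Access Control": ["Data-at-rest is protected"]},
    "Detect": {"Detection Processes": ["Notifications from detection systems are investigated"]},
}

# Constructed per-outcome implementation scale, 0 (not addressed) .. 4.  It
# loosely mirrors the four tiers but is not the framework's own metric.
MAX_SCORE = 4

ALL_OUTCOMES = [o for cats in CORE.values() for outs in cats.values() for o in outs]
CATALOGUED, DATA_AT_REST, NOTIFICATIONS = ALL_OUTCOMES


@dataclass
class GapItem:
    outcome: str
    current: int
    target: int
    weight: float  # constructed risk-tolerance weight, 1.0 = default

    @property
    def gap(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> float:
        # A larger gap on a more critical outcome ranks first.
        return self.gap * self.weight


def build_profile(scores: Dict[str, int]) -> Dict[str, int]:
    """Validate a profile: every core outcome scored, every score in range."""
    missing = set(ALL_OUTCOMES) - set(scores)
    unknown = set(scores) - set(ALL_OUTCOMES)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for outcome, score in scores.items():
        if not 0 <= score <= MAX_SCORE:
            raise ValueError(f"{outcome!r}: score {score} outside 0..{MAX_SCORE}")
    return dict(scores)


def gap_analysis(current: Dict[str, int], target: Dict[str, int],
                 weights: Dict[str, float]) -> List[GapItem]:
    """Return outcomes whose target exceeds current, highest priority first."""
    items = [
        GapItem(o, current[o], target[o], weights.get(o, 1.0))
        for o in ALL_OUTCOMES
        if target[o] > current[o]
    ]
    return sorted(items, key=lambda i: (-i.priority, i.outcome))


def progress(current: Dict[str, int], target: Dict[str, int]) -> float:
    """Fraction of the total target score already achieved (1.0 = at target)."""
    needed = sum(target[o] for o in ALL_OUTCOMES)
    achieved = sum(min(current[o], target[o]) for o in ALL_OUTCOMES)
    return 1.0 if needed == 0 else achieved / needed


# Constructed sample profiles and weights for one hypothetical organization.
CURRENT_PROFILE = build_profile({CATALOGUED: 1, DATA_AT_REST: 3, NOTIFICATIONS: 2})
TARGET_PROFILE = build_profile({CATALOGUED: 3, DATA_AT_REST: 3, NOTIFICATIONS: 4})
WEIGHTS = {DATA_AT_REST: 2.0, NOTIFICATIONS: 1.5}

if __name__ == "__main__":
    for item in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, WEIGHTS):
        print(f"{item.priority:4.1f}  {item.current}->{item.target}  {item.outcome}")
    print(f"progress toward target: {progress(CURRENT_PROFILE, TARGET_PROFILE):.0%}")
```

The ranking puts the outcome that is both furthest from target and most heavily weighted first, which is the kind of prioritized list the “identify and prioritize opportunities for improvement” bullet above calls for; re-running the script against updated current scores gives the “assess progress toward the target state” figure over time.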
NIST also released a “Roadmap” to accompany the framework. The Roadmap describes NIST’s vision of the development of future framework versions, in which NIST will continue to serve as a convener and coordinator working to help organizations understand, use and improve the framework.
By creating a standardized conceptual approach to cybersecurity, the framework provides an extremely useful tool for businesses of all sizes, in all geographic locations, and across all industries. The framework is available online.