The National Institute of Standards and Technology (NIST) yesterday continued its work coordinating the development of a framework that brings together existing standards and best practices that owners and operators of the nation’s critical infrastructures can apply voluntarily to protect their computer networks from cyber threats.
One of the purposes of the discussions this week among NIST officials and government and industry stakeholders in the Cybersecurity Framework is to “leave here with a set of key principles for the framework, those elements that match both the needs of the government and industry and will lead to a meaningful, adaptable framework,” Patrick Gallagher, director of NIST, said at the workshop being hosted by Carnegie Mellon Univ. in Pittsburgh.
Gallagher added that the key principles should lead this week to the initial standards, best practices and protocols that will help critical infrastructures make better decisions in protecting their networks.
This week’s workshop, which began yesterday and ends tomorrow, will be followed in July by another workshop in San Diego. Gallagher said the outputs from the meetings this week, which will be shared publicly, will provide the inputs for the meetings in California.
The creation of the Cybersecurity Framework was called for in President Barack Obama’s Executive Order on cyber security in February, which also directed the federal government to share classified and unclassified cyber threat data with the private sector (Defense Daily, Feb. 13). Shortly after the White House issued the order, NIST issued a Request for Information (RFI) seeking input on the establishment of the framework. It also hosted its first workshop on the project in April (Defense Daily, April 4).
At the meetings in Pittsburgh yesterday, Gallagher said there are four main topics under discussion that stem from the themes generated in the responses to the RFI. The main topics are the business of cyber risk, threat management, cyber security dependencies and resiliency, and cyber security progression and maturity.
Earlier this month, NIST issued an initial analysis of the responses to the RFI. The analysis grouped the responses into three categories, each containing recurring and common themes. The categories are: Framework Principles, such as flexibility and leveraging existing standards and best practices; Common Points, such as senior management engagement, understanding the threat environment, the cyber security workforce and incident response; and Initial Gaps, including metrics, tools, privacy and civil liberties, resiliency and nomenclature around critical infrastructure cyber security. The NIST analysis says that the items within the Initial Gaps category are areas where the responses “were not sufficient to meet the goal of the Executive Order.”