After several months of work on bringing together best practices and standards that could be used by owners and operators of the nation’s critical infrastructure, the National Institute of Standards and Technology (NIST) this week released a draft outline of the emerging Cybersecurity Framework that proposes a core for an organization to view its management of cyber security risk.

The framework is trying to help business leaders evaluate how prepared their organizations are to deal with cyber threats and their impacts, NIST said.

The release of the three-page draft follows two spring workshops to discuss the emerging framework as well as other stakeholder engagements.

The 3rd Cybersecurity Framework Workshop will be held next week at the University of California San Diego’s Geisel Library. Photo: NIST.

“We are pleased that many private sector organizations have put significant time and resources into the framework development process,” Adam Sedgewick, senior information technology policy adviser at NIST, said in a statement on Tuesday. “We believe that both large and small organizations will be able to use the final framework to reduce cyber risks to critical infrastructure by aligning and integrating cyber security-related policies and plans, functions and investments into their overall risk management.”

NIST also released a draft compendium of references, existing standards, guidelines, and practices to help with specific implementation.

NIST is coordinating the development of the framework, which will consist of existing standards and best practices, so that crucial infrastructures can voluntarily draw from it to better protect their computer networks from cyber threats. Establishment of the framework was called for in an executive order issued by President Barack Obama in February, with the final version due in February 2014.

The framework core released on Tuesday consists of five major cyber security functions—know, prevent, detect, respond, and recover—and their categories and subcategories. It also has three implementation levels outlining roles for senior executives, business process managers, and operational managers, associated with an organization’s cyber security functions and how well that organization implements the framework.

A third workshop on the framework with stakeholders is scheduled for next week in San Diego.