NIST Draft Cybersecurity Framework

Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President under the Executive Order “Improving Critical Infrastructure Cybersecurity” has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.

Discussion Draft of the Preliminary Cybersecurity Framework

A Discussion Draft of the Preliminary Cybersecurity Framework for improving critical infrastructure cybersecurity is now available for review. This draft is provided by the National Institute of Standards and Technology (NIST) in advance of the Fourth Cybersecurity Framework workshop on September 11-13, 2013, at the University of Texas at Dallas. In addition, NIST is providing a draft Executive Overview and Illustrative Examples for review.

Participants are asked to review these discussion draft materials in advance of the workshop. The workshop is designed to allow participants to offer substantive input on these versions, as well as on related topics — including implementation and governance of the Framework.

Comments from the public also can be provided via email to [email protected]

Discussion Draft – Preliminary Cybersecurity Framework, August 28, 2013

Discussion Draft – Executive Overview, August, 28, 2013

Discussion Draft – Illustrative Examples, August 28, 2013

Discussion Draft – Illustrative Example, ICS Profile for the Electrical Subsector, August 30, 2013

 

Supporting Materials:

DRAFT Outline – Preliminary Cybersecurity Framework, July 1, 2013
The purpose of this document is to define the overall Framework and provide guidance on its usage. The primary audiences for the document and intended users of the Framework are critical infrastructure owners and operators and their partners. However, it is expected that many organizations facing cybersecurity challenges may benefit from adopting the Framework. The Framework is being designed to be relevant for organizations of nearly every size and composition. It is also expected that many organizations that already are productively and successfully using appropriate cybersecurity standards, guidelines, and practices – including those who contributed suggestions for inclusion in this document – will continue to benefit by using those tools.

DRAFT – Framework Core
The Framework Core offers a way to take a high-level, overarching view of an organization’s management of cybersecurity risk by focusing on key functions of an organization’s approach to this security. These are then broken down further into categories. The Framework’s core structure consists of:

• Five major cybersecurity functions and their categories and subcategories
• Three Framework Implementation Levels associated with an organization’s cybersecurity functions and how well that organization implements the framework.

DRAFT – Compendium
The Framework’s core also includes the compendium of informative references, existing standards, guidelines, and practices to assist with specific implementation.

The compendium of informative references that included standards, guidelines and best practices is provided as an initial data set to map specifics to sub-categories, categories and functions. The Framework’s compendium points to many standards – including performance and process-based standards. These are intended to be illustrative and to assist organizations in identifying and selecting standards for their own use and for use to map into the core Framework. The compendium also offers practices and guidelines, including practical implementation guides.

 

Background – NIST Responsibilities

NIST will develop the Framework in a manner that is consistent with its mission to promote U.S. innovation and industrial competitiveness. The Framework will be developed by ongoing engagement with, and input from, stakeholders in government, industry, and academia, including an open public review and comment process, workshops and other means of engagement.

To develop the Framework, NIST will use a Request for Information (RFI) and ongoing stakeholder engagement to: (i) identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities; (ii) specify high-priority gaps for which new or revised standards are needed; and (iii) collaboratively develop action plans by which these gaps can be addressed.

The Framework will seek to promote the wide adoption of practices to increase cybersecurity across all sectors and industry types. It will seek to provide owners and operators a flexible, repeatable and cost effective risk-based approach to implementing security practices while allowing organizations to express requirements to multiple authorities and regulators.

The below presentation shows the process by which NIST will work with stakeholders to develop the Initial Framework.

Cybersecurity Framework Development Overview

Update on Development of the Cybersecurity Framework (July 24, 2013)

Update on Development of the Cybersecurity Framework (June 18, 2013)

Events:

Throughout the development of the Framework, NIST will host a series of events and workshops to gather additional input and develop the Framework. Look here for an updated schedule of events.

• 4th Cybersecurity Framework Workshop – September 11-13, 2013
• 3rd Cybersecurity Framework Workshop – July 10-12, 2013
  • Cybersecurity Framework Development Overview
  • Closing Plenary
• 2nd Cybersecurity Framework Workshop – May 29-31, 2013
  • Initial Analysis of Cybersecurity Framework RFI Responses
  • Cybersecurity Framework Development Overview
  • Closing Plenary
• 1st Cybersecurity Framework Workshop – April 3, 2013

RFI

NIST has issued a Request for Information (RFI) in the Federal Register to gather initial information on the many interrelated considerations, challenges, and efforts needed to develop the Framework.

RFI

If you have any questions, please contact NIST at [email protected].

RFI Supporting Materials:

RFI – Framework for Reducing Cyber Risks to Critical Infrastructure

RFI Comments

Initial Analysis Cybersecurity Framework RFI Responses

NOI

The Department of Commerce has issued a Notice of Inquiry (NOI) in the Federal Register to gather comments from the private sector on a broad set of incentives that could help to promote the adoption of proven efforts to address cybersecurity vulnerabilities.

If you have any questions, please email [email protected].

The Framework

As responses come in to the Request for Information, they will be publicly posted here to encourage wide review and public engagement.

Contact Us

For further information and/or questions about the Cybersecurity Framework, contact us at:[email protected]