NIST issues preliminary cybersecurity draft framework
Sources say the draft is a 'solid gauge' of what the final framework is likely to look like.
NIST is working toward a framework to protect America's assets, such as the power grid, from cyber attack. (Stock image)
The National Institute of Standards and Technology released a preliminary cybersecurity draft framework outlining standards, best practices and guidance expected to be codified in October as directed by President Barack Obama's February executive order.
A NIST spokesperson said the documents released Aug. 28 are a discussion draft ahead of NIST's upcoming meeting in Dallas, to be held Sept. 11-13, the fourth in a series of workshops in which officials meet with industry to discuss cybersecurity and help shape the forthcoming framework.
Sources say the preliminary draft, a document NIST officials stress is meant to complement and not replace organizations' existing cybersecurity processes, is a solid gauge of what the official framework will look like.
"The framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk, in a manner similar to financial, safety, and operational risk," the NIST document states. "The framework is not a one-size-fits-all approach for all critical infrastructure organizations. Because each organization's risk is unique, along with their implementation of information technology and operational technology, the implementation of the framework will vary."
At the heart of the preliminary draft are three main points -- the framework core, implementation tiers and profile -- designed to provide industry and government with a common cybersecurity taxonomy, establish goals and targets, identify and prioritize opportunities for improvement, assess progress and improve communications between stakeholders.
The core is broken down into five functions: identify what must be protected and establish priorities and processes for reaching risk management goals; protect by implementing safeguards to ensure critical infrastructure services; detect by establishing methods for identifying malicious activities; respond by developing and implementing priorities and activities for taking action after an event; and recover by establishing tools for restoring impaired capabilities after malicious activity.
The framework's implementation tiers help "reflect how an organization implements the framework core functions and categories and manages its risk." The progressive tiers range from zero, or partial, in which an organization only partially follows the framework's guidelines, to three, or adaptive, in which ongoing updates enable agile cybersecurity and risk management.
The profile portion of the framework effectively summarizes an organization's standing in terms of its management of cyber risks. The profile is based on the use of the framework's core functions, which include categories and subcategories, and how much of the guidance is being implemented or planned for implementation. The profile also is used to identify an organization's cybersecurity goals and assess progress toward those goals.
"By relying on practices developed, managed, and updated by industry, the framework will evolve with technological advances and will align with business needs," NIST's executive summary notes. "Unique missions, threats, vulnerabilities, and risk tolerances may require different risk management strategies. One organization's decisions on how to manage cybersecurity risk may differ from another. The framework is intended to help each organization manage cybersecurity risks while maintaining flexibility and the ability to meet business needs."