From power generation and utilities to transportation and telecommunications, U.S. critical infrastructure provides a wide attack surface for cyber criminals. The National Institute of Standards and Technology (NIST), part of the Department of Commerce, was tasked by President Barack Obama’s cybersecurity executive order to devise a framework aimed at reducing cyber risks for owners and operators of U.S. critical infrastructure. The framework, which was released last month, is similar to draft documents previously issued for comment. While the framework does follow the overall format set out in discussions with industry, it does not reflect specific suggestions on privacy or compliance issues.
NIST engaged with more than 3,000 individuals and organizations to develop the Framework for Improving Critical Infrastructure Cybersecurity through a series of workshops and requests for information (RFIs), which yielded more than 200 public comments. Kevin Stine, manager of the Security Outreach and Integration Group in NIST's Computer Security Division, says that developing the framework in a collaborative way created new opportunities for engagement among U.S. critical infrastructure stakeholders.
“Everything you see in the framework was informed by comments we received throughout the process, including an RFI that we did earlier in the year, and our efforts have built off the feedback that we received throughout the process and the workshops,” he tells Security Management. “One of the goals of the framework as called for in the executive order is really to leverage those existing practices, those standards, guides, and practices that many organizations are already using today. So, in essence, we are not creating or recreating new things but rather taking advantage of the things that are out there today.”
Through the framework, companies are offered a common language and a mechanism through which they can establish a robust cybersecurity program that meets the unique needs of both their industry and individual organizations. “The framework tries to highlight some of those practices that would be helpful for organizations of all shapes and sizes, and all levels of sophistication, ranging from organizations with very well-established security programs all the way to new programs that are finding their way,” Stine says.