NIST cybersecurity framework: What it means

You may have heard some buzz in the press about the release of the Cybersecurity Framework Draft from the U.S. National Institute of Standards and Technology (NIST). However, you may not know much about its background. And you probably don’t know what it may mean to you as a control or security professional. This should give you a high level overview of the genesis of this document and some handy points of reference.

Due to the growing concerns over continued cyber attacks on U.S. national infrastructure – such as the electric grid, water systems, transportation networks, banks/financial institutions, critical manufacturing – President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013. This document is fondly referred to as the “EO.”

The EO called for development of a voluntary Cybersecurity Framework to provide a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” for assisting organizations responsible for critical infrastructure services to thus manage cybersecurity risk.

Critical infrastructure is defined in the EO as “systems and assets – whether physical or virtual – so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Example industry sectors and the corresponding Federal oversight agency in the U.S. considered “critical infrastructure” are shown in the table below.

Designated Critical Infrastructure Sectors and Sector-Specific Agencies in the U.S.

As a follow up to the EO, NIST was assigned responsibility for development of the Framework in collaboration with industry feedback. The Framework is intended to provide guidance to an organization on managing cyber security risk. A key objective of the Framework is to encourage organizations to consider cyber security risk as a priority similar to financial, safety and operational risk, while factoring in larger systemic risks inherent to critical infrastructure.

The previous sentence is important – if the framework is accepted, then cyber security risk and considerations need to be included in the day-to-day discussions at your company or organization. As you expand your business, build new facilities, install new equipment and hire new people, cyber security must be part of the management discussion.

First, the EO instructed NIST to be the lead in developing the Framework. They did and now you can find the Framework DRAFT document (and supporting information) at the NIST site.

So what does the Framework contain? According to the Cybersecurity Framework Overview, the Framework shall:

• Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
• Shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.
• Shall be consistent with voluntary international standards when such international standards will advance the objectives of this order. 
• What is the Framework supposed to do? According to the overview documents, the Framework:
• Shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
• Shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure.
• Will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.
• Should provide guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies procedures and processed developed to address cyber risks.

With the guidance above – and with input from industry – the draft of the Framework is intended to provide a common language and mechanism for organizations to:

1. Describe their current cyber security posture (and a semblance of maturity level)
2. Describe their target state for cyber security
3. Identify and prioritize opportunities for cyber security improvement within the context of risk management
4. Assess progress toward the target state
5. Foster communications among internal and external stakeholders.

A key aspect of the Framework is that it is not intended to replace an organization’s existing business or cyber security risk-management process and cyber security program. Instead, the organization can use its current processes and leverage the Framework to identify areas to improve its cyber security risk management. Also, the Framework can be helpful to a company that does not have a currently existing cyber security program so they can build in key elements raised by the Framework.

First of all, take a look at the list of the critical infrastructures listed above. Does your company fall into any of those categories? If not, is your company substantially reliant on any of those key infrastructures for your success and even existence? If the answer to either is YES then I’d suggest you take time to read the draft Framework as it stands and figure out how you can apply it to your current cyber security risk management.

Secondly, acquaint your executive management and board nembers with the Framework. Give them a sense of how your company stands today relative to the Framework Implementation Tiers listed. Use this as a means of highlighting your organization’s “Cybersecurity maturity level.” If you aren’t near the top, use it to highlight the resources (people, time and money) you need to raise your game.

Thirdly, take a hard look at the Framework and “test drive” it as it stands. 

When you read the draft Framework, recognize that it is not a “checklist” or a simple “compliance” item to be fulfilled. Nor is it a “how-to” on building a security program (check out ISA/IEC-62443.02.01 for that). Instead the framework provides a set of performance objectives for your cybersecurity risk program to achieve against your prioritized list of key assets.

So, consider the framework to be a nationwide score card for security preparedness. Maybe even an international score card. Either way, you don’t want to be at the bottom of the class with the hackers come calling.