NIST cybersecurity framework: What it means
Regardless of where one lives in the world, we all know that our country’s national infrastructure is very important to our economy and our national defense. And with incidents like the attacks on the gas pipeline industry and the details revealed in the Mandiant Report, nowhere has this point been driven home more than in the U.S.
Critical infrastructure is defined in the Executive Order (EO) as “systems and assets – whether physical or virtual – so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Example industry sectors considered “critical infrastructure” in the U.S., and the corresponding Federal oversight agency for each, are shown in the table below.
What is the Framework supposed to do? According to the overview documents, the Framework:
- Shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
- Shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.
- Shall be consistent with voluntary international standards when such international standards will advance the objectives of this order.
- Shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
- Shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure.
- Will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.
- Should provide guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks.
Using the Framework, organizations should be able to:
- Describe their current cyber security posture (and a semblance of maturity level)
- Describe their target state for cyber security
- Identify and prioritize opportunities for cyber security improvement within the context of risk management
- Assess progress toward the target state
- Foster communications among internal and external stakeholders.
Original content can be found at www.tofinosecurity.com.