The National Institute of Standards and Technology (NIST) issued today the final version of a set of cybersecurity guidelines meant to help critical industries better protect themselves.
The Cybersecurity Framework came out of the executive order issued by President Barack Obama last year (Executive Order 13636), which in part directed NIST to come up with a set of voluntary cybersecurity standards for critical infrastructure companies. What NIST has developed, however, is applicable to enterprises of all shapes and sizes.
The Framework itself consists of three parts: the Framework Core, the Framework Profile and the Framework Implementation Tiers. The Framework Core is organized around five key functions: identify, protect, detect, respond and recover, each broken down into categories and subcategories that map to existing standards and guidelines (the "informative references"). The first function – ‘identify’ – involves gaining an understanding of an organization’s resources and the associated risk, and covers subjects such as asset management, governance and risk management. The ‘protect’ and ‘detect’ functions are largely self-explanatory and cover issues such as access control and security monitoring. The final two functions – ‘respond’ and ‘recover’ – deal with reacting to a security incident and restoring normal operations afterwards.
Jeff Greene, senior policy counsel at Symantec, said NIST did a great job of getting feedback from the private sector on the framework, and that the document is adaptable for different types of organizations.
“It’s not a check the box approach to security…you can really make use of as much or as little of it as you think is relevant and useful to you,” he told SecurityWeek.
Two of the intended goals of the framework are to allow an organization to compare its current cybersecurity activities with those outlined in the Core, and to help organizations create a new cybersecurity program or improve an existing one. Other objectives mentioned by NIST include improving communication with business stakeholders, describing a methodology to protect privacy and civil liberties, and identifying opportunities for new or revised standards.
The Framework Profile provides a picture of the current and desired state of an organization’s security program: a "Current" Profile captures the outcomes being achieved today, a "Target" Profile captures the outcomes the organization wants to achieve, and the gap between the two becomes the basis for a prioritized improvement plan. Through the use of Profiles, companies can align their cybersecurity activities with their business requirements, risk tolerances and resources. The Implementation Tiers, meanwhile, describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework, such as being risk and threat aware, repeatable and adaptive, ranging from Tier 1 (Partial) to Tier 4 (Adaptive). NIST notes that the Tiers are not maturity levels and that a higher Tier is not necessarily the right target for every organization.
Despite calling the goal of the framework laudable, Phillip Smith, senior vice president of government solutions at Trustwave, said NIST needs to go one step further and develop frameworks for specific verticals.
“For example, draft guidelines that speak to business leaders in the financial, electricity and oil and gas industries,” he said. “Compartmentalizing the industries will be more effective in getting the right people to pay attention since the information caters to their specific business.”
“NIST should also create a list of questions that bring to light essential elements of security that cannot be overlooked,” he continued. “Answers to those questions should be included in the guidelines to help business leaders as they structure their security plans. Questions should include – what are the most common security risks among businesses within that particular industry? What should business leaders do to identify those risks?”
“By answering these questions, the Framework helps businesses create a holistic plan that meets their security needs,” he added.
In the document, NIST argues that the Framework is not intended to be a one-size-fits-all approach to managing cybersecurity.
“Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework will vary,” according to the document. “Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks.”
The main difference from the draft release is the inclusion of a section on protecting privacy, something that is likely the result of the fallout from the controversy surrounding U.S. government surveillance programs, said Matt Standart, threat intelligence director at HBGary.
“Hopefully this framework will lead the way for an industry-wide standard (on privacy) that companies adopt and adhere to in the future,” he said.
“In summary,” said Standart, “everyone should adopt a framework for cyber security like this as it is a good place to start, and since cyber security involves the collection, analysis, and reporting of data they need to factor in and incorporate privacy and civil liberties into their everyday processes.”
To help spur adoption of the framework, the Department of Homeland Security has launched the Critical Infrastructure Cyber Community (C³) Voluntary Program. During the next year, the C³ program will focus on working with private sector organizations to develop guidance on implementing the framework.
“While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” President Obama said in a statement. “America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.”