A preliminary Cybersecurity Framework was presented in the Federal Register on October 29 in an attempt to align policy, business and technological approaches to address cyber risks. The goal is to reduce cyber espionage as well as to improve privacy and to share information securely.
In making the announcement, J. Michael Daniel, Cybersecurity Coordinator, and Dr. Patrick Gallagher, director of the National Institute of Standards and Technology (NIST), stressed that the preliminary framework incorporates industry best practices “to the fullest extent possible and will be consistent with voluntary international consensus-based standards” when those standards advance the objectives of Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” signed last February. Desired outcomes are organized by functions that aid in communications, align with existing methodologies for incident management, and can be used to help show the impact of investments in cybersecurity.
The Cybersecurity Framework will provide a prioritized, flexible, repeatable, performance-based and cost-effective approach, including information security measures and controls to help owners and operators of critical infrastructure and other interested entities to identify, assess and manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.
To support technical innovation and account for organizational differences, the Cybersecurity Framework will not prescribe particular technological solutions or specifications. It will include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework and will include methodologies to identify and mitigate impacts of the Framework and associated information security measures and controls on business confidentiality and to protect individual privacy and civil liberties.
The framework was developed based upon information collected by the National Institute of Standards and Technology (NIST) during public workshops. The comment period is open for 45 days.
NIST will hold a workshop to discuss the Preliminary Framework—including its implementation and future governance—November 14 and 15, 2013 at North Carolina State University.