NIST offers first look at critical infrastructure security plan
- By William Jackson
- Oct 23, 2013
The National Institute of Standards and Technology has released for comment a preliminary version of a framework for improving the cybersecurity of the nation’s critical infrastructure, a voluntary set of industry standards and best practices that the administration hopes to see widely adopted.
The Preliminary Cybersecurity Framework draws heavily from guidance developed by NIST for the Federal Information Security Management Act and was produced with input from the U.S. intelligence community as well as regulatory agencies. Although voluntary, the framework could have an impact on the way key industries are regulated and how agencies procure services from them. Compliance with the framework could become a federal contracting requirement.
The framework draft, released late because of the government shutdown, is on track for formal release in February after a 45-day comment period, NIST officials said. The February release still will be labeled “preliminary,” and NIST director Patrick Gallagher said the framework will be a living document that will be frequently updated.
An appendix in the current version identifies gaps where improvements are needed in the document.
The framework is a broad, multi-sector effort that Gallagher called a “vehicle for translating lists of standards into action.” It was mandated by an executive order issued in February in response to Congress’s failure to pass cybersecurity legislation for the nation’s critical infrastructure. The order identified threats to critical infrastructure as “one of the most serious national security challenges we must confront,” and declared that ‘it is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure.”
Critical infrastructure is defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety.” Although critical, most of this infrastructure is owned and operated by the private sector and is outside government protection. The Homeland Security Department offers help to the private companies, and some sectors — such as financial and some power distribution — are federally regulated. But there has been no overarching framework for ensuring cybersecurity.
The framework provides a common language for describing current and target states of security, identifying and prioritizing changes needed, assessing progress and fostering communications with stakeholders. It is meant to complement, not replace, existing cybersecurity programs.
The plan consists primarily of lists of existing technology-neutral standards and best practices and a structure for implementing them. Because the framework is intended to be used across many industry sectors, it is not prescriptive, but it allows each user to determine how best to use controls based on business needs and threats.
The core of the framework addresses the basic elements of managing cybersecurity risk, including identifying threats, protecting assets, detecting malicious activity, and responding and recovering from attacks.
Although the framework recommendations are general, the standards and practices referenced are specific and detailed.
“As a voluntary standard, [the framework] cannot create any new requirements for anybody,” Gallagher said. Incentives for adopting the standards will be developed separately, but Gallagher said self-interest should be the primary incentive for adoption.
But where self-interest fails, regulators can step in. Agencies will develop guidance for harmonizing their regulations for industry with framework recommendations. If they lack regulatory authority to establish requirements based on the framework, they could go to Congress to seek it.
NIST will hold a final workshop on the Preliminary Cybersecurity Framework Nov. 14 and 15 at North Carolina State University. Comments on the framework should be submitted using the comment template to firstname.lastname@example.org, with “Preliminary Cybersecurity Framework Comments” in the subject line.