Ride the Lightning

NIST Releases Preliminary Cybersecurity Framework

October 29, 2013

How in the world are entities supposed to deal with cybersecurity in a world without standards, even voluntary ones? The National Institute of Science and Technology (NIST) is looking to remedy that. On October 22nd, NIST released a Preliminary Cybersecurity Framework to help critical infrastructure owners and operators reduce cybersecurity risks in industries such as power generation, transportation and telecommunications. NIST will open a 45-day public comment period on the Preliminary Framework and plans to release the official framework in February 2014.

In February 2013, President Obama directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks, recognizing that U.S. national and economic security depends on the reliable functioning of critical infrastructure.

The Preliminary Framework outlines a set of steps that can be customized to various sectors and adapted by both large and small organizations while providing a consistent approach to cybersecurity. It offers a common language and mechanism for organizations to determine and describe their current cybersecurity posture, as well as their target state for cybersecurity. The framework will help them to identify and prioritize opportunities for improvement within the context of risk management and to assess progress toward their goals.

While the Preliminary Framework is geared toward critical infrastructure, it really can be applied to other industries to improve their cybersecurity. Cybersecurity risk management is good business – the more we can get all businesses to understand that, the more this "living document" will allow for continuing improvement as threats and technologies evolve.

The process seems slow in the light of the rapidly-moving threats we've seen, but progress of any kind is welcome.

http://twitter.com/sharonnelsonesq