On February 26, 2013, the National Institute of Standards and Technology (NIST) issued a Request for Information (RFI) entitled, “Developing a Framework to Improve Critical Infrastructure Cybersecurity.” The RFI requests “information to help identify, refine, and guide the many interrelated considerations, challenges, and efforts needed to develop" a Cybersecurity Framework as mandated by Cybersecurity Executive Order 13636 issued by the Obama Administration on February 12, 2013.

The White House and NIST have repeatedly emphasized that the Cybersecurity Framework, which will serve as the cornerstone of a voluntary cybersecurity program for critical infrastructure owners and operators, will be developed through an “open public review and comment process” that will give stakeholders numerous opportunities to provide input on the standards, methodologies, procedures and processes that will make up the Framework. The RFI represents the first opportunity for public comment. Responses to the RFI must be submitted by 5:00 p.m. on April 8, 2013.

The RFI states that the Framework development process will seek to identify existing “cross-sector” cybersecurity standards and guidelines that are currently or could be applied to critical infrastructure as well as any “potential gaps (i.e., where standards/guidelines are nonexistent or where existing standards/guidelines are inadequate) that need to be addressed through collaboration with industry and industry-led standards bodies.” Further, any gaps identified will be addressed through collaboratively-developed action plans.

Although NIST admits that a one-size-fits-all Framework is not possible in light of the diversity of industries and businesses that own and operate critical infrastructure, the RFI states that “there are core cybersecurity practices that can be identified and that will be applicable to a diversity of sectors and a spectrum of quickly evolving threats.” Ultimately, the Framework is intended to include, among other mechanisms, consultative processes to assess cybersecurity-related risks and to identify security controls that would adequately address those risks, as well as “metrics, methods, and procedures that can be used to assess and monitor, on an ongoing or continuous basis, the effectiveness of security controls that are selected and deployed that can be used to facilitate continuous improvement in such controls.”

In light of these goals, the RFI seeks input from organizations on the following topics, each of which contains several questions:

  1. current risk management practices;
  2. use of frameworks, standards, guidelines, and best practices; and
  3. specific industry practices.

Regarding the third category, NIST requests comment on a list of potential “core” practices, including separation of business from operational systems; use of encryption and key management; identification and authorization of users accessing systems; asset identification and management; monitoring and incident detection tools and capabilities; mission/system resiliency practices; security engineering practices; and privacy and civil liberties protection.

For more information, see Cybersecurity regulation: 5 issues for companies.