On Wednesday, February 12, 2014, the National Institute of Standards and Technology (NIST) released the final version of its Cybersecurity Framework (Version 1.0). The Framework was created pursuant to the White House’s February 2013 Cybersecurity Executive Order and Policy Directive, which directed NIST to publish a framework that will establish a baseline Cybersecurity Program for entities managing cyber risks to critical infrastructure industries, including the energy sector.
The Framework was developed through a collaborative cross-sector process with industry leaders, conducted as a series of workshops, and offers guidance to 18 critical infrastructure industries, including the energy, financial, agribusiness, transportation and communications sectors. Guidance on managing cybersecurity risk is organized around five “Core Functions” drawn from industry standards and best practices. The five Core Functions are:
- Identify: Develop institutional understanding to manage cybersecurity risk to organizational systems, assets, data and capabilities.
- Protect: Develop and implement safeguards, prioritized through an organization’s risk management process, to ensure delivery of critical infrastructure services.
- Detect: Develop and implement activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement activities, prioritized through an organization’s risk management process, to take action regarding a detected cybersecurity event.
- Recover: Develop and implement activities, prioritized through an organization’s risk management process, to restore capabilities or critical infrastructure services that were impaired through a cybersecurity event.
The Framework lists a series of categories and subcategories for each function, including asset management, governance, risk assessment, access control, use of protective technology, training, data security, information protection, monitoring, detection, mitigation and communication.
NIST contemplates that an entity's performance may be assessed according to four “Framework Implementation Tiers” (i.e., partial, risk-informed, repeatable and adaptive). Entities are advised to set their target Implementation Tiers according to their self-assessed “Profiles,” which are a function of an organization's individual business needs, risk tolerance and resources.
According to NIST, the Framework provides a common language and method for organizations to describe their cybersecurity risk management posture and objectives, and to identify and prioritize areas for improvement. NIST adds that the Framework can be used by organizations to enhance existing cybersecurity practices, or as a reference for integrating cybersecurity risk management into an organization’s overall risk management process.
NIST has released a companion Roadmap document which outlines areas for further improvement, and describes NIST's next steps for long-term governance of the Framework. NIST states that it will host future workshops to facilitate stakeholder discussion on Framework implementation, and to review opportunities for improvement.