The release yesterday of the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology caps a year-long effort by NIST to find an industry consensus for assessing and improving the cybersecurity of the nation’s privately owned critical infrastructure.
We will be publishing a more detailed analysis of the final Framework in the next few days, but here are some quick takeaways:
- The core of the Framework, which resulted from a series of industry meetings over the past year and is based upon a combination of NIST and industry standards publications, remains quite consistent with the earlier versions that were published for public comment.
- The language surrounding the core Framework has been modified from earlier versions to emphasize that adoption of the Framework by industry is voluntary, remaining consistent with the Administration’s repeated assurances that the Framework is not a new regulation.
- There is new language suggesting that the tiers of the Framework are not to be interpreted as a rating of cybersecurity preparedness or a standard of care, but rather a means for a business to describe how it is addressing its internally adopted cybersecurity goals.
- Privacy controls based upon the Fair Information Practice Principles (FIPPs) have been removed as an element of a cybersecurity strategy, and in place of controls, the Framework has substituted “a general set of considerations” to be adopted “in circumstances where such measures are appropriate.”
- In the course of the industry consultations for the development of the Framework, participants identified numerous areas where the technical ability and coordination to respond to cybersecurity threats are inadequate. These include authentication technologies, supply chain assurance, and engineering systems with enhanced privacy protections. NIST proposes a work plan or “roadmap” to address such issues in the coming months.