On October 22, 2013, the National Institute of Standards and Technology (“NIST”) released the draft Preliminary Cybersecurity Framework (“Framework”) for critical infrastructure. The Framework was developed in accordance with Executive Order 13636 of February 12, 2013, on improving critical infrastructure cybersecurity. The Framework seeks to create a voluntary program that could supplement existing cybersecurity programs. The voluntary Framework may apply to those organizations declared to be part of a critical infrastructure sector. The Executive Order described these sectors as ones that are “so vital to the United States that [their] incapacity or destruction…would have a debilitating impact on security, national economic security, national public health or safety[.]” A few of the sectors that the Department of Homeland Security has identified as critical infrastructure sectors are communications, financial services, energy, and information technology.
The Framework presents a three-part approach to cybersecurity consisting of the “Framework Core,” the “Framework Profiles,” and the “Framework Implementation Tiers.” The Framework Core sets forth details for identifying risks in the context of an organization’s business. The Core breaks this task into four elements: Functions, Categories, Subcategories, and Informative References. Functions are meant to organize cybersecurity risks at a high level. The five Functions are:
- Identify: The function in which an organization inventories its assets and data and performs risk assessments.
- Protect: The function in which an organization decides how best to safeguard the identified assets from cyber threats.
- Detect: The function in which an organization develops the ability to discover cybersecurity events.
- Respond: The function in which an organization decides on plans of action to respond to a cybersecurity event.
- Recover: The function in which an organization creates and implements procedures to restore critical infrastructure services after a cybersecurity event.
Within each Function is a set of Categories and Subcategories that cover specific aspects of the Function, such as Access Control and Asset Management. Each Category also contains citations to relevant Informative References, such as NIST standards.
The second part of the Framework is the Framework Profiles. The Profiles are tools an organization can use to track its progress toward cybersecurity goals. By creating both a current profile and a target profile, an organization can see its areas of strength and weakness and devote resources where they are most needed. Finally, an organization ranks its progress toward its goals using the Implementation Tiers, which range from Partial (1) to Adaptive (4), and revises these profiles as time goes on.
One notable addition to the Framework is an appendix discussing privacy and civil liberties protections. Earlier drafts of the Framework had been criticized for lacking detail on such protections.