On October 22, NIST released the official Preliminary Cybersecurity Framework under development pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity. A formal 45-day comment period will begin once the Preliminary Cybersecurity Framework is published in the Federal Register, which is expected next week. NIST remains on track to meet the Executive Order’s February 2014 deadline for issuance of the final Cybersecurity Framework. NIST officials (including Director Patrick Gallagher) spoke with reporters today regarding the release of the Preliminary Cybersecurity Framework, in which NIST officials discussed the release and answered various questions.

The Framework’s foundational elements and approach remain unchanged from the discussion draft released in August (which we covered previously): the Framework still includes three parts (Framework Core, Framework Profile, and Framework Implementation Tiers), and the subdivisions within the Framework Core still list the various activities that comprise a cybersecurity program (including, at the broadest level, five Functions: Identify, Protect, Detect, Respond, and Recover).

The Preliminary Cybersecurity Framework nonetheless includes several changes from the August discussion draft. Substantial changes include the following:

  • Section 1.2, Risk Management and the Cybersecurity Framework, has been substantially rewritten to explain how the Framework uses risk management processes (including an understanding of risk tolerance) to facilitate cybersecurity decisionmaking.
  • Section 2.1, Framework Core, includes an expanded definition for Functions.
  • Section 3.1, Basic Overview of Cybersecurity Practices, has been added and provides additional detail on how use of the Framework comports with risk management.
  • Section 3.2, Establishing or Improving a Cybersecurity Program, has been revamped and now includes steps for conducting a risk assessment (Step 3) and determining, analyzing, and prioritizing gaps (Step 5).
  • Appendix A, Framework Core, includes substantial revisions throughout and includes new subcategories within the following Categories:
    • Business Environment (BE)
    • Governance (GV)
    • Risk Assessment (RA)
    • Risk Management (RM)
    • Information Protection Processes and Procedures (IP)
    • Maintenance (MA)—new category
    • Detection Processes (DP)
  • Appendix B, Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program, now includes references to other privacy standards/guidelines and adds new substantive content to several Categories (e.g., Risk Management, Information Protection Processes and Procedures, Security Continuous Monitoring, Mitigation).
  • Appendix C (formerly Section 4), Areas for Improvement for the Cybersecurity Framework, adds a new subsection on cybersecurity workforce (C.4) and expands on privacy (C.7).
  • Appendix E, Glossary, changes several definitions (e.g., Risk, Risk Management) and adds a definition for Personally Identifiable Information.

NIST also announced that it will hold a fifth Cybersecurity Framework Workshop on November 14–15 in Raleigh, NC. Registration is open, but the workshop materials (including the draft agenda) are not yet available on the NIST website.

When finalized, the Cybersecurity Framework is likely to be highly influential within and beyond the United States, and beyond the critical infrastructure industries it is intended primarily to address. Organizations of all types would be advised to consider whether and how their cybersecurity programs align with relevant elements of the emerging Framework, and to provide input as appropriate to inform the final phase of its development.