On Wednesday, the National Institute for Standards and Technology (NIST) released a draft framework on voluntary cybersecurity standards for critical infrastructure that attempts to further formalize industry best practices, offer implementation language, and define privacy requirements. The documents supporting the framework were released in advance of the Fourth Cybersecurity Framework workshop on Sept. 11-13, 2013, in Dallas.
NIST describes the purpose of the framework, required under Executive Order 13636 (EO), as “providing a common language and mechanism for organizations to: 1) describe current cybersecurity posture; 2) describe their target state for cybersecurity; 3) identify and prioritize opportunities for improvement within the context of risk management; 4) assess progress toward the target state; 5) foster communications among internal and external stakeholders.”
To assist entities with interpretation and adoption of the standards to be developed within the framework, NIST also released the document “Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples.” The examples contemplate a broad range of technical solutions and mitigation recommendations for various threat scenarios. Finally, NIST released for review and comment a document titled “Message to Senior Executives on the Cybersecurity Framework.”
Pursuant to the EO, the final framework will be published within the year.