On August 28, NIST released a discussion draft of the Preliminary Cybersecurity Framework that it is developing pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity. NIST invites stakeholder review and input of this discussion draft, leading into the publication of the Preliminary Cybersecurity Framework on October 10 for formal public comment. The discussion draft follows on what has already been an active summer with respect to cybersecurity.
The draft Preliminary Cybersecurity Framework (“draft Framework”) is intended to serve as a voluntary risk-based approach to developing reasonable and appropriate cybersecurity programs. The draft Framework notes that it is designed to either create a new cybersecurity program or improve an existing one, as well as to create a common language around cybersecurity activities.
The draft Framework consists of three distinct parts:
- Framework Core: The Core lists the areas in which organizations should evaluate what measures and activities are in place to manage cybersecurity risk.
- Framework Implementation Tiers: The Tiers represent the degree of implementation of the Framework, ranging from partial to sophisticated.
- Framework Profile: The Profile supports a visual representation of an organization’s current and target state with respect to Framework implementation.
Appendix A of the draft Framework presents the Framework Core, which is a nonexhaustive listing of Categories, Subcategories, and Informative Resources for each of the five Functions in the Framework Core. The Framework Core is broken down as follows:
There are five Functions for organizing cybersecurity activities.
- Identify: “Develop the institutional understanding of which organizational systems, assets, data, and capabilities need to be protected, determine priority in light of organizational mission, and establish processes to achieve risk management goals.”
- Protect: “Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services.”
- Detect: “Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.”
- Respond: “Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event.”
- Recover: “Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the appropriate capabilities that were impaired through a cybersecurity event.”
- Within each Function are Categories, which reflect “programmatic needs” within a given Function.
- Each Category has Subcategories, or “high-level tactical activities to support technical implementation.”
- Finally, each Subcategory has associated Informative References, which are the existing standards, guidelines, and practices that address that activity.
Appendix B of the draft Framework presents a methodology to address privacy and civil liberties considerations when deploying measures within each of the above Categories. The draft Framework also includes a list of seven areas for improvement that will not be addressed directly in the Framework, but instead require continued focus as “important but evolving areas that have yet to be developed or require further research and understanding.”
Along with the draft Framework itself, NIST also released two other companion documents:
- a high-level Executive Overview directed at senior executives, explaining the basis for and use of the Framework; and
- a lengthy set of Illustrative Examples, presenting Threat Mitigation Profiles for three types of threats (cybersecurity intrusions, malware, and insider threat).
NIST seeks stakeholder review and input leading into its fourth and final Framework development workshop, which will take place September 11–13 in Dallas. On August 29, NIST posted the draft agenda for that workshop. The draft Framework lists a number of questions for which NIST seeks input at the final workshop.
When finalized, the Cybersecurity Framework is likely to be highly influential within and beyond the United States, and beyond the critical infrastructure industries it is intended primarily to address. Organizations of all types would be advised to consider whether and how their cybersecurity programs align with relevant elements of the emerging Framework, and to provide input as appropriate to inform the final phases of its development.