The National Institute of Standards and Technology has released Version 1.0 of its Framework for Improving Critical Infrastructure Cybersecurity. NIST hopes this document will provide “a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.”
The framework has been anticipated since February 2013, when President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. That order sparked a public-private collaboration to create a “set of existing standards, guidelines and practices to help organizations manage cyber risks.” This Cybersecurity Framework seeks to provide a way for organizations to develop their own risk-appropriate, cost-effective cybersecurity program. Collaborators on the framework include a “broad range of industries that see the value of and need for improving cybersecurity.” While the Framework is specifically aimed at organizations that are part of the United States’ critical infrastructure, the cybersecurity development tools it includes could be adopted by any organization.
There has been criticism that the released Cybersecurity Framework does not do enough, especially as compliance with the framework is voluntary. Others believe that the “voluntary” standard established by the Framework will become “the de facto standard for litigators and regulators.” A third group sees the NIST Framework as an opportunity to enhance cybersecurity consulting, as it provides a compilation of current best practices.
The actual impact of the newly released Framework is yet to be seen, but, as a “living document,” it is expected to be updated and amended over time.