NIST releases cybersecurity framework

The National Institute of Standards and Technology has released a cybersecurity framework that organizations can use to create, assess or improve comprehensive cybersecurity programs.

The new framework is in response to a February 2013 executive order issued by President Barack Obama that called for the development of a voluntary, risk-based cybersecurity framework. This set of existing standards, guidelines and practices is designed to help organizations manage cyber risks. The framework was created through public-private collaboration and provides a common language to address and manage cyber risk in a cost-effective way, without placing additional regulatory requirements on businesses.   

"The framework provides a consensus description of what's needed for a comprehensive cybersecurity program," said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher, in a statement. "It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business."  

Organizations can use the framework to determine their level of cybersecurity, set goals for cybersecurity in sync with their business environment and establish a plan for improving or maintaining their cybersecurity, according to officials. It also offers a methodology to protect privacy and civil liberties to help organizations incorporate those protections into a comprehensive cybersecurity program.  

This framework is just the beginning, according to officials, who describe it as one step in a continuous process to improve the nation's cybersecurity. The framework will be updated as needed to keep pace with changes in technology and in the threats organizations face.

"The development of this framework has jumpstarted a vital conversation between critical infrastructure sectors and their stakeholders," said Gallagher. "They can now work to understand the cybersecurity issues they have in common and how those issues can be addressed in a cost-effective way without reinventing the wheel."  

The document describes three main elements: the framework core, tiers and profiles. The core presents five functions (identify, protect, detect, respond and recover) which, taken together, allow organizations to understand and shape a cybersecurity program. The tiers describe the degree to which an organization's cybersecurity risk management meets the goals set out in the framework and "range from informal, reactive responses to agile and risk-informed." The profiles help organizations progress from their current level of cybersecurity sophistication to a target improved state that meets business needs.

Access the complete framework here.

Beth Walsh, Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.
