
NIST issues preliminary cybersecurity draft framework

NIST is working toward a framework to protect America's assets, such as the power grid, from cyber attack. (Stock image)

The National Institute of Standards and Technology released a preliminary cybersecurity draft framework outlining standards, best practices and guidance expected to be codified in October as directed by President Barack Obama's February executive order.

A NIST spokesperson said the documents released Aug. 28 are a discussion draft ahead of NIST's upcoming meeting in Dallas, to be held Sept. 11-13, the fourth in a series of workshops in which officials meet with industry to discuss cybersecurity and help shape the forthcoming framework.

Sources say the preliminary draft, a document NIST officials stress is meant to complement and not replace organizations' existing cybersecurity processes, is a solid gauge of what the official framework will look like.

"The framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk, in a manner similar to financial, safety, and operational risk," the NIST document states. "The framework is not a one-size-fits-all approach for all critical infrastructure organizations. Because each organization's risk is unique, along with their implementation of information technology and operational technology, the implementation of the framework will vary."

At the heart of the preliminary draft are three main components -- the framework core, implementation tiers and profile -- designed to provide industry and government with a common cybersecurity taxonomy, establish goals and targets, identify and prioritize opportunities for improvement, assess progress and improve communications between stakeholders.

The core is broken down into five functions: Identify what must be protected and establish priorities and processes for reaching risk management goals; protect by implementing safeguards to ensure critical infrastructure services; detect by establishing methods for identifying malicious activities; respond by developing and implementing priorities and activities for taking action after an event; and recover by establishing tools for restoring impaired capabilities after malicious activity.

The framework's implementation tiers help "reflect how an organization implements the framework core functions and categories and manages its risk." The tiers are progressive, ranging from zero, in which an organization only partially follows the framework's guidelines, to three, or adaptive, in which ongoing updates enable agile cybersecurity and risk management.

The profile portion of the framework effectively summarizes an organization's standing in terms of its management of cyber risks. The profile is based on the use of the framework's core functions, which include categories and subcategories, and how much of the guidance is being implemented or planned for implementation. The profile also is used to identify an organization's cybersecurity goals and assess progress toward those goals.

"By relying on practices developed, managed, and updated by industry, the framework will evolve with technological advances and will align with business needs," NIST's executive summary notes. "Unique missions, threats, vulnerabilities, and risk tolerances may require different risk management strategies. One organization's decisions on how to manage cybersecurity risk may differ from another. The framework is intended to help each organization manage cybersecurity risks while maintaining flexibility and the ability to meet business needs."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
