Today the National Institute of Standards and Technology (“NIST”) issued a discussion draft of a “Preliminary Cybersecurity Framework.”

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity tasked NIST with developing a “Cybersecurity Framework” “to reduce cyber risks to critical infrastructure.”  The Order specifies that the Framework must “provide a prioritized, flexible repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.”

NIST is drafting the Framework in consultation with industry, other government agencies, and other experts.  The final version will provide voluntary cybersecurity guidance for critical infrastructure and other business.  NIST describes the Framework as providing “a common language for expressing, understanding, and managing cybersecurity risk.”

As described by the NIST discussion draft, the Framework is intended to guide businesses through a risk-based assessment and improvement of their cybersecurity posture.  The discussion draft Framework is organized around three issues: the Framework Core, Implementation Tiers, and Profile.

  • The Framework Core includes five functions: identify, protect, detect, respond, and recover.  Each function is tied to categories of activities that address cybersecurity risk, including, for example, access control and data security.  Each category includes references to particular standards or industry practices that can inform how businesses accomplish each function.  Such standards include, for example, NIST Special Publication 800-53, which addresses recommended security controls for federal government systems.
  • Framework Implementation Tiers describe the sophistication of risk management an organization chooses to apply to each category of action.  The tiers include partial, risk-informed, repeatable, and adaptive levels, with the “adaptive” tier denoting the best developed risk management procedures.
  • The Framework Profile combines the selection of the categories of activities in the Framework Core that are relevant to a particular business, with an assessment of which Implementation Tier the organization is currently achieving or wishes to achieve in the future with respect to each category.  The draft Framework suggests that organizations create both a current profile and a target profile to assist organizations in improving cybersecurity by moving toward their target profile.

In addition, NIST released a discussion draft of illustrative examples of how businesses could use the Cybersecurity Framework in response to particular scenarios, including a cyber intrusion, malware, and an insider threat.

In accordance with the Executive Order, the discussion draft Framework also identifies “areas for improvement” that NIST may address in future collaborations with standards-developing organizations or specific sectors.  High priority areas for improvement include identity authentication, automated sharing of cybersecurity threat indicators, standardized methods for protecting individual privacy, and managing supply chain risk. 

NIST is expected to issue a preliminary Cybersecurity Framework in October.