National Institute of Standards and Technology Releases Draft Cybersecurity Framework

On October 22, 2013, the National Institute of Standards and Technology (“NIST”) released its voluntary Preliminary Cybersecurity Framework (“the Framework”) to provide a cost-effective, performance-based, flexible, and repeatable approach for critical infrastructure organizations to manage cybersecurity risks. A key objective of the Framework, which was drafted pursuant to Executive Order 13636, is to encourage critical infrastructure organizations to consider cybersecurity a priority similar to financial, safety, and operational risk.

The Framework is composed of three parts: (1) the Framework Core; (2) the Framework Profile; and (3) the Framework Implementation Tiers. First, the Framework Core provides standards and best practices so that the senior executive level of an organization can effectively communicate cybersecurity risk to the implementation or operations level across the organization. The Framework Core represents an organization’s strategy to manage cybersecurity risk through five functions: Identify, Protect, Detect, Respond, and Recover. The Framework Core then identifies categories and subcategories for each of these functions and matches them with references, such as existing standards, for each category.

Second, a Framework Profile represents the outcomes a system or organization is expected to achieve based on criteria identified in the Framework Core. An organization may use this Framework Profile to select an industry’s best practices or to compare the organization’s current Profile to a target Profile. This allows organizations to track their progress toward a target Profile and prioritize their progress.

Third, the Framework Implementation Tiers describe an organization’s current cybersecurity risk management. The Tier selection process considers an organization’s current practices, threat environment, legal requirements, business or mission objectives, and organizational constraints. Using these criteria, an organization can evaluate its risk management practices over a range from Tier 1, which means reactive and informal, to Tier 4, which means agile and risk-informed.

The NIST opened a 45-day comment period on the Framework before releasing the final Framework in February 2014. A copy of the Framework is available here.