On February 12, 2014, NIST released the Cybersecurity Framework Version 1.0 and an accompanying Roadmap document. The following excerpts are taken from the NIST web site – http://www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm – and we recommend that all of our partners review the information contained within these documents.
To help organizations charged with providing the nation’s financial, energy, health care and other critical systems better protect their information and physical assets from cyber-attack, the Commerce Department’s National Institute of Standards and Technology (NIST) today released a Framework for Improving Critical Infrastructure Cybersecurity. The framework provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.
The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.
NIST also released today a “Roadmap” document to accompany the framework. It lays out a path toward future framework versions and ways to identify and address key areas for cybersecurity development, alignment and collaboration.