NIST Attempts to Lift All Boats with Draft Cyber Framework

The National Institute of Standards and Technology (NIST) has released its important and much-anticipated Preliminary Cybersecurity Framework (PDF). The Framework plan was put forward in February 2013 as part of  President Barack Obama’s cybersecurity Executive Order to push a collaborative concept in which NIST takes the lead in coordinating with all interested stakeholders in the development of a security framework that 1) is based on existing, voluntary, consensus-based standards and best practices; 2) allows critical infrastructure (CI) owners and operators to identify, assess, and manage their cyber risks; and 3) is technologically neutral. 

One of the tech industry’s guiding principles for effective cybersecurity policies is the need to raise awareness about what all stakeholders can do to improve their own cybersecurity. The tech industry can build leading-edge security technologies and services.  We all can share information on threats we see so as to better protect our networks. Law enforcement can track down and arrest bad actors. But all cyberspace stakeholders – including CI owners and operators, as well as businesses of all sizes, citizens, and governments – also need to know what steps they can take to reduce risks to their property, reputations, and operations.  

What tools do cyberspace’s stakeholders have to do this? Some of the most essential tools are global, voluntary, consensus-based standards, guidelines, and best practices to manage cybersecurity risk.  A range of such standards and best practices are developed (and continuously updated) in standards development organizations and other groups populated by some of the best, technically competent, innovative minds in the world.  These standards and best practices are focused on what organizations need. Specifically, they facilitate how to identify potential cybersecurity risks, protect against various risks, and, if incidents occur, detect, respond to, and recover from them. 

Many organizations in the United States voluntarily use many of these standards and best practices to improve their cybersecurity risk postures.  But some organizations likely do not use enough of the standards and best practices that might help them.  This is not because such organizations lack a keen desire to improve their cybersecurity, but rather they may not really know where to start or where to go next.

The NIST Framework aims to bridge this information gap, by seeking to help all interested entities – critical infrastructure owners, operators, and all others — not only understand where to start, but also where they want to be and how to move forward.  Significantly, the voluntary nature of the Framework allows flexibility for businesses to use those practices that fit their risk profiles, business models, and inherent interest in protecting their networks, customers, and assets.  The draft Framework is well on its way toward providing effective tools enabling much greater voluntary use of standards and best practices that can make a difference at the individual organization’s level, collectively raising all boats. 

But to succeed, the draft Framework must be easier to understand by those who seek to use it — and give a more compelling case for them to do so.  NIST must create methodologies for key building blocks of the Framework, namely the implementation tiers and risk profiles, and amend guidance related to them to avoid unintended consequences.  NIST must limit the privacy methodology to only those privacy-related considerations implicated by cybersecurity activities.   Finally, NIST must more clearly explain that the Framework references global standards and best practices.  The Framework does this, but it’s not apparent unless you’re an expert on standards and know what you are looking at.  A global audience is closely watching us develop this Framework, and it’s imperative that this audience understands the U.S. Government believes the most effective cybersecurity policies are workable globally. 

Doing so is essential if we are to achieve greater collective security and protect America’s citizens, critical assets, and infrastructures from ever-evolving cyber threats.