US government released draft for NIST cybersecurity framework

NIST released the draft of cybersecurity framework, which outlines how private companies can protect themselves against cyberattacks, and security breaches.

The National Institute of Standards and Technology has released a draft of the cybersecurity framework for private companies and infrastructure networks as part of  President Obama’s executive order.

The order has the primary goal to improve the network security of the US “critical infrastructure” and it assigns to the National Institute of Standards and Technology the responsibility of developing a framework of best practices for operators in critical sectors of the country  (e.g. Industry, transportation, water and health). The Policy places at the base of the reform process the following three strategic principles:

  • Enhance the level of security of national critical infrastructure and their resilience to cyber attacks through the clear assumption of the roles and responsibilities of each governmental entity.
  • Encourage and support an effective and efficient exchange of information on cyber threats, the information flow must involve both government and private actors.
  • Developing a framework for analysis of data related to cyber threats and occurred incidents for any critical sector of the country, particular attention has to be reserved to emerging risks.

All security reports released by principal security firms reveal the increase in the number of cyber attacks against private companies and critical infrastructures, last May Congress released a survey that claimed power utilities in the U.S. are under “daily” cyber attacks.  It is necessary a strong response from the governments which must also be responsible for the definition of security guidelines.

The NIST has proposed its preliminary cybersecurity framework  with specific intent to respond to the executive order 13636 and create guidelines to improve security for Critical Infrastructure. The adopting of the cybersecurity framework would be voluntary for companies and could help companies mitigate the numerous cyber threats.

The cybersecurity framework draft proposed by NIST was written with the involvement of roughly 3,000 industry and academic experts, it suggests best practices for networks and asset protection to the companies. Another crucial aspect approached by the draft is the guidance on how companies could respond to and recover from breaches. The document also examines how the companies could do all that while protecting privacy and civil liberties.

“Ultimately what we want to do is we want to turn today’s best practices into common and expected practices,” said NIST Director Patrick Gallagher. He also defined the framework “a living document” that is expected to be flexible.

“The framework can be used to help identify and prioritize actions for reducing cybersecurity risk and is a tool for aligning policy, business, and technological approaches to managing that risk.” The draft reads. 

Giving a look to the index of NIST cybersecurity framework it is possible to distinguish the following sections:

Framework Introduction – In this section is provided an overview of the cybersecurity framework that is a risk-based approach composed of three parts:

  • The Framework Core is a set of cybersecurity activities and references that are common across critical infrastructure sectors organized around particular outcomes. The Core presents standards and best practices and consists of five functions, Identify,Protect, Detect, Respond and Recover.

  • The Framework Profile is the outcomes that a particular system or organization has achieved or is expected to achieve as specified in the Framework.
  • The Framework Implementation Tiers describe how cybersecurity risk is managed by an organization.

Framework Basics – this section describes the following NIST Framework Core elements:

  • Functions
  • Categories
  • Subcategories
  • Informative References

How to Use the Framework – the section has been written to propose a basic overview of cybersecurity practices to describe how an organization could use the NIST Framework to create a new cybersecurity program or improve an existing cybersecurity program.

The US government has been offering a series of incentives, including cybersecurity insurance and priority consideration for grants, to reward companies that adopt the framework.

NIST will now take public comments for 45 days while the final cybersecurity framework is planned for February 2014.

Pierluigi Paganini

(Security Affairs –  NIST, cyber security framework)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

5 mins ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

4 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

18 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.