US government released draft for NIST cybersecurity framework

NIST released the draft of cybersecurity framework, which outlines how private companies can protect themselves against cyberattacks, and security breaches.

The National Institute of Standards and Technology has released a draft of the cybersecurity framework for private companies and infrastructure networks as part of  President Obama’s executive order.

The order has the primary goal to improve the network security of the US “critical infrastructure” and it assigns to the National Institute of Standards and Technology the responsibility of developing a framework of best practices for operators in critical sectors of the country  (e.g. Industry, transportation, water and health). The Policy places at the base of the reform process the following three strategic principles:

• Enhance the level of security of national critical infrastructure and their resilience to cyber attacks through the clear assumption of the roles and responsibilities of each governmental entity.
• Encourage and support an effective and efficient exchange of information on cyber threats, the information flow must involve both government and private actors.
• Developing a framework for analysis of data related to cyber threats and occurred incidents for any critical sector of the country, particular attention has to be reserved to emerging risks.

All security reports released by principal security firms reveal the increase in the number of cyber attacks against private companies and critical infrastructures, last May Congress released a survey that claimed power utilities in the U.S. are under “daily” cyber attacks.  It is necessary a strong response from the governments which must also be responsible for the definition of security guidelines.

The NIST has proposed its preliminary cybersecurity framework  with specific intent to respond to the executive order 13636 and create guidelines to improve security for Critical Infrastructure. The adopting of the cybersecurity framework would be voluntary for companies and could help companies mitigate the numerous cyber threats.

The cybersecurity framework draft proposed by NIST was written with the involvement of roughly 3,000 industry and academic experts, it suggests best practices for networks and asset protection to the companies. Another crucial aspect approached by the draft is the guidance on how companies could respond to and recover from breaches. The document also examines how the companies could do all that while protecting privacy and civil liberties.

“Ultimately what we want to do is we want to turn today’s best practices into common and expected practices,” said NIST Director Patrick Gallagher. He also defined the framework “a living document” that is expected to be flexible.

“The framework can be used to help identify and prioritize actions for reducing cybersecurity risk and is a tool for aligning policy, business, and technological approaches to managing that risk.” The draft reads. 

Giving a look to the index of NIST cybersecurity framework it is possible to distinguish the following sections:

Framework Introduction – In this section is provided an overview of the cybersecurity framework that is a risk-based approach composed of three parts:

• The Framework Core is a set of cybersecurity activities and references that are common across critical infrastructure sectors organized around particular outcomes. The Core presents standards and best practices and consists of five functions, Identify,Protect, Detect, Respond and Recover.

• The Framework Profile is the outcomes that a particular system or organization has achieved or is expected to achieve as specified in the Framework.
• The Framework Implementation Tiers describe how cybersecurity risk is managed by an organization.

Framework Basics – this section describes the following NIST Framework Core elements:

• Functions
• Categories
• Subcategories
• Informative References

How to Use the Framework – the section has been written to propose a basic overview of cybersecurity practices to describe how an organization could use the NIST Framework to create a new cybersecurity program or improve an existing cybersecurity program.

The US government has been offering a series of incentives, including cybersecurity insurance and priority consideration for grants, to reward companies that adopt the framework.

NIST will now take public comments for 45 days while the final cybersecurity framework is planned for February 2014.

Pierluigi Paganini

(Security Affairs –  NIST, cyber security framework)