The order has the primary goal to improve the network security of the US “critical infrastructure” and it assigns to the National Institute of Standards and Technology the responsibility of developing a framework of best practices for operators in critical sectors of the country (e.g. Industry, transportation, water and health). The Policy places at the base of the reform process the following three strategic principles:
All security reports released by principal security firms reveal the increase in the number of cyber attacks against private companies and critical infrastructures, last May Congress released a survey that claimed power utilities in the U.S. are under “daily” cyber attacks. It is necessary a strong response from the governments which must also be responsible for the definition of security guidelines.
The NIST has proposed its preliminary cybersecurity framework with specific intent to respond to the executive order 13636 and create guidelines to improve security for Critical Infrastructure. The adopting of the cybersecurity framework would be voluntary for companies and could help companies mitigate the numerous cyber threats.
The cybersecurity framework draft proposed by NIST was written with the involvement of roughly 3,000 industry and academic experts, it suggests best practices for networks and asset protection to the companies. Another crucial aspect approached by the draft is the guidance on how companies could respond to and recover from breaches. The document also examines how the companies could do all that while protecting privacy and civil liberties.
“Ultimately what we want to do is we want to turn today’s best practices into common and expected practices,” said NIST Director Patrick Gallagher. He also defined the framework “a living document” that is expected to be flexible.
“The framework can be used to help identify and prioritize actions for reducing cybersecurity risk and is a tool for aligning policy, business, and technological approaches to managing that risk.” The draft reads.
Giving a look to the index of NIST cybersecurity framework it is possible to distinguish the following sections:
Framework Introduction – In this section is provided an overview of the cybersecurity framework that is a risk-based approach composed of three parts:
Framework Basics – this section describes the following NIST Framework Core elements:
How to Use the Framework – the section has been written to propose a basic overview of cybersecurity practices to describe how an organization could use the NIST Framework to create a new cybersecurity program or improve an existing cybersecurity program.
The US government has been offering a series of incentives, including cybersecurity insurance and priority consideration for grants, to reward companies that adopt the framework.
NIST will now take public comments for 45 days while the final cybersecurity framework is planned for February 2014.
(Security Affairs – NIST, cyber security framework)