“America’s economic prosperity, national security and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property. Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.”
–Barack Obama, February 12, 2014
The National Institute of Standards and Technology (NIST) has released the Framework for Improving Critical Infrastructure Cybersecurity, a set of standards, guidelines and practices intended to guide the implementation of secure critical infrastructure in the United States. Designed to be cost-effective, flexible, prioritized and repeatable, this set of recommendations was developed through a year-long process that ended with the first release in February 2014.
In 2009, when President Barack Obama was inaugurated, there was a growing realization that America’s critical infrastructure was vulnerable to attack. Since then, there has been an explosion of reports of data breaches. According to www.DataLossDB.org, seven of the nine largest data breaches have been reported since the beginning of January 2009. Excluding those in South Korea and China, these breaches represent a staggering 469 million records hacked in half a decade.
Made up of both a Framework and a Roadmap, these guidelines are being made available to the public. While they are directly applicable to the U.S. federal government and to organizations providing critical infrastructure components, the guidelines apply to most industries and businesses.
Shortly after his inauguration, President Obama began a systematic review of the federal government’s cybersecurity posture through a program called the Comprehensive National Cybersecurity Initiative (CNCI), which generated 12 key security programs for the executive branch. There was a clear understanding that the prior administration had suffered major cybersecurity breaches. As Jim Lewis of the Center for Strategic and International Studies said on “60 Minutes,” the Bush administration “… had been rolled.” In response to this and other attacks, such as the Conficker worm attacking U.S. Central Command, the U.S. worked to strengthen its systems.
Four years later, President Obama signed Executive Order 13636, bringing together private sector experts, NIST, the Department of Homeland Security (DHS) and the attorney general to drive the Framework across multiple private and public sectors in a technology-neutral way.
The first version of the Cybersecurity Framework was issued a year later, on February 12, 2014.
Based on standard processes for incident response, the basic functions of the Framework Core are Identify, Protect, Detect, Respond and Recover. Each of these functions is then divided into categories and subcategories. Categories cover management areas such as access control, asset management, awareness and training, protective technology, mitigation and communications. For example, within a category such as access control, we find a subcategory titled “Remote access is managed.”
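The Framework puts this Function / Category / Subcategory hierarchy to work by comparing an organization’s Current Profile against a Target Profile and listing the gaps. The following is an added illustration of that comparison, not code from NIST or the Framework documents; the slice of the Core is taken from the CSF 1.0 identifiers (PR.AC-3 is “Remote access is managed”), while the three-step status scale and the sample profiles are assumptions constructed for the example.

```python
"""Added example: gap analysis over a slice of the NIST CSF 1.0 Core.

This is illustrative code, not NIST's own tooling. The Core slice uses
real CSF 1.0 subcategory ids; the status scale is an assumption.
"""

# Function -> Category -> {subcategory id: outcome statement}
CORE = {
    "Identify": {
        "Asset Management": {"ID.AM-1": "Physical devices and systems are inventoried"},
    },
    "Protect": {
        "Access Control": {"PR.AC-3": "Remote access is managed"},
        "Awareness and Training": {"PR.AT-1": "All users are informed and trained"},
    },
    "Respond": {
        "Mitigation": {"RS.MI-1": "Incidents are contained"},
    },
}

# Assumed per-subcategory implementation scale, lowest to highest.
# The Framework leaves profile notation to each organization.
LEVELS = ("none", "partial", "full")


def gap_analysis(core, current, target):
    """Compare a Current Profile against a Target Profile.

    Both profiles map subcategory id -> status from LEVELS. A subcategory
    absent from the current profile counts as "none"; one absent from the
    target profile is out of scope and skipped. Returns a list of tuples
    (function, category, id, outcome, current_status, target_status).
    """
    gaps = []
    for function, categories in core.items():
        for category, subcats in categories.items():
            for sub_id, outcome in subcats.items():
                if sub_id not in target:
                    continue
                cur = current.get(sub_id, "none")
                # LEVELS.index raises ValueError on an unknown status,
                # which surfaces typos in a profile instead of hiding them.
                if LEVELS.index(cur) < LEVELS.index(target[sub_id]):
                    gaps.append((function, category, sub_id, outcome, cur, target[sub_id]))
    return gaps


def gaps_by_function(gaps):
    """Count open gaps per Framework function for a quick summary."""
    counts = {}
    for gap in gaps:
        counts[gap[0]] = counts.get(gap[0], 0) + 1
    return counts
```

Running `gap_analysis(CORE, current, target)` with constructed profiles such as `{"ID.AM-1": "full", "PR.AC-3": "partial"}` and `{"ID.AM-1": "full", "PR.AC-3": "full", "PR.AT-1": "partial", "RS.MI-1": "full"}` lists the three subcategories that still fall short of the target.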
The NIST Cybersecurity Framework website provides resources to support deployment of the Framework, including the master document in PDF and EPUB formats and the Framework Core in PDF and Excel formats.
While the Cybersecurity Framework directly relates to the 16 Critical Infrastructure Sectors, as defined by DHS, it provides cross-industry guidance in a technology-neutral (some might say agnostic) form. It was developed with input from business, security, privacy and government contributors, including those fighting cybercrime and cyber attacks. In the absence of federal legislation, long stalled in Congress, the NIST Framework can become a standard for business to apply.
The Roadmap, also found on the NIST website, starts with a section on strengthening private sector involvement in the governance of the Framework. It outlines areas of development and collaboration, cybersecurity workforce (more information below), data analytics, privacy standards and so on.
Focusing on resilience and a dynamic update cycle, the Framework provides deep guidance into which controls should be implemented at the various tiers (or maturity levels) in an organization’s security processes.
Additionally, the Cybersecurity Framework includes workforce components such as training and awareness programs, which tie to the work of the NIST program called the National Initiative for Cybersecurity Education (NICE). This portion of the Framework also identifies research opportunities and workforce needs. The Roadmap also includes the opportunity to participate in defining tools, guidelines and resources for cybersecurity awareness. For more information on NICE, please check out my blog post from last October.
Beyond critical infrastructure and government, the Cybersecurity Framework should be on any security professional’s reading list with an aim to implement and deploy its guidelines and recommendations.