A cybersecurity framework meant to provide a voluntary guide for nationally critical industries was issued this week by the National Institute of Standards and Technology.
“While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” President Obama said in a statement. “Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property.”
Obama urged Congress to move forward on cybersecurity legislation.
A year ago, an executive order—spawned by Congress’ lack of progress in adopting cybersecurity legislation—called for the development, with the help of the private sector, of a voluntary framework to help organizations manage cybersecurity risks.
On Feb. 12—exactly a year after the executive order—the NIST released the “living document” of principles and best practices to improve security and resiliency, Framework for Improving Critical Infrastructure Cybersecurity.
Individuals and organizations across the globe lent insight to establish the framework.
The American Insurance Association “commends NIST for its diligent and thoughtful work in the development of the framework and we appreciated the opportunity to provide input during the development process,” said Angela Gleason, associate counsel for the AIA, in a statement. “We look forward to seeing the potential impact the framework may have on the nation’s cyber resiliency.”
The Department of Commerce’s NIST said the framework gives “organization and structure to today’s multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today.”
According to the report, organizations can use information contained within the framework to review cybersecurity practices, establish or improve programs and communicate plans to stakeholders.
“The NIST Framework will probably drive the private sector toward the NIST security model through common law liability,” said Paul Rosenzweig, founder of homeland security consulting company Red Branch Consulting and a senior advisor to The Chertoff Group, in a blog. “If we layer on top of that other federal incentives—like grants, or preferential access to threat and vulnerability information—the pressure to conform will be significant. And, yet, the security model is very ‘status quo’ and probably will not significantly improve security at the top end of the threat spectrum.”