NIST Publishes Draft Cybersecurity Framework For Critical Infrastructure Industries


On October 23, 2013, the National Institute of Standards and Technology (NIST) released a long-anticipated draft of its Cybersecurity Framework. The Framework, as NIST explains, is “not a risk management process itself,” but is intended to provide a common language for addressing cybersecurity risk that can be used by all personnel in critical infrastructure industries from senior executives to frontline IT staff members. “Critical infrastructure” includes organizations in the energy, finance and banking, healthcare, transportation, telecommunications, defense, food and agriculture, water, and utilities sectors. Organizations in such fields (or closely associated with them) should familiarize themselves with the Framework, and may wish to comment on it formally by the end of the public comment period on December 13, 2013.

Background

Executive Order 13636, which President Obama issued in early 2013, recognizes that “[t]he national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of [cyber] threats,” and calls for the development of a “Cybersecurity Framework” that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach . . . to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.” President Obama directed NIST to consult with government agencies, industry stakeholders, and the public before issuing a final Framework by February 2014. Over the past year, as a result, NIST has issued Requests for Information and a preliminary version of the document, as well as held a number of public workshops. The draft Framework marks the last chance for stakeholders to provide comments before the document becomes final.
