NIST Requests Information Regarding Cybersecurity Framework


On February 26, the National Institute of Standards and Technology (NIST) issued a request for information to begin developing the “Cybersecurity Framework” required by a recent executive order directing NIST to develop a framework to reduce cyber risks to critical infrastructure. The request explains that the framework will incorporate voluntary consensus standards and industry best practices to the fullest extent possible, and should include flexible standards, guidelines, and best practices that provide (i) a consultative process to assess the cybersecurity-related risks to organizational missions and business functions, (ii) a menu of management, operational, and technical security controls, including policies and processes, available to address a range of threats, (iii) a consultative process to identify adequate security controls, (iv) metrics to assess and monitor the effectiveness of security controls, (v) a comprehensive risk management approach that provides the ability to assess, respond to, and monitor information security-related risks and provide industry leadership with necessary information to help make ongoing risk-based decisions, and (vi) a menu of privacy controls. The goal of the framework development process is to (i) identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities, (ii) specify high-priority gaps for which new or revised standards are needed, and (iii) collaboratively develop action plans by which those gaps can be addressed. NIST asks that comments be provided by April 8, 2013.