NIST Seeks Private Sector Information on Cybersecurity Framework Outlined in President’s Executive Order and Notices First Public Meeting

On February 26, 2013, the National Institute of Standards and Technology (NIST) published a Request for Information (RFI) in the Federal Register soliciting views from both government and industry on developing the Cybersecurity Framework required by President Obama’s recent Executive Order on Cybersecurity. The Framework will consist of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. NIST’s RFI seeks information on these topics in the context of critical infrastructure, which is defined so broadly that it includes not only stakeholders in the defense industrial base but also providers of banking, energy, transport, health, Internet, and e-commerce services. Private companies in these diverse industries have a unique opportunity to take part in shaping cybersecurity standards prior to the potential implementation of legislatively mandated standards. Stakeholders must act quickly, as comments are due by April 5, 2013, and NIST’s first meeting and public workshop with critical infrastructure stakeholders will be held April 3, 2013, at NIST’s headquarters.

Background on President Obama’s Cybersecurity Executive Order

On February 12, 2013, President Obama issued an Executive Order on Cybersecurity seeking to improve the cybersecurity of critical infrastructure across a broad range of industries. Section 7 of the Executive Order requires NIST to lead the creation of a “Cybersecurity Framework” that would include best practices, standards, and technical approaches, that incorporates “voluntary consensus standards and industry best practices to the fullest extent possible” and that would be set forth in guidance that is technology neutral. The Framework’s purpose is to assist owners and operators of critical infrastructure in identifying and managing risks posed by cyber threats, and to allow for continued collaboration of products and services to reduce and address cyber risks. Once the Framework is established, the Department of Homeland Security will establish a voluntary program to support adoption of the Framework by owners and operators of critical infrastructure. The President directed NIST to develop the Framework through an “open public review and comment process,” with a preliminary framework to be published within 240 days and a final framework within one year. More information on the Executive Order can be found at this link...
