On Wednesday, February 12, 2014, the White House released the Framework for Improving Critical Infrastructure Cybersecurity (version 1.0). The Framework is the product of a year-long, private-sector-led effort, begun under Executive Order 13636, to create voluntary guidelines that businesses forming part of the "critical infrastructure" (banks, utilities, public transportation, and the like) can use to strengthen their cybersecurity. Although the Framework is aimed at the nation's critical infrastructure, it offers sound guidance to any business concerned about data security. The National Institute of Standards and Technology (NIST) collected input from the private sector and from government, and drafted the Framework.
The Framework has three parts: the Framework Core, the Framework Profiles, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, desired outcomes, and references to existing standards that are common across critical infrastructure sectors; it supplies the detailed catalog from which an organization builds its own Profile. A Profile is the subset of Core outcomes the organization has selected in light of its business requirements, risk tolerance, and resources. Comparing a "Current" Profile (what is done today) with a "Target" Profile (what the organization wants to achieve) exposes the gaps to be closed and gives a basis for prioritizing them. The Tiers describe how rigorous and well-integrated an organization's risk management practices are, on a scale from Tier 1 (Partial) to Tier 4 (Adaptive); they are a self-assessment of process maturity, not a maturity model to be climbed for its own sake.
The Framework Core consists of four elements: Functions, Categories, Subcategories, and Informative References, as illustrated in the table on page 7 (Figure 1: Framework Core Structure), available online. There are five Functions, which together describe the lifecycle of managing a cybersecurity risk: Identify, Protect, Detect, Respond, and Recover.
Categories and Subcategories break each Function down into specific outcomes (for example, "physical devices and systems within the organization are inventoried"), and Informative References point to the sections of existing standards, guidelines, and practices that explain how to achieve each outcome. In version 1.0 the references are drawn from ISO/IEC 27001, COBIT 5, ISA 62443, the Council on CyberSecurity's Critical Security Controls, and NIST SP 800-53 Rev. 4.
The Framework describes best practices for the flow of information and decisions through the Executive, Business/Process and Implementation/Operations levels within an organization, as depicted in the image on page 12 (Figure 2: Notional Information and Decision Flows within an Organization), available online.
In that flow, the executive level focuses on organizational risk and communicates mission priorities, available resources, and overall risk tolerance to the business/process level. The business/process level uses those inputs to decide the appropriate risk profile for the company, allocates funding for security initiatives, and works with the implementation/operations level to produce a Profile. The implementation/operations level then carries out the measures the Profile calls for and reports progress back up to the business/process level, which in turn informs the executive level of changes in the organization's risk. The loop runs in both directions; the Framework is explicit that operational findings should feed back into executive risk decisions, not just flow down from them.
Appendix A of the Framework is its substantive core: a 16-page table (Table 2: Framework Core, on pages 20-35, available online) setting out every Function, Category, Subcategory, and Informative Reference. For example, Asset Management (ID.AM) is one Category within the Identify Function. Its Subcategories call for inventorying physical devices and systems; inventorying software platforms and applications; mapping organizational communication and data flows; cataloguing external information systems the company relies on; prioritizing these resources according to their classification, criticality, and business value; and establishing cybersecurity roles and responsibilities for the whole workforce and for third-party stakeholders such as suppliers and customers. In practice this Category is where most organizations should start, since you cannot protect, monitor, or recover assets you have not identified.
While it provides concrete guidance, the Framework is designed to flex with the different risks organizations face. Companies confront different threats and different vulnerabilities, and they have different risk tolerances, so the Framework expressly recognizes that how companies implement its practices will vary. It does not prescribe specific controls; it organizes outcomes and points to the standards that describe how to reach them. The Framework is one expression of current best practice in cybersecurity risk management. Whether or not your organization is part of the nation's critical infrastructure, it is an excellent guide for identifying and managing security risk in a highly connected and networked economy.