Intro to Cybersecurity Framework: New Mandatory NIST Standards for Government Contractors?

K&L Gates LLP

Cybersecurity remains one of the most important and least understood issues of the day. Last week, the National Institute of Standards and Technology (NIST) hosted a workshop in Tampa, Florida, to receive private sector feedback on Version 1.0 of its Cybersecurity Framework (CSF), released on February 12, 2014. The purpose of the workshop, NIST advertised, was to gather input on users’ initial experiences with the framework “with a focus on resources to help organizations use the Framework more effectively and efficiently.” While certainly optimistic, the agenda might be too ambitious for the private sector, where awareness of the NIST standards remains low.

How does your organization measure up to the NIST Framework?

The NIST Framework stemmed from Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.”[1] E.O. 13636 directed NIST to develop a voluntary cybersecurity framework. The purpose of the framework was to provide a baseline for organizations: “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” The resulting Cybersecurity Framework allows an organization to understand and shape its cybersecurity program using five functions—identify, protect, detect, respond, and recover:[2]

  • Identify cybersecurity risk to systems, assets, data, and capabilities. These activities are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
  • Protect critical infrastructure by developing and implementing appropriate safeguards. This function supports the ability to limit or contain the impact of a potential cybersecurity event.
  • Detect breaches by developing and implementing appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond to breaches by developing and implementing appropriate activities to take action regarding a detected cybersecurity event. This function supports the ability to contain the impact of a potential cybersecurity event.
  • Recover from a cybersecurity event using appropriate activities to maintain plans for resilience and to restore capabilities or services that were impaired.

What does the NIST Framework mean for Government contractors?

While the NIST Framework is still voluntary, Government contractors should be on the lookout for agencies using the Framework to develop their own standard cybersecurity requirements in contracts. A January 2014 Department of Defense and General Services Administration joint report, “Improving Cybersecurity and Resilience through Acquisition,” recommended the institution of “baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions” and a “federal acquisition cyber risk management strategy,” both of which suggest that the NIST Framework could become de facto mandatory for Government contractors.

Be wary of NIST tunnel vision.

One of the biggest takeaways from the NIST workshop last week is that there is no such thing as being “CSF-compliant.” The NIST Framework is specifically designed not to be a checklist, and even states that it is “not a one-size-fits-all approach to managing cybersecurity risks for critical infrastructure,” because “organizations will continue to have unique risks… and how they implement the practices in the Framework will vary.” Although Government contractors must be aware of cybersecurity’s evolving regulatory landscape and should use the NIST Framework accordingly, the takeaway from Tampa is clear: use the NIST Framework, but tailor implementation to your company’s own unique risks and needs... and watch for incorporation of the NIST Framework into Government contracts as mandatory requirements.

Notes:

[1] Exec. Order No. 13636

[2] NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1.0
