Skip to content

NIST Releases Preliminary Cybersecurity Framework

The National Institute of Standards and Technology (NIST) released apreliminary version of its cybersecurity frameworkon Wednesday. The document is meant to serve as a reference guide of best practices for both public and private organizations when it comes to managing cyber risk, all in accordance with President Obama’s Executive Order“Improving Critical Infrastructure Cybersecurity,” released in February.

Meant to “assist organizations in addressing a variety of cybersecurity challenges,” the preliminary framework provides urges companies to consider the cyber risks relevant to them, and to make dealing with those risks a priority. As the framework states, the document “provides a common language and mechanism” by which organizations can achieve these goals, as well as assess their progress, and facilitate communication among key stakeholders throughout the process. The framework is not meant to replace any existing guidelines or cybersecurity risk management process at an organization, but rather is to be leveraged as “opportunities to improve” those practices already in place.

NIST divides the framework into three parts – the framework core, the framework profile, and the framework implementation tiers.

NIST held several workshops prior to issuing the preliminary framework to gather industry and academic-expert input, and solicited public comments through a request for information that generated 243 responses. Manyprivacy and civil liberties concerns that come along with managing cyber risk were expressed by advocacy groups in those public comments. To address such issues specifically, Appendix B of the initial framework highlights “privacy considerations and risks that organizations should be aware of when using cybersecurity measures or controls.” It is yet to be seen whether or not privacy groups believe the parameters laid out in the preliminary version suffice.

“We are pleased that many private-sector organizations have put significant time and resources into the framework development process," said Adam Sedgewick, senior information technology policy advisor at NIST, in the official release of the framework on theorganization’s Web site. "We believe that both large and small organizations will be able use the final framework to reduce cyber risks to critical infrastructure by aligning and integrating cybersecurity-related policies and plans, functions and investments into their overall risk management."

NIST will open the initial framework up for public comment for a 45-day period before releasing the final version in February 2014.