NIST Releases Cybersecurity Framework
From power generation and utilities to transportation and telecommunications, U.S. critical infrastructure provides a wide attack surface for cyber criminals. The National Institute of Standards and Technology (NIST), part of the Department of Commerce, was tasked by President Barack Obama’s cybersecurity executive order to devise a framework aimed at reducing cyber risks for owners and operators of U.S. critical infrastructure. The framework, which was released last month, is similar to draft documents previously issued for comment. While the framework does follow the overall format set out in discussions with industry, it does not reflect specific suggestions on privacy or compliance issues.
NIST engaged with more than 3,000 individuals and organizations to develop the Framework for Improving Critical Infrastructure Cybersecurity through a series of workshops and requests for information (RFI), which yielded more than 200 public comments. Kevin Stine, manager of the Security Outreach and Integration Group in NIST’s Computer Security Division, says that developing the framework in a collaborative way created new opportunities for engagement among U.S. critical infrastructure stakeholders.
“Everything you see in the framework was informed by comments we received throughout the process, including an RFI that we did earlier in the year, and our efforts have built off the feedback that we received throughout the process and the workshops,” he tells Security Management. “One of the goals of the framework as called for in the executive order is really to leverage those existing practices, those standards, guides, and practices that many organizations are already using today. So, in essence, we are not creating or recreating new things but rather taking advantage of the things that are out there today.”
Through the framework, companies are offered a common language and a mechanism through which they can establish a robust cybersecurity program that meets the unique needs of both their industry and individual organizations. “The framework tries to highlight some of those practices that would be helpful for organizations of all shapes and sizes, and all levels of sophistication, ranging from organizations with very well-established security programs all the way to new programs that are finding their way,” Stine says.
The framework is divided into three main sections: a framework core, a profile, and implementation tiers. “The Framework Core consists of five concurrent and continuous functions: Identify, Protect, Detect, Respond, Recover—which can provide a high-level, strategic view of an organization’s management of cybersecurity risk,” according to the document. The profile is a representation of what a company’s cyber program should look like if it aligns with the standards set out in the framework. Finally, the implementation tiers outline how cybersecurity risk is managed by an organization. “The tier selection process considers an organization’s current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints,” the framework states.
Stine emphasizes the criticality of the private sector’s feedback and suggestions in crafting the framework. “We’ve gained tremendous input and insight from the actual critical infrastructure owners and operators, really the key target audience of this framework development effort,” he says. “They’re the ones who are working in the trenches on a daily basis, day in and day out to deliver these critical services, and they’re the ones who also see firsthand the evolving threat environment that they each face.”
Jeff Greene, senior policy counsel at Symantec, which makes computer security software, says the framework is easy to understand, even for organizations that are starting new cybersecurity programs. “There’s a lot of other frameworks and approaches and controls out there, but one of the things about the NIST framework that I like is that it’s written in relatively plain English. Anything that talks about cybersecurity is going to be somewhat technical, but it’s something that you don’t have to be very sophisticated to look at and say, ‘okay I get it, I know what they want me to do here,’” he tells Security Management.
One concern voiced by private industry was the way the cybersecurity framework would deal with privacy and civil liberties. The preliminary framework guidelines, released in October 2013, set aside a lengthy appendix to outline controls and procedures to protect the privacy of individuals. Public comments noted that this privacy section was too broad to be useful to most companies.
For example, Harriet Pearson, a partner at the law firm of Hogan Lovells US LLP, in Washington, D.C., commented that the privacy methodology included in the framework “should be narrowed and focused so that, like the rest of the framework, it reflects private sector practices.” Specifically, Pearson advocated that the framework include issues such as identifying and addressing the privacy implications of access control measures that involve the collection or use of protected information.
None of these suggestions were incorporated into the first version of the framework. Instead, NIST greatly shortened the section dealing with privacy concerns, shifting most of that discussion to the “How to Use the Framework” section of the document. While the framework states that the “government and agents of the government have a direct responsibility to protect civil liberties arising from cybersecurity activities,” it notes that “not all activities in a cybersecurity program may give rise to” privacy and civil liberties considerations.
Commenters also suggested that NIST develop some sort of certification for companies that implement the framework. John M. Fowler, deputy information security officer for Henry Ford Health System, noted that while such certification would be voluntary, “the value derived from certification would be in the form of marketing, assurance between collaborating organizations, and selection of service providers following a thorough methodology for protecting information and systems.” NIST did not add any specific language regarding certification to the first version of the framework.
An accompanying document to the framework, called the Roadmap for Improving Critical Infrastructure Cybersecurity, does outline a plan for maintaining the framework over time. Within that roadmap is a section on “Conformity Assessment,” which states that NIST will continue to work with the private sector to ensure that companies are complying with the guidelines. However, the framework does not give any specific methods or plans for ensuring compliance.
As Greene from Symantec points out, such a mandate would exceed NIST’s power. “A lot of the criticisms out there are really directed at the fact that NIST doesn’t have the legal authority to do more,” he points out. “They’re not a regulator, they can’t have any mandates, and the executive branch doesn’t have the legal authority to give good incentives.” Greene adds that while he does not discount those criticisms, they aren’t criticisms of the framework, but rather are “criticisms of the legal and political environment that we live in inside the cyber world.”
NIST stated in its press release that the first version of the framework is a “‘living’ document that will need to be updated to keep pace with changes in technology, threats and other factors, and to incorporate lessons learned from its use.” Stine of NIST points out to Security Management that the guidelines will inevitably change over time. “As technologies and threats evolve, the framework will need to evolve as well,” he says.