For purposes of the Request for Information (“RFI”), the National Institute of Standards and Technology (“NIST”) defines “critical infrastructure” as:

systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Threats to critical infrastructures typically fall into two categories: (1) physical threats, meaning threats to tangible property, and (2) cyber threats, meaning threats of electronic/computer-based attacks on the communications components that control critical infrastructures. Many of these critical infrastructures are owned and operated by the private sector. Therefore, it is essential that the government and private sector work together to develop a strategy for protecting them and assuring their continued operation.

The National Institute of Standards and Technology is conducting a comprehensive review to develop a framework to reduce cyber risks to critical infrastructure (“Framework”). The Framework will consist of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks. The RFI requests information to help identify, refine and guide the many interrelated considerations, challenges and efforts needed to develop the Framework. Responding to the NIST RFI is one of many action items the private sector can take. Several companies have already filed their comments. Some of the questions asked in the RFI include:

  • What are the current regulatory and regulatory reporting requirements in the United States (e.g. local, state, national, and other) for organizations relating to cybersecurity?
  • What organizational critical assets are dependent upon other critical physical and information infrastructures, including telecommunications, energy, financial services, water and transportation sectors?
  • What do organizations see as the greatest challenges in improving cybersecurity practices across critical infrastructure?
  • Describe your organization’s policies and procedures governing risk generally and cybersecurity risk specifically. How does senior management communicate and oversee these policies and procedures?
  • How do organizations define and assess risk generally and cybersecurity risk specifically?

Written comments, due by April 8, 2013, may be submitted by mail to Diane Honeycutt, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899. Submissions may be in any of the following formats: HTML, ASCII, Word, RTF, or PDF. Online submissions in electronic form may be sent to Please submit comments only and include your name, company name (if any), and cite “Developing a Framework to Improve Critical Infrastructure Cybersecurity” in all correspondence. All comments received by the deadline will be posted at without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or confidential business information).