On February 12, 2012, President Obama issued Executive Order 13636 calling for the development of a voluntary risk-based cybersecurity framework (“Framework”). The National Institute of Standards (“NIST”) is developing the Framework through an open process. Although it will serve as a uniform guide for developing cybersecurity programs, the Framework is expected to evolve with business needs and technological advances. On August 30, NIST issued an illustrative example for the electric industry.

Appendix A provides the proposed Cybersecurity Framework’s Core and is summed up as follows:

Identify – Develop the institutional understanding of which organizational systems, assets, data, and capabilities need to be protected, determine priority in light of organizational mission and establish processes to achieve risk management goals.

Protect – Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services.

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event.

Recover – Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the appropriate capabilities that were impaired through a cybersecurity event.

Meant to be a discussion draft, NIST would like comments from stakeholders. Here are some of the questions NIST would like reviewers to consider:

  • How can the Framework adequately:
    • Define outcomes that strengthen cybersecurity and support business objectives?
    • Enable cost-effective implementation?
    • Appropriately integrate cybersecurity risk into business risk?
    • Provide the tools for senior executives and boards of directors to understand risks and mitigations at the appropriate level of detail?
  • Will the Framework as presented be inclusive of, and not disruptive to, effective cybersecurity practices in use today?
  • Is the Framework presented at the right level of specificity?