NIST puts finishing touches on critical infrastructure cyber framework

Thursday - 9/26/2013, 6:23am EDT

Jared Serbu reports.


The National Institute of Standards and Technology says it's the "end of the beginning" for the drafting of the nation's first-ever cybersecurity framework for protecting critical infrastructure. The agency says the document is essentially finished, and should be ready for release by its due date in a few weeks.

The framework came about through President Barack Obama's February executive order on cybersecurity. It embodies the administration's view that private sector infrastructure operators that are critical to the nation's well-being should live up to a minimal level of cybersecurity practices.

Compliance with the framework is voluntary, but NIST says plenty of private-sector actors have stepped forward to help develop it; the agency counts 1,500 people who've attended workshops to help develop the framework this year and another 2,000 who've participated online.

Patrick Gallagher, the undersecretary of Commerce for standards and technology and NIST's director, said the preliminary version of the framework should be out by mid-October. NIST will spend three months gathering public comments, and a version 1.0 is targeted for February.

"There are really two major moving parts to the framework," he told the annual Billington Cybersecurity summit in Washington Wednesday. "One is a collection of existing standards and practices. You will recognize many of them. The other is a structure, a framework in the true sense of the word, that organizes those practices and provides really a set of tools that support the use and adoption of those standards and practices."

Gallagher said it was clear from the outset that the framework needed to be flexible enough to be adopted by companies of any size or cyber capability.

The initial version will be organized around three structures:

  • One breaking down five different types of cyber defense activity;
  • One addressing various levels of cybersecurity maturity within an organization;
  • Finally, a set of "profiles" designed to let companies assess how capable they are at defending against cyber attacks and improve from there.

"It identifies a set of implementation tiers," Gallagher said. "From an early-adopter, low-maturity organization that may be very rule-based, to a highly-mature organization that has organized risk management at all levels. It's analogous to a cultural approach, much like what we've seen in safety management and other areas. A key construct here is that there is no threat-proofing. There is no magic bullet. This is not about eliminating the problem, this is about managing it."

Ensuring relevancy

With the initial drafting process now complete, Gallagher said NIST will move quickly into the implementation phase. He said the framework is not worth much if no one pays attention to it. He described three challenges ahead to make the framework relevant.

First, NIST and the industry members who helped develop the framework have to persuade companies to adopt it, not just within their IT offices, but throughout their organizations.

"They have to map it into their own situation, map out where they're at and use the practices. This can't just live on the shelf in the IT security department. It's vital that it permeate all levels of the organization," he said. "And in principle we're primarily focused on engaging the C-suite leadership who have an overall responsibility in these companies. A large part of our effort now will focus on that outreach and that adoption."

Secondly, adoption within a given company isn't enough, Gallagher said. He said the framework needs to become part of the broader marketplace and align good cybersecurity practices with good business practices.

"This means it also has to be integrated into business-to-business transactions: contracts [and] service-level agreements. It also has to look at customer engagement, and it also means we have to look at global adoption. Our framework should be integrated into worldwide standards so it's compatible with activities around the world," he said. "This may include conformity assessment vehicles, things like conformance testing or certification or other types of product identification so that businesses understand and can identify conforming practices in the market. And it also includes incentives. Where are the barriers? Where are the places where the market doesn't behave, and how do we promote that?"

Finally, Gallagher said, just as the framework urges companies to continually improve their processes, NIST needs to build on the framework itself each year, based on the real-world experience companies gain as they put it into action.

"If this process we just did over the last eight months ends up being a once-through, then we've failed," he said. "The technology is too dynamic, and I don't believe the framework is perfect. We expect companies who adopt it and put it into use to identify places where it makes no sense and where there are gaps. We have to operationalize this collaboration we've built and turn it into a continuous process. So right away we have to start thinking about a 2.0 version. These early adopters that take up the challenge and put this into use are going to shape the framework, and I think they'll drive the governance of the process. This has to be an industry-led effort."