NIST Releases Final Framework for Improving Critical Infrastructure Cybersecurity

The National Institute of Standards and Technology (NIST) released the initial version of its Framework for Improving Critical Infrastructure Cybersecurity on Wednesday, February 12. The Framework provides owners of critical infrastructure and others with voluntary guidance on how to best protect information and assets from cyber attacks. The final Framework closely follows the Preliminary Framework NIST released in November 2013.

Broken down into three main elements—Core, Tiers, and Profiles—the Framework sets forth the best practices commonly used throughout the critical infrastructure industries and sectors. The Core is broken down into five functions: identify, protect, detect, respond, and recover. Used together, these functions are designed to help organizations understand and mold their cybersecurity program into a more functional and efficient system. The Tiers allow organizations to analyze the degree to which their system meets the goals set forth in the Framework. The Profiles help organizations reach a higher level of cybersecurity sophistication.

As previously reported, the Framework was created in response to Executive Order 13636: Improving Critical Infrastructure Cybersecurity, mandated in February 2013, in which the President called for NIST to develop a “set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks” to critical infrastructure. The Department of Homeland Security has identified sixteen different industry sectors as part of critical infrastructure, including defense, communications, food and agriculture, healthcare and, of course, information technology.

Although the Framework is labeled Version 1.0, the Agency acknowledges that it must be dynamic to match the constantly evolving technology and demands of cybersecurity. Accordingly, NIST also released the NIST Roadmap for Improving Critical Infrastructure Cybersecurity, which provides the future path for updating and improving the Framework. As it develops new versions of the Framework, NIST hopes to remain at the center of the collaboration between industry and government agencies to help owners of critical infrastructure understand, implement, and improve the Framework.

As mentioned earlier, the Framework is entirely voluntary. The Departments of Homeland Security, Commerce, and Treasury are currently reviewing ways to create incentives that will encourage organizations to implement the guidance.

EDUCAUSE has been following the development of the framework since the Executive Order was issued (see our earlier blog posts here, here, and here) and submitted comments in response to NIST’s request for information. While EDUCAUSE will continue to follow this issue and keep you posted on developments, campus cybersecurity professionals are encouraged to work with their general counsel’s office to assess what the framework may mean for the institution’s cybersecurity practices and responsibilities.