Demystifying NIST – What the New Cybersecurity Framework Means to You
In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The order called for the development of a voluntary, risk-based Cybersecurity Framework - a set of existing standards, guidelines and practices to help organizations manage cyber risks. The executive order designated the National Institute of Standards and Technology (NIST) to coordinate and lead this initiative.
NIST recently released a highly anticipated framework, providing a common language to address and manage cyber risk cost-effectively. The framework is designed to help organizations develop information security protection programs based on business needs. It offers best practices for voluntary use across critical infrastructure sectors including government, healthcare, financial services and transportation industries.
A few short months after the release of the new framework, many unanswered questions remain, including: how will the new policy affect the security of critical infrastructure, comparative standards and those areas not currently classified as critical infrastructure? Below are some of my thoughts on what you really need to know about the cybersecurity framework and its trickle-down effects. This is the first of a three-part series on this topic.
PART 1 - IMPACT
Q. How will the framework affect businesses? What is the business incentive to adopt the guidance and will there eventually be a certification attesting adoption of the framework?
The framework attempts to be a focal point of all the standards and leading practices. However, the guidance is optional at this point. I envision there will be a push from the insurance communities and the vendor communities to provide some sort of "certification" or "attestation" to your adherence/implementation of the framework. This could result in the reduction of premiums for those that apply the framework to their business, or establish a case for security negligence if the framework is not implemented. Regardless of any need or requirement to implement the framework in a business, the NIST report represents a positive collaboration between public and private sectors. A common risk-based approach to security can add additional layers of protection. Why not implement it?
Q. What industries will it impact the most and why? What industries are directly impacted and which ones have indirect implications (e.g., providers, suppliers, the private sector, the information technology and communications sectors, and commercial technology products and services groups)?
As the framework was intended to address entities denoted as critical infrastructure, I believe it will be applicable to all if both the public and private sectors agree on a lifecycle-based security paradigm. If it's applicable for government entities (critical infrastructure, national security), it will logically also stretch to those organizations that conduct business with government entities. From there, I see it continuing to spread down the proverbial food chain.
Given the origin of the framework, I believe all organizations will be put in the position to discuss "Why not implement it?" If your current program is built on some of the underlying standards, you may be closer than you think to implementation. In this case, the framework may simply provide a standardized mechanism for you to discuss your program and manage continuous improvement.
Q. Will it have any effect and protect critical infrastructure and enterprise from cyberattacks?
I believe the framework will have a positive effect on both enterprise and critical infrastructure alike. The positive effects will be driven from two vectors: through both the introduction and the implementation of the framework. I'll explain more in the next blog post addressing NIST Implementation.
Q. Will the framework have a serious impact on the security of critical infrastructure? What are the remaining issues that could stifle the favorable movement of the country's security posture?
I believe it will be a pillar in our nation's security plan. That said, the government will be focusing on industries connected to national security. Items and industries not tagged with this designation will have less pressure to adopt the framework. To use this framework to its maximum benefit, those outside of national security must also embrace and map their security business processes to the framework.