Federal Agency Sets Cybersecurity Framework for Critical Groups


The National Institute of Standards and Technology (NIST) has finalised its cybersecurity framework for the US critical infrastructure community. The voluntary guide is intended to make financial, energy, healthcare and other critical industries more resistant to cyberattacks.

Commissioned by President Obama a year ago, the Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 attempts to help businesses better manage cyber risk without additional regulatory requirements.


Framework Outline

The framework offers a set of core actions companies can take to address cybersecurity risk:

  • Identification: Develop the understanding to manage cybersecurity risk to systems, assets, data and capabilities.
  • Protection: Implement appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detection: Identify a cybersecurity event.
  • Response: Take action after a cybersecurity event is detected.
  • Recovery: Restore the capabilities of critical infrastructure that were impaired by a cybersecurity event.

The framework also provides implementation tiers which characterise an organisation’s cybersecurity risk management practices over a range, from partial (Tier 1) to adaptive (Tier 4). “These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed,” NIST wrote.

The third part of framework consists of profiles that allow an organisation to align its cybersecurity activities with its business requirements, risk tolerances and resources. The profiles should help companies progress from their current level of cybersecurity to their target level.

Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and NIST Director, said in a statement that the framework provides a consensus description of what is needed for a comprehensive cybersecurity program. “It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk,” he said. “It will help companies prove to themselves and their stakeholders that good cybersecurity is good business.”

NIST also released a roadmap to accompany the framework. The roadmap lays out a path toward future framework versions and ways to identify and address key areas for cybersecurity development, alignment and collaboration.



The framework has received praise from several organisations. Craig Silliman, Verizon senior vice president, public policy for Verizon, applauded the Obama Administration for bringing together a wide range of stakeholders to create “a useful tool for companies as they consider the right mix of cyberdefenses to protect themselves and their customers.”

Others had mixed reactions. (ISC)², a large nonprofit membership body of certified information and software security professionals, expressed its support for the framework but acknowledged that implementation of its practices could be a problem. “The experts at NIST have put together a comprehensive, yet flexible, plan for organisations to effectively manage cyber risk under the increasing pressure of the nation’s evolving threat landscape,” said W. Hord Tipton, CISSP, executive director of (ISC)² and former CIO for the U.S. Department of Interior. “Unfortunately, the lack of qualified information security professionals with the skills and knowledge to create, understand, and implement such programs remains an area of improvement that must be further addressed.”

Paul Rosenzwieg, founder of Red Branch Consulting PLLC and senior advisor to The Chertoff Group, questioned the framework’s effectiveness. He wrote on his blog that the framework will likely drive the private sector toward the NIST security model through common law liability. “If we layer on top of that other Federal incentives (like grants, or preferential access to threat and vulnerability information) the pressure to conform will be significant,” he noted. “And, yet, the security model is very ‘status quo’ and probably will not significantly improve security at the top end of the threat spectrum.”


Related reading