Cybersecurity framework for U.S. critical infrastructure to be developed


Patrick Gallagher,
Director, NIST
Gaithersburg, MD, U.S.A. — (METERING.COM) — February 15, 2013 – The National Institute of Standards and Technology (NIST) is to lead the development of a cybersecurity framework to reduce the cyber risks to power sector infrastructure and other critical infrastructure, such as financial, transportation and communications systems.

The cybersecurity framework was called for in the ‘Improving Critical Infrastructure Cybersecurity’ Executive Order signed by President Obama earlier this week.

The framework will comprise a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers under their care.

To initiate this, NIST will issue a Request for Information (RFI) seeking input from critical infrastructure owners and operators, federal agencies, state, local, territorial and tribal governments, standards-setting organizations, other members of industry, consumers, solution providers and other stakeholders.

The input will be used to identify existing consensus standards, practices and procedures that have been effective and that can be adopted by industry to protect its digital information and infrastructure from the full range of cybersecurity threats. The framework will not dictate “one-size-fits-all” solutions, but will instead enable innovation by providing guidance that is technology neutral and recognizes the different needs and challenges within and among critical infrastructure sectors.

“The process for developing the framework reflects a core component of NIST’s work,” said Under Secretary of Commerce for Standards and Technology and NIST director Patrick Gallagher. “By collaborating with industry to develop the framework, we will better protect our nation from the cybersecurity threat.”

In the RFI, organizations will be asked to share their current risk management practices, use of frameworks, standards, guidelines and best practices, and other industry practices. Additional information will also be collected on a number of core practices NIST views as applicable across industry, including encryption and key management, asset identification and management, and security engineering practices.

The framework will consist of a roadmap and structure for future efforts, including a recommended process for how the standards within each sector will be reviewed by each stakeholder community. It will include metrics and procedures for monitoring and assessment and a menu of management, operational and technical security controls.