A new framework for improving the cybersecurity of critical IT infrastructure was released yesterday by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST).
Following an executive order issued last year by President Barack Obama, the framework is meant to provide a structure to help organizations, regulators and customers create, guide, assess or improve comprehensive cybersecurity programs, according to the announcement of the framework.
“The framework provides a consensus description of what’s needed for a comprehensive cybersecurity program,” said Patrick D. Gallagher, under secretary of Commerce for Standards and Technology and director of NIST. “It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business.”
The framework is built from three elements: the Core, Implementation Tiers and Profiles. The Core organizes cybersecurity activities into five concurrent functions that an organization should carry out to understand and manage its cybersecurity risk: Identify, Protect, Detect, Respond and Recover. Each function is broken down into categories and subcategories of outcomes, and each subcategory is mapped to informative references in existing standards and guidelines. The Tiers (Partial, Risk Informed, Repeatable and Adaptive) characterize how rigorously an organization's risk management practices are applied, from ad hoc to continuously improving. Profiles record which Core outcomes an organization currently achieves and which it aims to achieve; comparing a current profile against a target profile yields the gaps a security plan should close and helps prioritize the work.
“This voluntary Framework is a great example of how the private sector and government can, and should, work together to meet this shared challenge,” Obama said in a statement.
Also released with the framework was a road map that laid out NIST’s next steps with the framework, identifying and addressing key areas of cybersecurity development, alignment and collaboration.
The full text of the Framework for Improving Critical Infrastructure Cybersecurity, version 1.0, is available from NIST.