The National Institute of Standards and Technology has released a "Discussion Draft of the Preliminary Cybersecurity Framework" (pdf). A February executive order, "Improving Critical Infrastructure Cybersecurity" (Executive Order 13636), directed NIST "to lead the development of a framework to reduce cyber risks to critical infrastructure (the 'Cybersecurity Framework'). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks." (Read the full executive order for the details of what President Obama required of NIST.) Such technological requirements could affect individuals' privacy rights.
NIST will soon post on its site instructions for how the public can comment on the preliminary framework. Here is more from the draft's introduction:
The focus of the Framework is to support the improvement of cybersecurity for the Nation's Critical Infrastructure using industry-known standards and best practices. The Framework provides a common language and mechanism for organizations to: 1) describe current cybersecurity posture; 2) describe their target state for cybersecurity; 3) identify and prioritize opportunities for improvement within the context of risk management; 4) assess progress toward the target state; 5) foster communications among internal and external stakeholders.
The Framework complements, and does not replace, an organization's existing business or cybersecurity risk management process and cybersecurity program. Rather, the organization can use its current processes and leverage the framework to identify opportunities to improve an organization's cybersecurity risk management. Alternatively, an organization without an existing cybersecurity program can use the Framework as a reference when establishing one.