The National Institute of Standards and Technology has released a “Discussion Draft of the Preliminary Cybersecurity Framework” (pdf). A February executive order, “Improving Critical Infrastructure Cybersecurity,” included instructions to NIST “to lead the development of a framework to reduce cyber risks to critical infrastructure (the ‘Cybersecurity Framework’). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” (Read the full executive order to learn more details about what President Obama required of NIST.) Such technological requirements could affect individuals’ privacy rights.
NIST will soon post at its site instructions on how the public can comment on the preliminary framework. Here’s more from the draft’s introduction:
The focus of the Framework is to support the improvement of cybersecurity for the Nation’s Critical Infrastructure using industry-known standards and best practices. The Framework provides a common language and mechanism for organizations to: 1) describe current cybersecurity posture; 2) describe their target state for cybersecurity; 3) identify and prioritize opportunities for improvement within the context of risk management; 4) assess progress toward the target state; 5) foster communications among internal and external stakeholders.
The Framework complements, and does not replace, an organization’s existing business or cybersecurity risk management process and cybersecurity program. Rather, the organization can use its current processes and leverage the framework to identify opportunities to improve an organization’s cybersecurity risk management. Alternatively, an organization without an existing cybersecurity program can use the Framework as a reference when establishing one.