After four months of gathering input from industry, academia and government employees, the National Institute for Standards and Technology released the first draft of its cybersecurity framework to assess and reduce the risks to the nation’s critical infrastructure.
NIST is developing the framework in response to the president’s executive order aimed at improving cybersecurity policy, metrics and information sharing. This initial outline proposes a framework for assessing one’s cyberrisks.
“It explains how to use the framework so that organizations can answer the fundamental question, ‘How are we doing?’” the draft reads. “Then, they can move in a more informed way to strengthen their cybersecurity using a risk-based approach.”
NIST developed the outline based, in part, on input from two large workshops it held, one in April, one in May. Both brought together industry, government and academia for open-ended discussions live streamed and made available after the fact. The first only spanned a single day in D.C., but the second stretched over three days at Carnegie Mellon University, one of the leading cybersecurity research institutions. Next week, NIST will hold a third workshop to gather West Coast input over three more days at the University of California, San Diego.
“We believe that both large and small organizations will be able use the final framework to reduce cyberrisks to critical infrastructure by aligning and integrating cybersecurity-related policies and plans, functions and investments into their overall risk management,” said Adam Sedgewick, senior information technology policy adviser at NIST.
The draft was released this week so interested parties could browse through and bring comments to next week’s workshop, also being live streamed.
“We are pleased that many private-sector organizations have put significant time and resources into the framework development process,” Sedgewick said.
The official draft of the cybersecurity framework will be released for public comment in October 2013.