This post was written by Timothy J. Nagle.
The year-long process – led by the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) – of conducting outreach to the private sector, issuing drafts, receiving and evaluating input, and facilitating interagency coordination, ended with the publication last week of the “Framework for Improving Critical Infrastructure Cybersecurity” (Version 1.0). It is a comprehensive document that was initiated by Executive Order 13636 (“Improving Critical Infrastructure Cybersecurity”), and draws heavily from existing standards such as NIST 800-53, ISO 27001, COBIT and others. The Framework represents significant effort by NIST, sector-specific agencies, industry organizations and individual companies to provide an approach for managing cybersecurity risk “for those processes, information, and systems directly involved in the delivery of critical infrastructure services.” This last quote from the “Framework Introduction” section states the purpose and scope of the document. What remains to be seen is the process for implementation, extent and variety of adoption across sectors and industries, and assertion as a “standard” outside of the critical infrastructure context.
Please click here to read the issued Client Alert.