Last month, the National Institute of Standards and Technology released the first official version of the nation’s Cybersecurity Framework. The framework was developed in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity, issued by President Obama in February 2013.
Agencies already guided by the Federal Information Security Management Act (FISMA) and NIST’s Risk Management Framework, among other IT security standards and practices, may wonder how the new Cybersecurity Framework applies to them. In a nutshell: It applies to all organizations, but it shouldn’t be a burden.
“‘Framework’ is one of our favorite words. It’s like ‘ecosystem.’ It can mean everything and yet nothing,” said Matthew Scholl, deputy chief of NIST’s computer security division, at the 2014 Symantec Government Symposium in Washington, D.C.
The good news, Scholl and others said, is that the Cybersecurity Framework does not require a radical rethinking of agencies’ existing security practices.
“When I talk about the framework, I usually start not by saying what it is, but what it is not,” said Jeff Greene, senior policy counsel for Symantec and former senior counsel for the Senate Homeland Security and Governmental Affairs Committee. “The framework is not a checklist. It is not an out-of-the-box, plug-and-play cybersecurity solution. It’s not a new standard … . It really is a framework.”
Scholl explained that NIST’s job was to build a collection of existing information-security standards, guidelines and best practices that organizations have found effective in reducing cyber risk. “NIST was not to make new standards, but was to look at existing effective bodies,” he said.
The resulting framework comprises guidance from across the information-security spectrum, including NIST’s Risk Management Framework, Capability Maturity Model Integration (CMMI), COBIT and ISO 27000. Organizations can use it to complement their risk-management procedures and create their own cybersecurity programs. Or they can use the framework to analyze their current program to identify possible gaps.
“If you have something effective that is reducing your risk … you should not have to pull that out and do something new,” Scholl said. “But you should be able to see your program in this framework.”
In addition, Scholl said, the framework provides cybersecurity professionals with a common language for addressing cross-sector challenges. “You can save a week of conversation because this is a kind of Rosetta Stone,” he said. “This becomes extraordinarily effective when you look at cross-infrastructure issues.”
In Lieu of Legislation
Rob Knake, director of cybersecurity policy in the Executive Office of the President, said that a framework turned out to be the best way to go because cybersecurity legislation had a hard time gaining traction. The administration wanted to encourage agencies and other organizations to implement better cybersecurity measures without requiring it.
“When we started looking at the Executive Order, one of the things we thought we could do was to say, ‘OK, how are we going to get all the basic common practices that we know can prevent almost all cyberattacks … done by more people?’” Knake said.
As White House officials examined major cybersecurity breaches, Knake said, they felt that if organizations had implemented accepted practices, they could have thwarted most attacks. A framework would give them the tools to do so.
Scholl said NIST has now transitioned into listening mode, ready to receive feedback from organizations and learn how they implement the framework. He said NIST has already identified certain gaps in the framework, chiefly around supply-chain security, privacy engineering and international engagement, and will hold workshops later this year to help fill those gaps.
The Homeland Security Department recently launched what it calls the Critical Infrastructure Cyber Community (C3) program to help organizations use the framework.
Greene said the newest version of Symantec’s Control Compliance Suite, due in April, would include the Cybersecurity Framework. Symantec has been using the framework internally since it came out in draft form last fall.