The Launch of the NIST Cybersecurity Framework

by John DiMaria, BSI

I was one of those invited to attended NIST Cybersecurity Framework launch yesterday at the White House. It was a very nice well organized and positive event.

“The Framework is a key deliverable from the Executive Order on “Improving Critical Infrastructure Cybersecurity” that President Obama announced in the 2013 State of the Union”. – White House Press Release.

Each of the Framework components (the Framework Core, Profiles, and Tiers) reinforces the connection between business drivers and cybersecurity activities. The Framework also offers guidance regarding privacy and civil liberties considerations that may result from cybersecurity activities.

•The Framework Core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions -- Identify, Protect, Detect, Respond, Recover -- that provide a high-level view of an organization’s management of cyber risks.

•The Profiles can help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources. Companies can use the Profiles to understand their current cybersecurity state, support prioritization, and to measure progress towards a target state.

•The Tiers provide a mechanism for organizations to view their approach and processes for managing cyber risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and its integration into an organization’s overall risk management practices. - White House Press Release

First, congratulations to Adam Sedgewick and his team for a great job spearheading this unprecedented collaboration between government and private sector. DHS has also done a good job of launching this program along with the publication of the Framework.

Also like to say thank you to all the great professionals that attended all 5 workshops. I had the honor to work with many of them. We forged some great new business relationships and had some laughs along the way. One personal take-away was that no matter how old we get or how experienced we think we are, if you have discussions with the intent on listening and not answering, you can learn something from everyone you meet.

I am sure there will still be the naysayers and “headline grabbers” out there that will formulate and dwell on negatives, but being in the standards business for more than 20 years at all levels (and this is not a standard), I can tell you no initial framework, guidance or standard will ever 100% right out of the box.

Even President Obama stated after the launch, “While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity”.

As it was mentioned at the launch, this is a "living document". A couple comments that stood out in my mind from the 3 CEO's at Pepco, Lockheed and AT&T:

"We are only as good as our weakest link" (working with the supply-chain and getting them to adopt the framework in critical) and "National Security and the economy depend on good cybersecurity and globally recognized standards". Time to pull together

As Benjamin Franklin said "If we do not hang together, we shall surely hang separately".

There will be an industry expert panel discussing the framework on March 6th.

https://cc.readytalk.com/cc/s/registrations/new?cid=g9gw7cm5asq3

John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner, and Master HISP with over 28 years of experience in management systems and international standards. The views expressed in this blog are his own.