The Obama Administration launched the Cybersecurity Framework, the result of a year-long, private-sector-led effort to develop a voluntary how-to guide that organizations in the critical infrastructure community can use to enhance their cybersecurity.
The framework is a deliverable from Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which President Obama announced in the 2013 State of the Union.
Through the development of this framework, industry and government aim to strengthen the security and resiliency of critical infrastructure in a model of public-private cooperation.
Over the past year, individuals and organizations have provided their thoughts on the kinds of standards, best practices, and guidelines that would meaningfully improve critical infrastructure cybersecurity. The Department of Commerce's National Institute of Standards and Technology (NIST) consolidated that input into the voluntary Cybersecurity Framework.
The framework gathers existing global standards and practices to help organizations understand, communicate, and manage their cyber risks. For organizations that don’t know where to start, the framework provides a road map. For organizations with more advanced cybersecurity, the framework offers a way to better communicate with their CEOs and with suppliers about management of cyber risks.
Each of the framework components (the Framework Core, Profiles, and Tiers) is designed to reinforce the connection between business drivers and cybersecurity activities.
The framework also offers guidance regarding privacy and civil liberties considerations that may result from cybersecurity activities.
- The Framework Core is a set of cybersecurity activities, desired outcomes, and informative references (citations to existing standards and guidelines) that are common across critical infrastructure sectors. The activities are grouped under five functions, Identify, Protect, Detect, Respond, and Recover, which together give a high-level view of how an organization manages cyber risk.
- The Profiles help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources. A Current Profile describes the outcomes an organization is achieving today, a Target Profile describes the outcomes it needs to achieve, and the gap between the two is what companies use to understand their current cybersecurity state, to prioritize improvements, and to measure progress toward the target state.
- The Tiers give organizations a way to characterize their approach and processes for managing cyber risk. The Tiers range from Partial (Tier 1) through Risk Informed (Tier 2) and Repeatable (Tier 3) to Adaptive (Tier 4), and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and how far it is integrated into the organization’s overall risk management practices. A Tier is a description of current practice, not a maturity score, and a higher Tier is only worthwhile where the cost is justified by a reduction in risk.