Government Releases Draft Cybersecurity Framework -- Redmondmag.com

Government Releases Draft Cybersecurity Framework

The goal of the document is to bring both the public and private sectors to the same level of security so that information pertaining to threats can be easily shared between the two.

By Chris Paoli
10/23/2013

On Tuesday the National Institute of Standards and Technology (NIST) released its primary cybersecurity framework (PDF) aimed at both private enterprises and infrastructure networks.

The document's goal is to provide a voluntary how-to for organizations to protect themselves from outside attacks from hackers and how to guard against internal leaks and was part of President Obama's cybersecurity executive order issued in February.

"The Framework relies on existing standards, guidance, and best practices to achieve outcomes that can assist organizations in managing their cybersecurity risk," read the document. "By relying on those practices developed, managed, and updated by industry, the Framework will evolve with technological advances and business requirements."

The government-created framework focuses on five "cores" that organizations should be following to adequately manage and react to risks. They include:

Identify: "Develop the institutional understanding to manage cybersecurity risk to organizational systems, assets, data, and capabilities." According to the NIST, this involves understanding both the motivation behind an attack and clearly defining a risk strategy.
Protect: This tenant involves developing and implementing strong safeguards without interrupting the flow of critical infrastructure services.
Detect: This core focuses on fully identifying an issue and analyzing the threat to provide timely counteractions and to strengthen safeguards for future attacks.
Respond: Once an issue is detected, an effective plan should be formulated and actions prioritized to limit the amount of damage or infection.
Recover: According to the document, this step should "Develop and implement the appropriate activities, prioritized through the organization's risk management process, to restore the capabilities or critical infrastructure services that were impaired through a cybersecurity event."

While the framework's cores lay out a very basic and obvious security plan, the goal more than educating organizations on how to fully protect themselves is to get both the public and private sectors on the same page so that information can be more easily shared between the two, as evident with Obama's initial announcement of the executive order earlier this year.

"Greater information sharing within the government and with the private sector can and must be done while respecting privacy and civil liberties," read the order. "Federal departments and agencies shall ensure that all existing privacy principles, policies, and procedures are implemented consistent with applicable law and policy and shall include senior agency officials for privacy in their efforts to govern and oversee information sharing properly."

So far, one of the bigger criticisms I can see with this framework is that the fact that corporations are not forced to comply with the recommendations, there is no incentive to follow it by the letter -- something this administration needs to occur to have the information sharing process flow smoothly. However, forcing these recommendations upon organizations will bring strong cries against unwanted or unnecessary regulation.

Further, I'm not quite sure who the framework benefits. While terminology may differ among the private and public sectors, the five core tenants put forth in the document are both basic and vague, and you would be hard-pressed to find any modern company not following a similar guideline today.

However, criticisms like these are exactly what the NIST wants to see with this draft before the final submission is handed over early next year.

"The goal of the framework is to bring together existing standards, policies and best practices into a tool organizations can use to ensure effective cybersecurity," NIST said in a statement. "We put out an early discussion draft to ensure that we got feedback -- including positive and negative -- on the framework as currently presented. We hope to get active participation from all stakeholders."

What's your thoughts? Is a comprehensive cybersecurity framework that stretches across both public and private sectors necessary? Does this document look to get us a step closer to that or is it a big waste of time? Let me know in the comments below.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.