NIST unveils cybersecurity framework
Framework has 'jumpstarted a vital conversation,' officials say
To help organizations protect their data assets from a growing number of cyber attacks, the Commerce Department's National Institute of Standards and Technology this week released a cybersecurity framework that organizations can use to create, assess or improve a comprehensive cybersecurity program.
The framework responds to a February 2013 executive order from President Barack Obama that called for a voluntary, risk-based cybersecurity framework: a set of existing standards, guidelines and practices to help organizations manage cyber risk. Officials say the framework, created through public-private collaboration, gives organizations a common language for addressing and managing cyber risk in a cost-effective way, without imposing new regulatory requirements on businesses.
"The framework provides a consensus description of what's needed for a comprehensive cybersecurity program," said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher, in a Feb. 12 press statement. "It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business."
Officials say groups can use the framework to determine their level of cybersecurity, set goals for cybersecurity in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity.
It also includes a methodology for protecting privacy and civil liberties, so that organizations can build those protections into a comprehensive cybersecurity program.
While today's framework is the culmination of a year-long effort that brought together thousands of individuals and organizations from industry, academia and government, it is considered the first step in a continuous process to improve the nation's cybersecurity.
Officials describe the framework document as a "living" document that will need to be updated to keep pace with changes in technology, threats and other factors, and to incorporate lessons learned from its use.
"The development of this framework has jumpstarted a vital conversation between critical infrastructure sectors and their stakeholders," added Gallagher. "They can now work to understand the cybersecurity issues they have in common and how those issues can be addressed in a cost-effective way without reinventing the wheel."
The document describes three main elements: the framework core, implementation tiers and profiles. The core presents five functions -- identify, protect, detect, respond and recover -- that, taken together, let an organization understand and shape a cybersecurity program. The tiers describe how rigorously an organization manages cybersecurity risk, from Tier 1 (Partial) to Tier 4 (Adaptive), and "range from informal, reactive responses to agile and risk-informed." Profiles compare an organization's current cybersecurity posture with a target state that meets its business needs; the gap between the two becomes the basis of its improvement plan.