On October 23rd, the National Institute of Standards and Technology (NIST) released its report, “Preliminary Cybersecurity Framework,” a guide for helping organizations improve their cybersecurity and respond to cybersecurity threats. The report is a response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity.
NIST will take comments on the report from the public until December 24, 2013. NIST requires that comments be submitted using the formats available here. Comments may be submitted by email to NISTIR.7628.Rev1@nist.gov, or by traditional mail to:
The Information Technology Laboratory
ATTN: Adam Sedgewick
National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899-8930.
NIST has committed to posting all comments online in their entirety here.
The report outlines three areas of risk to be addressed:
- The Core – represents five activities that should be performed in identifying an organization's risk. The activities detailed are: Identify, Protect, Detect, Respond, and Recover.
- The Profile – aligns the Functions, Categories, Subcategories and industry standards and best practices with the business requirements, risk tolerance, and resources of the organization.
- The Implementation Tiers – describes how an organization manages its cybersecurity risk.
The official framework meeting the executive order will be released in February 2014. At this time, adoption of and compliance with the framework are set to be voluntary.