NIST set to release its final ‘Cybersecurity Framework’ document

The National Institute of Standards and Technology (NIST) plans to issue on Feb. 18 its long-awaited “Cybersecurity Framework,” which is aimed at reducing cyber risks at the nation’s critical infrastructure.

The Framework can be seen on the NIST Web site by clicking here.

“Given the diversity of sectors in critical infrastructure, the Framework development process was designed to initially identify cross-sector security standards and guidelines that are immediately applicable or likely to be applicable to critical infrastructure, to increase visibility and adoption of those standards and guidelines, and to find potential areas for improvement (i.e., where standards/guidelines are nonexistent or where existing standards/guidelines are inadequate) that need to be addressed through future collaboration with industry and industry-led standards bodies,” explains a notice issued by NIST in the Federal Register.

The Framework — which is a requirement outlined in Executive Order 13636, Improving Critical Infrastructure Cybersecurity — has been in development for nearly one year, based on a Request for Information (RFI) published on Feb. 26, 2013; a series of five public workshops; and a 45-day public comment period.

The Framework does not prescribe “particular technological solutions or specification,” explains the NIST notice. Instead, the Framework includes “guidance for measuring the performance of an entity…”

While the Framework was specifically developed to address the security needs of critical infrastructure, NIST expects that the Framework will also help promote the wide adoption of practices that it believes can increase cybersecurity across all sectors and industry types.

Further information about the Framework is available from Diane Honeycutt, of NIST, at diane.honeycutt@nist.gov.