Through the development of this Framework, industry and government are strengthening the security and resiliency of critical infrastructure in a model of public-private cooperation. Over the past year, individuals and organizations throughout the country and across the globe have provided their thoughts on the kinds of standards, best practices, and guidelines that would meaningfully improve critical infrastructure cybersecurity. The National Institute of Standards and Technology (NIST) consolidated that input into the voluntary Cybersecurity Framework that we are releasing today.
The Framework gathers existing global standards and practices to help organizations understand, communicate, and manage their cyber risks. For organizations that don’t know where to start, the Framework provides a road map. For organizations with more advanced cybersecurity, the Framework offers a way to better communicate with their CEOs and with suppliers about management of cyber risks. Organizations outside the United States may also wish use the Framework to support their own cybersecurity efforts.
Each of the Framework components (the Framework Core, Profiles, and Tiers) reinforces the connection between business drivers and cybersecurity activities. The Framework also offers guidance regarding privacy and civil liberties considerations that may result from cybersecurity activities.
The Framework Core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions -- Identify, Protect, Detect, Respond, Recover -- that provide a high-level view of an organization’s management of cyber risks.
The Profiles can help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources. Companies can use the Profiles to understand their current cybersecurity state, support prioritization, and to measure progress towards a target state.
The Tiers provide a mechanism for organizations to view their approach and processes for managing cyber risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and its integration into an organization’s overall risk management practices.
Though the adoption of the Framework is voluntary, the Department of Homeland Security (DHS) has established the Critical Infrastructure Cyber Community (C3) Voluntary Program as a public-private partnership to increase awareness and use of the Cybersecurity Framework. The C3 Voluntary Program will connect companies, as well as federal, state, local, tribal, and territorial partners, to DHS and other federal government programs and resources that will assist their efforts in managing their cyber risks. Participants will be able to share lessons learned, get assistance, and learn about free tools and resources that can help them.
Federal executive branch civilian agencies are evaluating how they will use the Framework to enhance the protection of their systems, and State and local governments are also looking at how they can leverage capabilities found in the Framework to assist managing their cybersecurity risk. DHS is developing the Voluntary Program to respond to state and local government needs, and it is examining incentives tailored to these stakeholders.