The National Institute of Standards and Technology (NIST) today released its final version of a national framework for improving critical infrastructure cybersecurity. The “living” document will be updated as industry reports back on its implementation.

The “Framework for Improving Critical Infrastructure Cybersecurity” is essentially composed of a core, tiers, and profiles. The core presents five functions—identify, protect, detect, respond, and recover—that taken together should “allow any organization to understand and shape its cybersecurity program,” NIST said. The tiers describe the degree to which an organization’s cybersecurity risk management meets goals set out in the framework and range from “informal, reactive responses to agile and risk-informed.” The profiles help organizations progress from a current level of cybersecurity sophistication to a target-improved state that meets business needs.

NIST also released a nine-page Roadmap that is composed partly of the “Areas of Improvement” section of the preliminary framework. These issues may be dealt with in future versions of the framework. They include promoting the usability of authentication approaches, identifying private sector conformity assessment activities, and urgently filling gaps in the skilled cybersecurity workforce.

A “Consensus Description,” Not Another Standard

The Cybersecurity Framework is not another standard. It is a high-level concept developed in response to Executive Order 13636 that brings together relevant standards and sets them in an appropriate context. “The framework provides a consensus description of what’s needed for a comprehensive cybersecurity program,” explained Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher in a statement today.

The framework document, labeled “Version 1.0,” follows a long collaborative process, including a series of five workshops, that vetted more than 245 responses from asset owners, product vendors, and consultants from all industry sectors. NIST issued a draft of the framework at the end of October 2013. The final version, issued today, will require ongoing maintenance and upkeep to reflect changing circumstances and feedback from users.

Legislative Action on Cybersecurity Possible in 2014

After Congress failed to pass cybersecurity legislation, President Obama in February 2013 signed the executive order that lays out the administration’s cybersecurity plans to protect the nation’s critical infrastructure. It directs NIST, in collaboration with industry, to lead the development of a framework of cybersecurity practices to reduce cyber risks to critical infrastructure. But it also orders federal agencies to use their existing authorities to provide better cybersecurity for the nation through increased collaboration with the private sector, and it requires federal agencies to produce unclassified reports of threats to U.S. companies.

Industry observers say legislative activity is possible in 2014 to promote information sharing between the government and private sector and to increase preparedness for cybersecurity incidents. According to law firm Van Ness Feldman LLP, however, the Edward Snowden affair and National Security Agency (NSA) disclosures have decreased the likelihood of reforms to speed the security clearance processes. “The classified documents released by Snowden shed light on what many believe to be the government’s offensive use of cyber vulnerabilities, a concern for many persons sharing information on vulnerabilities with government agencies,” it says.

“In 2014, we expect additional disclosures of cybersecurity risks resulting from the disclosure of NSA documents, additional legislative initiatives to focus on information sharing and liability protection and to provide some financial grants and other incentives for electric, natural gas, hydropower, and oil pipeline infrastructure to increase cybersecurity protection for critical assets,” Van Ness Feldman said in January. 

A bipartisan cybersecurity bill introduced in the Senate in 2012 failed to pass, even though sponsors had watered down the legislation to make minimum security standards voluntary. A 2013 version, backed by industry, passed the House in April and was approved by the Senate Committee on Commerce, Science, and Transportation, but it stalled thereafter.

Meanwhile, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corp. (NERC) last year issued the fifth version of the cybersecurity standards for FERC-jurisdictional electric utilities and expanded the scope of assets subject to mandatory reliability requirements in Critical Infrastructure Protection (CIP) Version 5.

Addressing Concerns

It is unclear how the final NIST Cybersecurity Framework version addresses the vast number of concerns submitted by stakeholders. For example, comments to NIST on the framework submitted jointly by eight major power and gas industry groups—including the American Public Power Association, the Edison Electric Institute, and the GridWise Alliance—call for the focus of the framework to be limited to systems and assets essential to critical infrastructure functions to ensure that available resources are targeted at reducing critical infrastructure cybersecurity risk.

At the same time, the groups said, the body of the framework should make it clear that the use or applicability of the subcategories may vary by organization. “For example, the Energy Sector not only includes organizations of various size and ownership structures, but also organizations that are a part of other critical infrastructures,” they wrote. “Establishing new protective cybersecurity technological or procedural controls can also undermine existing protections if not executed in a thoughtful, coordinated manner.”

Significantly, they also urge NIST to revise Appendix B to focus on protecting privacy and civil liberties implicated by critical infrastructure cybersecurity activities. Appendix B instead “appears to recommend independent privacy protections unrelated to the protection of critical infrastructure,” said the groups.

Other major industry players underscore NIST’s reported reluctance to be responsible for the Cybersecurity Framework’s development process over the long term. A number of companies, including Intel Corp. and its subsidiary McAfee, have said they would support a takeover of the long-term governance of the framework by an “industry-driven nonprofit organization.” In its Roadmap document released today, NIST says it will continue to serve in the capacity of “convener and coordinator” at least through Version 2.0 to ensure the framework advances steadily.

For an in-depth look at the framework and how it could help your organization, see POWER’s February 2014 feature: “NIST Cybersecurity Framework Aims to Improve Critical Infrastructure.”

Sonal Patel, associate editor (@POWERmagazine, @sonalcpatel)