High voltage power lines are seen near the Burbank Water and Power natural gas-fueled power plant on June 24 in Burbank, Calif. (Kevork Djansezian/Getty Images)
The National Institute of Standards and Technology on Tuesday released a draft outline of what will become a framework of best practices and voluntary standards for securing critical infrastructure systems.
Under the president’s cybersecurity executive order released in February, industry will create the voluntary security standards for critical infrastructure companies, with oversight from NIST. The agency will publish a draft cybersecurity framework by October that includes those standards and will work with the Department of Homeland Security to publish a final version of the framework within a year.
According to the draft outline, the framework will help senior executives evaluate how prepared they are to deal with potential cybersecurity-related impacts on their systems and their ability to deliver products and services. Currently, the framework will include five major cybersecurity functions and subcategories for executives to measure how well they know what systems need to be protected, based on priority and impact to the company’s mission, and how well they can detect, prevent, respond to and recover from an attack.
The framework is intended for companies that own and operate critical systems, such as the electric grid and chemical plants, and that agree to follow voluntary standards under the framework. Although industry is supposed to play a central role in developing the standards, NIST said it needs more information about “standards, guidelines, and practices to address privacy and civil liberties issues” and stressed the scarcity of helpful metrics for determining the effectiveness of a company’s cyber practices.
The draft will be discussed at an upcoming NIST workshop July 10-12 at the University of California, San Diego.