[Image: National Institute of Standards and Technology, NIST Boulder Building 1 (Geoffrey Wheeler / National Institute of Standards)]
The government is one step closer to finalizing what will become a framework of best practices and voluntary standards for securing critical infrastructure systems.
The National Institute of Standards and Technology on Wednesday released a preliminary draft of the framework, which includes a host of standards and guidelines for companies to measure how well they know which systems to protect, based on priority and impact to the company’s mission, and how well they can detect, prevent, respond to and recover from a cyber attack. The framework advises critical infrastructure companies to:
■ Inventory and track physical devices, systems and software applications and platforms within the organization.
■ Protect remote access to organizational networks, including telework guidance, mobile device access restrictions, and cloud computing policies and procedures.
■ Reduce the potential for abuse of authorized privileges by eliminating unnecessary assets, implementing separation-of-duties procedures and enforcing least-privilege requirements.
■ Integrate cybersecurity practices and procedures with human resources management, such as personnel screenings, departures and transfers.
■ Perform personnel and system monitoring activities over external service providers.
“The Framework complements, and does not replace, an organization’s existing business or cybersecurity risk management process and cybersecurity program,” according to the document. The goal is to ensure the framework can be adapted to meet the unique threats facing a company, is cost-effective to implement, focuses on outcomes and complements rather than conflicts with current regulatory authorities.
NIST has been working with industry to construct the framework. Under the president’s cybersecurity executive order released in February, NIST has until October to publish a draft framework that includes those standards. A final version of the framework is due in February.
Companies that adhere to the voluntary standards could be rewarded with preferences in obtaining federal grants, lower insurance rates or public recognition, Michael Daniel, the White House cybersecurity coordinator, said in a blog post this month. The Department of Homeland Security and other agencies have been directed to suggest ways to encourage companies to adopt the standards.
The document released Wednesday is a discussion draft NIST is using to solicit feedback from the public before finalizing the draft framework. Specifically, NIST wants to know whether the preliminary draft, as presented, is inclusive of, and not disruptive to, effective cybersecurity practices; adequately defines outcomes that strengthen cybersecurity and support business objectives; and provides sufficient guidance and resources to aid businesses of all sizes.
NIST expects implementation of the framework will vary by company because each uses information technology and operational technology differently.
The document also includes a methodology for protecting privacy and civil liberties, such as identifying all personally identifiable information a company collects or retains that may be accessible and auditing access to databases that contain PII.