Patrick Gallagher, center, director of the National Institute of Standards and Technology (NIST), provides a tour Aug. 2 to Commerce Secretary Penny Pritzker, second from right, of a laboratory at NIST headquarters in Gaithersburg, Md. NIST is developing a set of voluntary cybersecurity standards for the private sector. (Commerce Department)
“Thanks to a tremendous amount of industry input, the voluntary framework provides a flexible, dynamic approach to matching business needs with improving cybersecurity,” said NIST Director Patrick Gallagher.
The public will have 45 days to submit comments to the agency. NIST plans to release an official framework in February.
“We encourage organizations to begin reviewing and testing the preliminary framework to better inform the version we plan to release in February,” Gallagher said.
The draft framework includes:
■ Guidelines for developing strategies to identify, protect against, detect, respond to and recover from cyberattacks and cyber incidents;
■ Methodologies for protecting privacy and civil liberties while securing data and access to networks; and
■ Guidelines for how to manage cybersecurity risk and how to create different levels of implementation that allow companies to build upon and improve previous cybersecurity efforts.
Gallagher said many of the guidelines in the framework will not be surprising to most, since NIST gathered best practices to include in the draft.
But he said the framework does not guarantee that cyberattacks will stop or that companies will be fully protected.
“This is not a magic bullet here,” Gallagher said. “This is not about eliminating cyber risk — the framework is about managing it effectively.”