On July 1, 2013, the National Institute of Standards and Technology (“NIST”) issued a preliminary draft outline of the Cybersecurity Framework that is being developed pursuant to the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”).
President Obama issued the Executive Order in the aftermath of the 112th Congress’ failure to pass Administration-backed cybersecurity legislation in the Senate. The Executive Order addresses a number of issues, including information sharing, the identification of critical infrastructure for which a cybersecurity incident could have catastrophic consequences, and the development and adoption of a Cybersecurity Framework to reduce cyber risk.
Section 7 of the Executive Order requires NIST to develop a Cybersecurity Framework using an open, public process that invites input from government agencies, owners and operators of critical infrastructure, and other stakeholders. It requires NIST to publish a preliminary version of the Cybersecurity Framework by October 12, 2013, and a final version by February 12, 2014.
NIST has moved aggressively in its work on the Framework. Shortly after the Executive Order was issued in February, NIST published a Request for Information in the Federal Register. The request received hundreds of comments from stakeholders. NIST also hosted public workshops (in Washington, D.C. in early April, and in Pittsburgh in late May), and will be hosting a workshop in San Diego on July 10-12, 2013. In addition to the preliminary draft outline of the Cybersecurity Framework, NIST also published a compendium of informative references that includes standards, guidelines and best practices.
The preliminary draft outline is five pages long and lists sections NIST expects will be included in the Cybersecurity Framework, among them instructions for using the framework, a risk management approach, illustrative examples and information on the framework development process.