There’s no disputing the importance of a reliable and well-functioning critical infrastructure when it comes to our daily lives—in fact, our national and economic security depend on it. Because our critical infrastructure systems are becoming increasingly complex and connected, we need to understand the real risk of cybersecurity threats and how these threats can impact the nation’s economy, security, public safety and overall health. Cybersecurity threats can also impact companies, reputations and the ability to innovate.
Basically, it’s kind of a big deal!
NIST developed the Cybersecurity Framework to enhance the security and resilience of the nation’s critical infrastructure. The voluntary risk-based Framework integrates a set of industry standards and best practices to help organizations manage cybersecurity risks. NIST worked alongside other government agencies and the private sector to establish the resulting Framework, which uses a common language to address and manage cybersecurity risk. The process of engaging the private and public sectors in developing the Framework went so well that Congress added that responsibility to NIST’s role through the Cybersecurity Enhancement Act of 2014.
What else do we need to know?
We will soon be releasing a second draft of the Framework (version 1.1) for public comment. With a large part of the update process behind us, we anticipate this draft will be finalized in a relatively short time. Why are we doing an update? Well, to keep pace with trends in threats and technology, we believe the Framework must be a living document. NIST works with stakeholders to determine which best practices that apply to specific sectors or communities—such as the legal and insurance sectors and cloud communities—might also apply to all Framework users. NIST gathers that input from its stakeholders via request-for-information (RFI) responses, as well as conversations at meetings and workshops.
Through our years of work on the Framework at NIST—and through our collaborative efforts with cybersecurity stakeholders around the globe—we have come across a lot of best practices and work products that have both helped guide our way and inspired us to keep doing what we do. You can find lots of great examples, including the ones below, on our website.
So, without further ado and in honor of the conclusion of National Cybersecurity Awareness Month, we present you a select list of critical infrastructure resources that describe sector best practices,* which we have grouped and sorted alphabetically by area or sector for ease of use.
- Federal Communications Commission (FCC) Communications, Security, Reliability and Interoperability Council’s (CSRIC) Cybersecurity Risk Management and Best Practices Working Group 4: Final Report
- Department of Energy’s Energy Sector Cybersecurity Framework Implementation Guidance
- Ontario Energy Board’s Implementation for Non-Bulk Electric Distribution
- Securities Industry and Financial Markets Association’s Small Firms Cybersecurity Guidance: How Small Firms Can Better Protect Their Business
- The Financial Industry Regulatory Authority Report on Cybersecurity Practices
- Federal Financial Institutions Examination Council’s Mapping Cybersecurity Assessment Tool to NIST Cybersecurity Framework
- Financial Services Sector Coordinating Council’s Customization and Profile
- The Joint HPH Cybersecurity Working Group’s Healthcare Sector Cybersecurity Framework Implementation Guide
- Food and Drug Administration’s Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
- Health and Human Services’ HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework
- HITRUST’s Healthcare Model Approach to Critical Infrastructure Cybersecurity White Paper
- An Intel Use Case for the Cybersecurity Framework in Action
- Department of Homeland Security’s Critical Manufacturing Sector Cybersecurity Framework Implementation Guidance
- NIST’s Manufacturing Profile
- United Nations’ International Maritime Organization Interim Guidelines on Maritime Cyber Risk
- United States Coast Guard’s Navigation and Vessel Inspection Circular 05-17: Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities
As we finalize Version 1.1 of the Framework and work on future versions in collaboration with our stakeholders, we will continue the conversation about which best practices are best suited for inclusion in the Framework. And if you have sector and community resources you think should be considered, please send them to us.
In the future, check out our Framework website for updates and news about what we’re up to. We look forward to more sharing, communicating and collaborating.
Source : NIST