Now that the US National Institute of Standards and Technology (NIST) has released the official version of its Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity, meant to promote public-private information sharing, the question becomes how to spur along implementation by organizations. To help ease the process, the Information Security Forum (ISF) has created a mapping between the framework and its annual Standard of Good Practice for IT security professionals.
As cybersecurity increasingly becomes a national security issue and one that impacts critical infrastructure like utilities, oil and gas, the water supply and industrial control systems, governments are taking a more active role in defining responses to cyber-threats. In an initiative first mandated via an executive order issued by President Barack Obama, NIST has released the first version of the Cybersecurity Framework, which is meant to provide a voluntary, methodical approach for organizations of all types to use to create, guide, assess or improve their cybersecurity plans for critical infrastructure.
In total, it comprises five functions of cybersecurity activity, with a strong focus on incident response. These functions are further divided into categories, which correspond to various domains of information security; and subcategories, which express various outcomes or control objectives within these domains.
The ISF’s standard is aimed at enabling organizations to meet those control objectives, but also, it says, extend well beyond the topics defined in the framework to include coverage of essential and emerging topics, such as information security governance, supply chain management (SCM), data privacy, cloud security, information security audit and mobile device security.
“With the newly created mapping between the NIST Cybersecurity Framework and the Standard, ISF members can now determine which of their current controls satisfy the corresponding control objectives in the NIST Cybersecurity Framework, and thus demonstrate their alignment with it,” said Steve Durbin, managing director for the ISF, in a statement. “Using the NIST Cybersecurity Framework, together with the Standard and other information risk management tools, enables organizations of all sizes to effectively demonstrate to their stakeholders the progress they’ve made in building a robust cyber-resilience approach.”
Updated annually to reflect the latest findings from the ISF’s research program, input from global member organizations, trends from the ISF Benchmark and major external developments including new legislation and other requirements, the Standard is meant to act as a primary reference for information security. As such, it’s critical to align the two initiatives for a standardized taxonomy, Durbin noted.
“Although the NIST Cybersecurity Framework is voluntary and intended for guidance rather than as a formal standard, one of its goals was to provide security practitioners with a common language for cybersecurity,” he said. “This common language makes use of familiar topics in information security and clearly-expressed control objectives within those topics.”
The initiative by the ISF is timely: The framework was developed with industry in a collaborative and open process over the course of a year. Now, six months since its initial release, NIST is seeking public feedback on the framework. The idea is to work closely with industry groups, associations, non-profits, government agencies and international standards bodies to strengthen awareness of the framework and to promote its use as a basic, flexible and adaptable tool for managing and reducing cybersecurity risks.