Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President under the Executive Order “Improving Critical Infrastructure Cybersecurity” has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of information and information systems supporting critical infrastructure operations. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.
Background – NIST Responsibilities
NIST will develop the Framework in a manner that is consistent with its mission to promote U.S. innovation and industrial competitiveness. The Framework will be developed through ongoing engagement with, and input from, stakeholders in government, industry, and academia, including an open public review and comment process, workshops and other means of engagement.
To develop the Framework, NIST will use a Request for Information (RFI) and ongoing stakeholder engagement to: (i) identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities; (ii) specify high-priority gaps for which new or revised standards are needed; and (iii) collaboratively develop action plans by which these gaps can be addressed.
The Framework will seek to promote the wide adoption of practices to increase cybersecurity across all sectors and industry types. It will seek to provide owners and operators a flexible, repeatable and cost-effective risk-based approach to implementing security practices while allowing organizations to express requirements to multiple authorities and regulators.
Throughout the development of the Framework, NIST will host a series of events and workshops to gather additional input and develop the Framework. Look here for an updated schedule of events.
- Initial Workshop – TBD
NIST intends to issue a Request for Information (RFI) in the Federal Register to gather initial information on the many interrelated considerations, challenges, and efforts needed to develop the Framework.
To allow additional time for public review, the text of the RFI is included here. Once the Federal Register publishes the RFI, this page will be updated with a link to the notice and additional information on how to submit information in response to the RFI. It is anticipated that the RFI will allow 45 days for responses to be submitted. If you have any questions, please contact NIST at firstname.lastname@example.org.
As responses come in to the Request for Information, they will be publicly posted here to encourage wide review and public engagement.
For further information and/or questions about the Cybersecurity Framework, contact us at: email@example.com