IT Security: NIST's Cybersecurity Framework

The national and economic security of the United States depends on the reliable functioning of critical infrastructure, but what happens when this infrastructure is at risk? Recognizing the importance of infrastructure reliability, the President (under the Executive Order "Improving Critical Infrastructure Cybersecurity") has directed the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.

Over the next few months, NIST will complete the selection of initial components for the Cybersecurity Framework and publish a preliminary draft for review. It is widely anticipated that the Cybersecurity Framework will improve upon the current shortcomings of FISMA by adopting several controls for continuous monitoring and by allowing agencies to move away from compliance-based assessments toward a real-time, risk-based approach. Over the next 18 months there will be a gradual shift to the Cybersecurity Framework, but significant challenges remain.

Challenges Ahead

First, the program is voluntary, and it remains to be seen what the adoption rate will be in industry, especially among companies that don't consider themselves critical infrastructure.

Second, a main goal of the Cybersecurity Framework, as outlined by Executive Order 13636, is to promote information sharing between organizations. However, significant challenges exist in implementing an information sharing program, especially when it comes to classified agencies sharing threat information with non-classified agencies and industry.

Lastly, there may be unintended side effects for industry and technology providers as part of the Cybersecurity Framework. Currently, the definition of critical infrastructure, as outlined by the Cybersecurity Framework, is exceptionally broad. Subjecting industry and technology partners that support government agencies to increased regulation may stifle innovation and ultimately result in increased costs to the federal government.

Welcome Update

Recent conversations with CISOs across several federal agencies have revealed that the new Cybersecurity Framework is a welcome update to existing models (such as the current version of FISMA and even CAESARS). Although CISOs are open to the new framework, significant challenges need to be addressed in order for the program to gain widespread adoption and positively impact the security of our nation's critical infrastructure.

Lee Vorthman, Cyber Practice Lead, NetApp U.S. Public Sector
