In February 2014, the National Institute of Standards and Technology (NIST) released version 1.0 of a set of voluntary guidelines, the Framework for Improving Critical Infrastructure Cybersecurity, commonly called the Cybersecurity Framework. Developed under Executive Order 13636, the document is designed to help organizations in sectors such as finance, healthcare, and government services manage cybersecurity risk to critical infrastructure more consistently.
Compiled with significant input from the private sector, the Cybersecurity Framework isn't a prescriptive compliance document; it gives organizations wide latitude in how they use it to inform their security strategies. As a new source of guidance, its implications for regulated industries aren't clear yet. However, it could spark interest in measures such as cyberinsurance, which only make sense to buy or underwrite when stakeholders have a clear picture of the kinds of risk they face.
The main details of the Cybersecurity Framework
NIST's Cybersecurity Framework is structured around a Core of five concurrent functions, each of which is broken down into categories and subcategories mapped to informative references (existing standards such as ISO/IEC 27001, COBIT, and NIST SP 800-53):
- Identify pertains to areas such as asset management and governance.
- Protect covers processes for data security, protective technology, and maintenance.
- Detect addresses continuous monitoring and network anomalies.
- Respond deals with mitigation, analysis, and planning.
- Recover includes recovery planning, improvement, and communications.
Together, these functions and their categories and subcategories give organizations a common structure for describing their current cybersecurity posture and gauging risk. Ideally, once organizations are better informed, they will improve their cybersecurity processes and distribute responsibility appropriately across the organization.
“With an understanding of risk tolerance, organizations can prioritize cybersecurity activities, enabling organizations to make informed decisions about cybersecurity expenditures,” stated the framework authors. “Implementation of risk management programs offers organizations the ability to quantify and communicate adjustments to their cybersecurity programs.”
The Cybersecurity Framework also defines four Implementation Tiers (Partial, Risk Informed, Repeatable, and Adaptive) that describe how rigorous and how well integrated an organization's risk management practices are; the framework is explicit that the tiers are not maturity levels, and that moving to a higher tier is only worthwhile when it reduces risk cost-effectively. It puts senior executives squarely in the loop: they set mission priorities, available resources, and risk tolerance, and are expected to make informed decisions on that basis. Goals are codified in Profiles, where a Current Profile captures the outcomes being achieved today, a Target Profile describes the desired state, and the gap between the two drives a prioritized action plan against which progress can be measured.
The possible effects of the Cybersecurity Framework
As BakerHostetler’s Gerald Ferguson suggested, the Cybersecurity Framework may establish a standard vocabulary that organizations can use to consistently assess each other’s risks. For organizations such as banks, implementation of the suggested practices could make more of them eligible for cyberinsurance.
This change would be welcome, given the rising exposure of financial institutions to cyberattacks. Similarly, the Cybersecurity Framework may give organizations a consistent set of guidelines for addressing emerging issues such as mobile malware, the management of large data sets, and the rise of cloud computing.
For now, the Cybersecurity Framework is voluntary, which separates it from prescriptive standards such as PCI DSS or from requirements imposed by legislation. Still, its influence could be significant enough to shape additional regulation down the road, so it makes sense for institutions to understand it as well as possible.
“We believe that the framework stands on its own and can be an incredibly powerful tool for enabling the kinds of conversations that need to happen between boards of directors and between government and industry,” stated a senior Obama administration official, according to BankInfoSecurity. “The framework … can be leveraged to make real improvements, regardless of what happens [on legislation].”