NIST Issues "Framework for Improving Critical Infrastructure Cybersecurity"; SIFMA Event to Follow (with Wainstein and Clearfield Comment)

The National Institute of Standards and Technology ("NIST") issued its "Framework for Improving Critical Infrastructure Cybersecurity," which provides a structure for organizations, regulators and customers to use to create, guide, assess or improve comprehensive cybersecurity programs.

In February 2013, President Barack Obama issued Executive Order 13636, which called for the development of a voluntary, risk-based cybersecurity framework. The resulting framework document issued by NIST is listed as "Version 1.0" and described as a "living" document that will need to be updated to keep pace with changes in technology, threats and other factors, as well as incorporate the lessons learned from its use.

The three main elements described in the NIST document are the framework core, tiers, and profiles. The core presents five functions: to identify, protect, detect, respond, and recover. The tiers describe the degree to which an organization's cybersecurity risk management meets goals set out in the framework, and the profiles help organizations reach a target improved state of cybersecurity.

NIST also released a "Roadmap" document to accompany the framework, which lays out a path toward future framework versions and ways to identify and address key areas for cybersecurity development, alignment and collaboration.

SIFMA CEO and President Kenneth Bentsen commented on the Cybersecurity Framework release, stating that SIFMA appreciates NIST's "open and inclusive process in developing its framework." Bentsen said that SIFMA will work with members to promote a greater understanding of the NIST framework and its implementation, and noted that SIFMA will hold an educational event, "Cybersecurity Standards: Exploring the NIST Framework," on March 18, 2014.

Wainstein Comment: This framework is an important resource for all businesses seeking to establish the processes and protections to defend against the cyber intrusions that are increasingly becoming a fact of life in today's economy.

Clearfield Comment: Cybersecurity is an emerging challenge for many pieces of key infrastructure, the financial markets included. As the world becomes more dependent on technology and automation, and systems become more connected, vulnerabilities will emerge from unexpected corners.

While exercises like SIFMA's Quantum Dawn II and NIST's voluntary cybersecurity framework are steps in the right direction, the devil is in the details. Consider that the theft of credit card data from Target was enabled by a network-connected heating system, and that the increase in connected devices may cause additional vulnerabilities for key infrastructure networks. To paraphrase Robert Frost, to keep the promises of the President's executive order to improve cybersecurity, we have miles to go before we sleep.

See: NIST Framework for Improving Critical Infrastructure Cybersecurity; NIST Roadmap for Improving Cybersecurity; NIST Press Release.
See also: SIFMA Statement on the Framework.
