Commerce.gov is getting a facelift soon. See the new design.
Syndicate content

Blog Category: Cybersecurity Framework

NIST Releases Preliminary Cybersecurity Framework, Will Seek Comments

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) today released its Preliminary Cybersecurity Framework to help critical infrastructure owners and operators reduce cybersecurity risks in industries such as power generation, transportation and telecommunications. In the coming days, NIST will open a 45-day public comment period on the Preliminary Framework and plans to release the official framework in February 2014, as called for in Executive Order 13636—Improving Critical Infrastructure Cybersecurity

In February 2013, President Obama directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks, recognizing that U.S. national and economic security depends on the reliable functioning of critical infrastructure. Through a request for information and a series of workshops held throughout 2013, NIST engaged with more than 3,000 individuals and organizations on standards, best practices and guidelines that can provide businesses, their suppliers, their customers and government agencies with a shared set of expected protections for critical information and IT infrastructure. 

The Preliminary Framework outlines a set of steps that can be customized to various sectors and adapted by both large and small organizations while providing a consistent approach to cybersecurity. It offers a common language and mechanism for organizations to determine and describe their current cybersecurity posture, as well as their target state for cybersecurity. The framework will help them to identify and prioritize opportunities for improvement within the context of risk management and to assess progress toward their goals. 

Protecting the Nation’s Critical Infrastructure

NIST logo

Guest blog post by Patrick Gallagher, Under Secretary  of Commerce for Standards and Technology and Director, National Institute of Standards and Technology

Just about everything these days—from banking to health care to the electricity powering our homes—is rooted in cyberspace. This any time, any where interconnected world unfortunately brings with it a constantly evolving set of security challenges. 

That’s why President Obama directed the National Institute of Standards and Technology (NIST) to work with industry on a voluntary cybersecurity framework for better protecting the nation’s critical infrastructure.

The idea is to use existing standards, guidelines and best practices to reduce cyber risk across sectors and develop capabilities to address the full-range of quickly changing threats. The framework will provide a flexible toolkit any business or other organization can use to gauge how well prepared it is to manage cyber risks and what can be done to strengthen its defenses.

It is vital that companies understand their digital assets and accurately assess the maturity of their cyber protections so they can properly allocate resources.  These needs stretch across a spectrum from maintaining awareness of existing threats to preventing, detecting, and responding to attacks to recovering from them.

A Chance to Comment on Commerce’s Report on Cybersecurity Incentives

Cybersecurity (keyboard with a key silhouette on it)

As part of the Executive Order  signed by President Obama last month directing agencies to use their existing authorities and work with the private sector to better protect our nation’s power, water, and other critical systems, the Commerce Department is preparing a report on ways to incentivize companies and organizations to improve their cybersecurity.  To better understand what stakeholders –  such as companies, trade associations, academics and others – believe would best serve as incentives, the Department has released a series of questions to gather  public comments in a Notice of Inquiry published today.

The national and economic security of the United States depends on the strength of our nation’s critical infrastructure. The cyber threat to critical infrastructure is growing, and represents one of the most serious national security challenges that the United States must confront. As the President stated in the Executive Order, “repeated cyber intrusions into America’s critical infrastructure demonstrate a need for improved cybersecurity.”

As a first step toward protecting critical infrastructure, the Executive Order tasks the Department of Homeland Security (DHS) to identify the systems that could be affected by a cybersecurity incident which could in catastrophic regional or national effects on public health or safety, economic security, or national security.  Second, the National Institute of Standards and Technology (NIST) will develop a framework consisting of a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. This Cybersecurity Framework will provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach to improving cybersecurity, which will help owners and operators of critical infrastructure identify, assess and mange cyber risk. Third, DHS will work with sector-specific agencies to develop the Critical Infrastructure Cybersecurity Program to promote voluntary adoption of the Framework.

The Department of Commerce's Role in Improving Critical Infrastructure Cybersecurity

Deputy Secretary Rebecca Blank at Cybersecurity announcement

Last week, President Obama signed an Executive Order to strengthen the cybersecurity of this nation’s critical infrastructure. Threats from cyber attacks that could disrupt our power, water, and other critical systems are one of the most pressing risks facing both our nation’s security and our nation’s economy in the 21st century. So, in the absence of legislation to mitigate these threats to our infrastructure, the Executive Order directs federal agencies to use their existing authorities and work with the private sector to better protect our nation’s critical systems. 

We at the Commerce Department have an important role to play when it comes to strengthening the nation’s cybersecurity. In accordance with the president’s Executive Order, Commerce’s National Institute of Standards and Technology (NIST) will be leading the development of one of the Executive Order’s principle outcomes: a voluntary Cybersecurity Framework to reduce cyber risks.