Executive Order 13636, Improving Critical Infrastructure Cybersecurity, has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. This cybersecurity framework is being developed in an open manner with input from stakeholders in industry, academia, and government, including a public review and comment process, workshops, and other means of engagement.
The third Cybersecurity Framework workshop was hosted July 10-12, 2013 in San Diego by the University of California, San Diego (UCSD) and the National Health Information Sharing and Analysis Center (NH-ISAC). At this workshop, NIST presented an annotated outline of the initial draft Cybersecurity Framework for discussion. Participants were asked to review posted materials (available on this site by June 28, 2013) prior to arrival at the Workshop and to come prepared to offer substantive input on the level of guidance, integration with existing standards, practices, and guidelines, and potential gaps.
Workshop Target Audience: Critical Infrastructure owners and operators and their cybersecurity staff, specifically those with operational, managerial, and policy experience and responsibilities for cybersecurity, technology, and/or standards development at Critical Infrastructure companies.
DRAFT Outline - Preliminary Cybersecurity Framework, July 1, 2013
The purpose of this document is to define the overall Framework and provide guidance on its usage. The primary audiences for the document, and the intended users of the Framework, are critical infrastructure owners and operators and their partners. However, it is expected that many other organizations facing cybersecurity challenges may benefit from adopting the Framework, which is being designed to be relevant to organizations of nearly every size and composition. It is also expected that organizations already using appropriate cybersecurity standards, guidelines, and practices productively and successfully, including those who contributed suggestions for inclusion in this document, will continue to benefit from using those tools.
DRAFT - Framework Core
The Framework Core offers a high-level, overarching view of how an organization manages cybersecurity risk by focusing on the key functions of its approach to security. Each function is broken down further into categories and subcategories. The Framework's core structure consists of:
- Five major cybersecurity functions, with their categories and subcategories
- Three Framework Implementation Levels, which describe how well an organization implements the Framework across its cybersecurity functions
DRAFT - Compendium
The Framework's core also includes a compendium of informative references: existing standards, guidelines, and practices that assist with specific implementation.
The compendium of informative references, which includes standards, guidelines, and best practices, is provided as an initial data set that maps specific references to subcategories, categories, and functions. The compendium points to many standards, including both performance-based and process-based standards. These are intended to be illustrative and to help organizations identify and select standards for their own use and map them into the core Framework. The compendium also offers practices and guidelines, including practical implementation guides.