Recent Posts

Recent Blog Posts

The PhishLabs Blog

NIST releases new cybersecurity framework - initial thoughts

Posted by Stacy Shelley on Feb 13, '14

NIST issued a voluntary cybersecurity framework yesterday per last year's executive order from President Obama. Here is the NIST press release announcing the new framework: http://www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm

On first read, a few thoughts:

  • "Partial," "Risk Informed," "Repeatable," and "Adaptive" are useful tiers for evaluation. But don't expect many companies in the "Partial" tier to use a voluntary framework.
  • Because it's a framework, not a standard, it is not very explicit in defining when an outcome is met. Organizations will need to rely on their preferred standard(s) to figure out where they stand.
  • But NIST tries to make this easier by referencing well-accepted standards (ISO/IEC 27001, COBIT, NIST SP 800-53, etc.) in line with the target outcomes of the framework.
  • The Framework Core sections (Identify, Protect, Detect, Respond, Recover) are fairly comprehensive and consistent with best practices espoused by the security industry for years.
  • The framework mentions protection of privacy and civil liberties when conducting cybersecurity activities, but it's not a significant focus of the framework core. 
  • There's not much said about the need for better monitoring and intelligence gathering for threats outside the network. It would have been good to see that discussed more. Much of the push for better and more actionable threat intelligence is being driven by "Adaptive" security teams that are now looking for ways to get an edge on their adversaries.

NIST_Framework
Click to view the new NIST Framework for Improving Critical Infrastructure Cybersecurity

Overall, the new framework is a good step in the right direction and it will be interesting to see its impact over time. Given that it's voluntary, how strong will adoption be? Does it set the stage for mandatory federal requirements, or stronger penalties, down the road? How will the myriad of federal regulatory bodies use it? Will it serve as a good baseline for state regulations? 

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all