NIST issued a voluntary cybersecurity framework yesterday per last year's executive order from President Obama. Here is the NIST press release announcing the new framework: http://www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm
On first read, a few thoughts:
- "Partial," "Risk Informed," "Repeatable," and "Adaptive" are useful tiers for evaluation. But don't expect many companies in the "Partial" tier to use a voluntary framework.
- Because it's a framework, not a standard, it is not very explicit in defining when an outcome is met. Organizations will need to rely on their preferred standard(s) to figure out where they stand.
- But NIST tries to make this easier by listing well-accepted standards (ISO/IEC 27001, COBIT, NIST SP 800-53, etc.) as informative references alongside each of the framework's target outcomes.
- The Framework Core sections (Identify, Protect, Detect, Respond, Recover) are fairly comprehensive and consistent with best practices espoused by the security industry for years.
- The framework mentions protection of privacy and civil liberties when conducting cybersecurity activities, but it's not a significant focus of the framework core.
- There's not much said about the need for better monitoring and intelligence gathering for threats outside the network. It would have been good to see that discussed more. Much of the push for better and more actionable threat intelligence is being driven by "Adaptive" security teams that are now looking for ways to get an edge on their adversaries.
Overall, the new framework is a good step in the right direction, and it will be interesting to see its impact over time. Given that it's voluntary, how strong will adoption be? Does it set the stage for mandatory federal requirements, or stronger penalties, down the road? How will the many federal regulatory bodies use it? Will it serve as a good baseline for state regulations?