By: Roberta D. Anderson, Bruce J. Heiman, David A. Bateman
On October 22nd, the National Institute of Standards and Technology (NIST) released its long-anticipated Preliminary Cybersecurity Framework for public review and comment. The Cybersecurity Framework was issued in accordance with President Obama’s February 19th Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which tasked NIST with developing a Cybersecurity Framework “to reduce cyber risks to critical infrastructure.” At a very high level, as its name indicates, the Cybersecurity Framework provides a framework for organizations to understand their current cybersecurity risk profile and risk management practices, to identify gaps that should be addressed in order to progress towards a desired “target” state of cybersecurity risk management, and to communicate efficiently, both internally and externally, about cybersecurity and risk management.
Although it applies to organizations in critical infrastructure, the Cybersecurity Framework may be used by any organization as part of its effort to assess cybersecurity practices and manage cybersecurity risk. This Alert discusses the Cybersecurity Framework’s risk-based three-part approach, Framework implementation, and incentives.