Guest blog post by Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and Director, National Institute of Standards and Technology
Just about everything these days—from banking to health care to the electricity powering our homes—is rooted in cyberspace. This anytime, anywhere interconnected world unfortunately brings with it a constantly evolving set of security challenges.
That’s why President Obama directed the National Institute of Standards and Technology (NIST) to work with industry on a voluntary cybersecurity framework for better protecting the nation’s critical infrastructure.
The idea is to use existing standards, guidelines and best practices to reduce cyber risk across sectors and develop capabilities to address the full range of quickly changing threats. The framework will provide a flexible toolkit any business or other organization can use to gauge how well prepared it is to manage cyber risks and what can be done to strengthen its defenses.
It is vital that companies understand their digital assets and accurately assess the maturity of their cyber protections so they can properly allocate resources. These needs stretch across a spectrum from maintaining awareness of existing threats to preventing, detecting, and responding to attacks to recovering from them.
Development of the framework is a NIST-coordinated but industry-led effort that draws on standards and best practices already available. Any effort to better protect critical infrastructure must be supported and implemented by the owners and operators of that infrastructure.
Our task hinges on bringing the right people with the right expertise to the table. For the last several months, we’ve been soliciting information on the current state of cyber threats and security, how to identify and manage risk, what standards exist or are needed, and how the framework should address these issues.
Our first two meetings in Washington, D.C. and Pittsburgh were well attended, and represented an array of industries. We received more than 200 comments in response to our Request for Information. But we still need your input. We need to hear from you about what works and what additional tools you need.
As described in an update we’ve posted, we particularly want to hear more about foundational cybersecurity practices, ideas for how to manage privacy and civil liberties needs, and outcome-oriented metrics that leaders can use in evaluating the position and progress of their organizations’ cybersecurity status.
In a few weeks, we expect to post an outline of the preliminary cybersecurity framework, including existing standards and practices.
Then from July 10-12 we’ll be hosting our 3rd Cybersecurity Framework Workshop in San Diego, where the private sector will be able to help us fill in the framework in more detail. If your company or organization supports the critical infrastructure, I hope you will join us in person or online through our webcast. If you can’t join us in San Diego, please submit your ideas and suggestions to cyberframework[at]nist[dot]gov.
The framework will only be as good as the input we receive. So I urge you to get involved. Help us leverage the strengths of the private and public sectors and develop solutions in which both are invested.
The best way to ensure the security of the nation’s critical infrastructure is not by dictating solutions to industry. It’s by collaborating and encouraging innovation so that the private sector has effective, globally scalable practices that better protect against cyber threats and meet a wide range of business needs.