26 February 2013
NIST Framework to Improve Critical Infrastructure Cybersecurity
[Federal Register Volume 78, Number 38 (Tuesday, February 26, 2013)]
[Notices]
[Pages 13024-13028]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-04413]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket Number 130208119-3119-01]
Developing a Framework To Improve Critical Infrastructure
Cybersecurity
AGENCY: National Institute of Standards and Technology, U.S. Department
of Commerce.
ACTION: Notice; Request for Information (RFI).
-----------------------------------------------------------------------
SUMMARY: The National Institute of Standards and Technology (NIST) is
conducting a comprehensive review to develop a framework to reduce
cyber risks to critical infrastructure \1\ (the ``Cybersecurity
Framework'' or ``Framework''). The Framework will consist of standards,
methodologies, procedures, and processes that align policy, business,
and technological approaches to address cyber risks.
---------------------------------------------------------------------------
\1\ For the purposes of this RFI the term ``critical
infrastructure'' has the meaning given the term in 42 U.S.C.
5195c(e), ``systems and assets, whether physical or virtual, so
vital to the United States that the incapacity or destruction of
such systems and assets would have a debilitating impact on
security, national economic security, national public health or
safety, or any combination of those matters.''
---------------------------------------------------------------------------
This RFI requests information to help identify, refine, and guide
the many interrelated considerations, challenges, and efforts needed to
develop the Framework. In developing the Cybersecurity Framework, NIST
will consult with the Secretary of Homeland Security, the National
Security Agency, Sector-Specific Agencies and other interested agencies
including the Office of Management and Budget, owners and operators of
critical infrastructure, and other stakeholders including other
relevant agencies, independent regulatory agencies, State, local,
territorial and tribal governments. The Framework will be developed
through an open public review and comment process that will include
workshops and other opportunities to provide input.
DATES: Comments must be received by 5:00 p.m. Eastern time on Monday,
April 8, 2013.
ADDRESSES: Written comments may be submitted by mail to Diane
Honeycutt, National Institute of Standards and Technology, 100 Bureau
Drive, Stop 8930, Gaithersburg, MD 20899. Submissions may be in any of
the following formats: HTML, ASCII, Word, RTF, or PDF. Online
submissions in electronic form may be sent to cyberframework@nist.gov.
Please submit comments only and include your name, company name (if
any), and cite
[[Page 13025]]
``Developing a Framework to Improve Critical Infrastructure
Cybersecurity'' in all correspondence. All comments received by the
deadline will be posted at http://csrc.nist.gov without change or
redaction, so commenters should not include information they do not
wish to be posted (e.g., personal or confidential business
information).
FOR FURTHER INFORMATION CONTACT: For questions about this RFI contact:
Adam Sedgewick, U.S. Department of Commerce, 1401 Constitution Avenue
NW., Washington, DC 20230, telephone (202) 482-0788, email
Adam.Sedgewick@nist.gov. Please direct media inquiries to NIST's Office
of Public Affairs at (301) 975-NIST.
SUPPLEMENTARY INFORMATION: The national and economic security of the
United States depends on the reliable functioning of critical
infrastructure, which has become increasingly dependent on information
technology. Recent trends demonstrate the need for improved
capabilities for defending against malicious cyber activity. Such
activity is increasing and its consequences can range from theft
through disruption to destruction. Steps must be taken to enhance
existing efforts to increase the protection and resilience of this
infrastructure, while maintaining a cyber environment that encourages
efficiency, innovation, and economic prosperity, while protecting
privacy and civil liberties.
Under Executive Order 13636 \2\ (``Executive Order''), the
Secretary of Commerce is tasked to direct the Director of NIST to
develop a framework for reducing cyber risks to critical infrastructure
(the ``Cybersecurity Framework'' or ``Framework''). The Framework will
consist of standards, methodologies, procedures and processes that
align policy, business, and technological approaches to address cyber
risks. The Department of Homeland Security, in coordination with
sector-specific agencies, will then establish a voluntary program to
support the adoption of the Cybersecurity Framework by owners and
operators of critical infrastructure and any other interested entities.
---------------------------------------------------------------------------
\2\ ``Executive Order 13636--Improving Critical Infrastructure
Cybersecurity'' 78 FR 11739 (February 19, 2013).
---------------------------------------------------------------------------
Given the diversity of sectors in critical infrastructure, the
Framework development process is designed to initially identify cross-
sector security standards and guidelines that are immediately
applicable or likely to be applicable to critical infrastructure, to
increase visibility and adoption of those standards and guidelines, and
to find potential gaps (i.e., where standards/guidelines are
nonexistent or where existing standards/guidelines are inadequate) that
need to be addressed through collaboration with industry and industry-
led standards bodies. The Framework will incorporate voluntary
consensus standards and industry best practices to the fullest extent
possible and will be consistent with voluntary international consensus-
based standards when such international standards will advance the
objectives of the Executive Order. The Framework would be designed to
be compatible with existing regulatory authorities and regulations.
The Cybersecurity Framework will provide a prioritized, flexible,
repeatable, performance-based, and cost-effective approach, including
information security measures and controls to help owners and operators
of critical infrastructure and other interested entities to identify,
assess, and manage cybersecurity-related risk while protecting business
confidentiality, individual privacy and civil liberties. To enable
technical innovation and account for organizational differences, the
Cybersecurity Framework will not prescribe particular technological
solutions or specifications. It will include guidance for measuring the
performance of an entity in implementing the Cybersecurity Framework
and will include methodologies to identify and mitigate impacts of the
Framework and associated information security measures and controls on
business confidentiality and to protect individual privacy and civil
liberties.
As a non-regulatory Federal agency, NIST will develop the Framework
in a manner that is consistent with its mission to promote U.S.
innovation and industrial competitiveness through the development of
standards and guidelines in consultation with stakeholders in both
government and industry. While the focus will be on the Nation's
critical infrastructure, the Framework will be developed in a manner to
promote wide adoption of practices to increase cybersecurity across all
sectors and industry types. In its first year, the emphasis will be on
finding commonality within and across the affected sectors. It will
seek to provide owners and operators the ability to implement security
practices in the most effective manner while allowing organizations to
express requirements to multiple authorities and regulators. Issues
relating to harmonization of existing relevant standards and
integration with existing frameworks will also be considered in this
initial stage.
In accordance with the Executive Order, the Secretary of Commerce
has directed the Director of the National Institute of Standards and
Technology (the Director) to coordinate the development of a Framework
to reduce the cyber risks to critical infrastructure. The Cybersecurity
Framework will incorporate existing consensus-based standards to the
fullest extent possible, consistent with requirements of the National
Technology Transfer and Advancement Act of 1995,\3\ and guidance
provided by Office of Management and Budget Circular A-119, ``Federal
Participation in the Development and Use of Voluntary Consensus
Standards and in Conformity Assessment Activities.'' \4\ Principles
articulated in the Executive Office of the President memorandum M-12-08
``Principles for Federal Engagement in Standards Activities to Address
National Priorities'' \5\ will be followed. The Framework should also
be consistent with, and support the broad policy goals of, the
Administration's 2010 ``National Security Strategy,'' 2011 ``Cyberspace
Policy Review,'' ``International Strategy for Cyberspace'' of May 2010
and HSPD-7 ``Critical Infrastructure Identification, Prioritization,
and Protection.''
---------------------------------------------------------------------------
\3\ Public Law 104-113 (1996), codified in relevant part at 15
U.S.C. 272(b).
\4\ http://standards.gov/a119.cfm.
\5\ http://www.whitehouse.gov/sites/default/files/omb/memoranda/2012/m-12-08_1.pdf.
---------------------------------------------------------------------------
The goals of the Framework development process will be: (i) To
identify existing cybersecurity standards, guidelines, frameworks, and
best practices that are applicable to increase the security of critical
infrastructure sectors and other interested entities; (ii) to specify
high-priority gaps for which new or revised standards are needed; and
(iii) to collaboratively develop action plans by which these gaps can
be addressed. It is contemplated that the development process will have
requisite stages to allow for continuing engagement with the owners and
operators of critical infrastructure, and other industry, academic, and
government stakeholders.
In December 2011, the United States Government Accountability
Office (GAO) issued a report titled ``CRITICAL INFRASTRUCTURE
PROTECTION: Cybersecurity Guidance Is Available, but More Can Be Done
to Promote Its Use.'' \6\ In its report, GAO found similarities in
cybersecurity guidance across sectors, and recommended
[[Page 13026]]
promoting existing guidance to assist individual entities within a
sector in ``identifying the guidance that is most applicable and
effective in improving their security posture.'' \7\
---------------------------------------------------------------------------
\6\ http://www.gao.gov/assets/590/587529.pdf.
\7\ Id., at page 46.
---------------------------------------------------------------------------
NIST believes the diversity of business and mission needs
notwithstanding, there are core cybersecurity practices that can be
identified and that will be applicable to a diversity of sectors and a
spectrum of quickly evolving threats. Identifying such core practices
will be a focus of the Framework development process.
In order to be effective in protecting the information and
information systems that are a part of the U.S. critical
infrastructure, NIST believes the Framework should have a number of
general properties or characteristics. The Framework should include
flexible, extensible, scalable, and technology-independent standards,
guidelines, and best practices, that provide:
A consultative process to assess the cybersecurity-related
risks to organizational missions and business functions;
A menu of management, operational, and technical security
controls, including policies and processes, available to address a
range of threats and protect privacy and civil liberties;
A consultative process to identify the security controls
that would adequately address risks \8\ that have been assessed and to
protect data and information being processed, stored, and transmitted
by organizational information systems;
---------------------------------------------------------------------------
\8\ Organizational risk responses can include, for example, risk
acceptance, risk rejection, risk mitigation, risk sharing, or risk
transfer.
---------------------------------------------------------------------------
Metrics, methods, and procedures that can be used to
assess and monitor, on an ongoing or continuous basis, the
effectiveness of security controls that are selected and deployed in
organizational information systems and environments in which those
systems operate and available processes that can be used to facilitate
continuous improvement in such controls; \9\
---------------------------------------------------------------------------
\9\ Assessments determine whether the security controls selected
by an organization are implemented correctly, operating as intended,
and producing the desired results in order to enforce organizational
security policies.
---------------------------------------------------------------------------
A comprehensive risk management approach that provides the
ability to assess, respond to, and monitor information security-related
risks and provide senior leaders/executives with the kinds of necessary
information sets that help them to make ongoing risk-based decisions;
A menu of privacy controls necessary to protect privacy
and civil liberties.
Within eight months, the Executive Order requires NIST to publish
for additional comment a draft Framework that clearly outlines areas of
focus and provides preliminary lists of standards, guidelines and best
practices that fall within that outline. The draft will also include
initial conclusions for additional public comment. The draft Framework
will build on NIST's ongoing work with cybersecurity standards and
guidelines for the Smart Grid, Identity Management, Federal Information
Security Management Act (FISMA) implementation, the Electricity
Subsector Cybersecurity Capability Maturity Model, and related
projects.
NIST intends to engage with critical infrastructure stakeholders,
through a voluntary consensus-based process, to develop the standards,
guidelines and best practices that will comprise the Framework. This
will include interactive workshops with industry and academia, along
with other forms of outreach. NIST believes that the Framework cannot
be static, but must be a living document that allows for ongoing
consultation in order to address constantly evolving risks to critical
infrastructure cybersecurity. A voluntary consensus standards-based
approach will facilitate the ability of critical infrastructure owners
and operators to manage such risks, and to implement alternate
solutions from the bottom up with interoperability, scalability, and
reliability as key attributes.
A standards-based Framework will also help provide some of the
measures necessary to understand the effectiveness of critical
infrastructure protection, and track changes over time. DHS and Sector
Specific Agencies will provide input in this area based on their
engagement with sector stakeholders. This standards-based approach is
necessary in order to be able to provide and analyze data from
different sources that can directly support risk-based decision-making.
A Framework without sufficient standards and associated conformity
assessment programs could impede future innovation in security efforts
for critical infrastructure by potentially creating a false sense of
security.
The use of widely-accepted standards is also necessary to enable
economies of scale and scope to help create competitive markets in
which competition is driven by market need and products that meet that
market need through combinations of price, quality, performance, and
value to consumers. Market competition then promotes faster diffusion
of these technologies and realization of many benefits throughout these
sectors.
It is anticipated that the Framework will: (i) Include
consideration of sustainable approaches for assessing conformity to
identified standards and guidelines; (ii) assist in the selection and
development of an optimal conformity assessment approach; and (iii)
facilitate the implementation of selected approach(es) that could cover
technology varying in scope from individual devices or components to
large-scale organizational operations. The decisions on the type,
independence and technical rigor of these conformity assessment
approaches should be risk-based. The need for confidence in conformity
must be balanced with cost to the public and private sectors, including
their international operations and legal obligations. Successful
conformity assessment programs provide the needed level of confidence,
are efficient and have a sustainable and scalable business case.
This RFI is looking for current adoption rates and related
information for particular standards, guidelines, best practices, and
frameworks to determine applicability throughout the critical
infrastructure sectors. The RFI asks for stakeholders to submit ideas,
based on their experience and mission/business needs, to assist in
prioritizing the work of the Framework, as well as highlighting
relevant performance needs of their respective sectors.
For the purposes of this notice and the Framework, the term
``standards'' and the phrase ``standards setting'' are used in a
generic manner to include both standards development and conformity
assessment development. In addition to critical infrastructure owners
and operators, NIST invites Federal agencies, state, local, territorial
and tribal governments, standard-setting organizations,\10\ other
members of industry, consumers, solution providers, and other
stakeholders to respond.
---------------------------------------------------------------------------
\10\ As used herein, ``standard-setting organizations'' refers
to the wide cross section of organizations that are involved in the
development of standards and specifications, both domestically and
abroad.
---------------------------------------------------------------------------
Request for Comment
The following questions cover the major areas about which NIST
seeks comment. The questions are not intended to limit the topics that
may be addressed. Responses may include any topic believed to have
implications for the development of the Framework
[[Page 13027]]
regardless of whether the topic is included in this document.
While the Framework will be focused on critical infrastructure,
given the broad diversity of sectors that may include parts of critical
infrastructure, the evolving nature of the classification of critical
infrastructure based on risk, and the intention to involve a broad set
of stakeholders in development of the Framework, the RFI will generally
use the broader term ``organizations'' when seeking information.
Comments containing references, studies, research, and other
empirical data that are not widely published should include copies of
the referenced materials. Do not include in comments or otherwise
submit proprietary or confidential information, as all comments
received by the deadline will be made available publically at http://csrc.nist.gov/.
Current Risk Management Practices
NIST solicits information about how organizations assess risk; how
cybersecurity factors into that risk assessment; the current usage of
existing cybersecurity frameworks, standards, and guidelines; and other
management practices related to cybersecurity. In addition, NIST is
interested in understanding whether particular frameworks, standards,
guidelines, and/or best practices are mandated by legal or regulatory
requirements and the challenges organizations perceive in meeting such
requirements. This will assist in NIST's goal of developing a Framework
that includes and identifies common practices across sectors.
1. What do organizations see as the greatest challenges in
improving cybersecurity practices across critical infrastructure?
2. What do organizations see as the greatest challenges in
developing a cross-sector standards-based Framework for critical
infrastructure?
3. Describe your organization's policies and procedures governing
risk generally and cybersecurity risk specifically. How does senior
management communicate and oversee these policies and procedures?
4. Where do organizations locate their cybersecurity risk
management program/office?
5. How do organizations define and assess risk generally and
cybersecurity risk specifically?
6. To what extent is cybersecurity risk incorporated into
organizations' overarching enterprise risk management?
7. What standards, guidelines, best practices, and tools are
organizations using to understand, measure, and manage risk at the
management, operational, and technical levels?
8. What are the current regulatory and regulatory reporting
requirements in the United States (e.g. local, state, national, and
other) for organizations relating to cybersecurity?
9. What organizational critical assets are interdependent upon
other critical physical and information infrastructures, including
telecommunications, energy, financial services, water, and
transportation sectors?
10. What performance goals do organizations adopt to ensure their
ability to provide essential services while managing cybersecurity
risk?
11. If your organization is required to report to more than one
regulatory body, what information does your organization report and
what has been your organization's reporting experience?
12. What role(s) do or should national/international standards and
organizations that develop national/international standards play in
critical infrastructure cybersecurity conformity assessment?
Use of Frameworks, Standards, Guidelines, and Best Practices
As set forth in the Executive Order, the Framework will consist of
standards, guidelines, and/or best practices that promote the
protection of information and information systems supporting
organizational missions and business functions.
NIST seeks comments on the applicability of existing publications
to address cybersecurity needs, including, but not limited to the
documents developed by: international standards organizations; U.S.
Government Agencies and organizations; State regulators or Public
Utility Commissions; Industry and industry associations; other
Governments, and non-profits and other non-government organizations.
NIST is seeking information on the current usage of these existing
approaches throughout industry, the robustness and applicability of
these frameworks and standards, and what would encourage their
increased usage. Please provide information related to the following:
1. What additional approaches already exist?
2. Which of these approaches apply across sectors?
3. Which organizations use these approaches?
4. What, if any, are the limitations of using such approaches?
5. What, if any, modifications could make these approaches more
useful?
6. How do these approaches take into account sector-specific needs?
7. When using an existing framework, should there be a related
sector-specific standards development process or voluntary program?
8. What can the role of sector-specific agencies and related sector
coordinating councils be in developing and promoting the use of these
approaches?
9. What other outreach efforts would be helpful?
Specific Industry Practices
In addition to the approaches above, NIST is interested in
identifying core practices that are broadly applicable across sectors
and throughout industry.
NIST is interested in information on the adoption of the following
practices as they pertain to critical infrastructure components:
Separation of business from operational systems;
Use of encryption and key management;
Identification and authorization of users accessing
systems;
Asset identification and management;
Monitoring and incident detection tools and capabilities;
Incident handling policies and procedures;
Mission/system resiliency practices;
Security engineering practices;
Privacy and civil liberties protection.
1. Are these practices widely used throughout critical
infrastructure and industry?
2. How do these practices relate to existing international
standards and practices?
3. Which of these practices do commenters see as being the most
critical for the secure operation of critical infrastructure?
4. Are some of these practices not applicable for business or
mission needs within particular sectors?
5. Which of these practices pose the most significant
implementation challenge?
6. How are standards or guidelines utilized by organizations in the
implementation of these practices?
7. Do organizations have a methodology in place for the proper
allocation of business resources to invest in, create, and maintain IT
standards?
8. Do organizations have a formal escalation process to address
cybersecurity risks that suddenly increase in severity?
[[Page 13028]]
9. What risks to privacy and civil liberties do commenters perceive
in the application of these practices?
10. What are the international implications of this Framework on
your global business or in policymaking in other countries?
11. How should any risks to privacy and civil liberties be managed?
12. In addition to the practices noted above, are there other core
practices that should be considered for inclusion in the Framework?
Dated: February 21, 2013.
Patrick Gallagher,
Under Secretary of Commerce for Standards and Technology.
[FR Doc. 2013-04413 Filed 2-25-13; 8:45 am]
BILLING CODE 3510-13-P
|
