A few weeks ago, the White House announced the launch of the Cybersecurity Framework, a year-long effort to develop a “how-to” guide for critical infrastructure organizations to enhance their cybersecurity. Critical infrastructure refers to the 16 industries and services necessary to keep the country running, and includes the energy grid and the financial sector. The framework
The Cybersecurity Framework also helps organizations at all levels of maturity to understand, communicate, and manage their cyber risks. For beginners, or organizations that don’t know where to start, the Framework provides a road map. More advanced organizations will find that the Framework “offers a way to better communicate with their CEOs and with suppliers about management of cyber risks.” And as expected, the Framework is based on the work of the Department of Commerce’s National Institute of Standards and Technology (NIST). NIST has also emphasized that the Framework “complements, and does not replace, an organization’s risk management process and cybersecurity program.”
In overview, the Framework provides a common taxonomy and mechanism for organizations to:
- Describe their current cybersecurity posture
- Describe their target state for cybersecurity
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
- Assess progress toward the target state
- Communicate among internal and external stakeholders about cybersecurity risk.
Rsam has been assisting organizations and government agencies with NIST-based risk management programs to help them protect key assets for quite some time. And although the Framework is voluntary, from our experience working with organizations across this spectrum, we’ve found NIST-based programs to be a solid core foundation for a risk-based approach to security operations.
We applaud the White House’s endorsement of a continuous monitoring methodology and the ongoing evolution of frameworks to ensure the security of critical operations, and we advocate communication with suppliers as a key process component. Communication is an increasingly common theme across all industries; when your data is shared or your operations depend on partners, your responsibility for monitoring critical infrastructure protection extends beyond your own organization.