Cybersecurity Framework Now At Discussion Draft Stage

By David Bruggeman
September 16, 2013

While cybersecurity legislation slowly inches forward in Congress, the National Institute of Standards and Technology (NIST) is moving faster in implementing its responsibilities under the recent Executive Order on cybersecurity. Last month we noted that NIST circulated a draft outline of the Cybersecurity Framework (H/T Nextgov).

Now there’s a discussion draft of the actual Framework. Developed in time for the latest public workshop on the Framework, the discussion draft is intended to help firms and others involved in critical infrastructure cybersecurity. Besides compiling relevant best practices, standards and guidelines, the Framework provides tools for companies to measure where they stand on cybersecurity and where they need to go.

NIST identified several areas for improvement for future iterations of the Framework:

  • Authentication
  • Automated Indicator Sharing
  • Conformity Assessment
  • Data Analytics
  • International Aspects, Impacts, and Alignment
  • Privacy
  • Supply Chains and Interdependencies

To get the quickest snapshot of how the Framework might work, check out Appendix A, the Framework Core. It describes functions, categories, subcategories, and informative references that NIST sees as cutting across all sectors of critical infrastructure.

The timeline remains unchanged. A final draft is due next February, and a draft with formal comment should be released in the fall.