Seeking Comments on the Preliminary Cybersecurity Framework

America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.

That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks. 

- President Obama, February 12, 2013

U.S. national and economic security depends on the reliable functioning of critical infrastructure. In recognition of that dependence, President Obama issued an executive order in February 2013 to increase our critical infrastructure’s capabilities to manage cyber risk; the order focuses on information sharing, privacy, and the adoption of cybersecurity practices. In support of this goal, the order directed the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) to convene industry and other stakeholders to develop a voluntary framework for reducing cyber risks.

Today we are pleased to announce the start of the 45-day public comment period for the Preliminary Cybersecurity Framework. This announcement represents an important milestone in this collaborative effort to develop the framework, and the feedback received during this period will inform the final version.

Already over the past eight months, individuals and organizations throughout the country have provided their thoughts on the standards, best practices, and guidelines that would meaningfully improve critical infrastructure cybersecurity. Some have already begun leveraging drafts of the framework to communicate with their executives and have provided feedback from their experience. Once implemented, the framework would provide businesses, their suppliers, their customers, and government agencies a common language and methodology for determining how they can best protect themselves. 

The framework aligns practices from existing standards and guidelines by organizing desired cybersecurity outcomes into functions that aid in communications, align with existing methodologies for incident management, and can be used to help show the impact of investments in cybersecurity. Organizations can use the framework to describe their current cybersecurity posture, as well as their target state for cybersecurity. It can also help companies identify and prioritize opportunities for improvement and assess progress toward their goals.

Thanks to the tremendous amount of input received, we believe the Preliminary Framework provides a flexible, dynamic approach to securing critical infrastructure services by strengthening capabilities to manage cyber risks. While this represents a big step in our efforts to better protect critical infrastructure from cybersecurity threats, there’s still much work to do. We ask for your continued engagement to support further revisions, and invite you to review and test the Preliminary Framework over the 45-day comment period. Your feedback is critical to helping improve the next version of the framework.  

NIST will hold a workshop to discuss the Preliminary Framework—including its implementation and future governance—Nov. 14 and 15, 2013, at North Carolina State University. Visit http://www.nist.gov/itl/csd/5th-cybersecurity-framework-workshop-november-14-15-2013.cfm for more information and to register.