The US Department of Commerce’s National Institute of Standards and Technology (NIST) has released a draft form of a cyber security framework that is intended to help critical infrastructure owners and operators reduce cyber security risks.
In February, President Obama had directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks for the owners and operators who are from industries such as power generation, transport and telecommunications.
He believed that this would benefit both US national and economic security in the long-term.
NIST has since held workshops throughout the year, engaging with more than 3,000 individuals and organisations on standards and best practices that, it says, could provide businesses, suppliers, customers and government departments with a standardised set of guidelines to protect critical information and IT infrastructure.
The framework, NIST added, will be flexible in that it can match the business needs of private, public, small or large organisations.
The Institute said that the framework would offer a common language and mechanism for organisations to determine their current cyber security state, target improvements while balancing any risks and assessing progress towards their goals.
The focus is on outcomes rather than any particular technology, it claimed, to encourage innovation.
“We want to turn today’s best practices into common practices, and better equip organisations to understand that good cybersecurity risk management is good business,” said NIST director, Patrick Gallagher.
“The framework will be a living document that allows for continuous improvement as technologies and threats evolve. Industry now has the opportunity to create a more secure world by taking ownership of the framework and including cyber risks in overall risk management strategies,” he explained.
The framework will soon be open to a 45-day public comment period, in order to have enough time to make any suggested adjustments before it is made official in February 2014 – as the White House had called for in its executive order.
NIST explained that while the framework is designed for those organisations that deal with critical national infrastructure, it can be applied by all companies from varying industries in order to improve their own cyber resilience.