Delayed by the recent government shutdown, the release opens a 45-day period during which the National Institute of Standards and Technology (NIST) will accept public comments on the framework, with plans to release the official guidance in February 2014.
The expected final release will come approximately one year after President Barack H. Obama ordered the NIST Cybersecurity Framework as part of Executive Order 13636, which tasked the non-regulatory agency to work with the critical infrastructure community and stakeholders to create, according to the order, "a prioritized, flexible, repeatable, performance-based and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess and manage cyber risk."
The framework is meant to help harden critical infrastructure organizations against the cybersecurity threats that are increasingly affecting national and economic security. NIST noted that the framework is intended to complement, not replace, whatever security and risk management programs organizations already have in place.
NIST said it worked with more than 3,000 individuals and organizations to form its recommendations, which can be implemented at any company interested in improving its security posture. There is no obligation on the part of U.S. businesses to adopt the practices outlined in the framework.
"We encourage organizations to begin reviewing and testing the preliminary framework to better inform the version we plan to release in February," said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher, in a press release.
As for the recommendations actually outlined in the framework, many are nonspecific and deal with the general concepts of understanding and managing risk, a choice that was seemingly made to encourage organizations to adopt security best practices that remain adaptable within specific contexts, rather than following a specific set of rules. In the framework, NIST attempted to provide "common language" for organizations so they can, among other things, detail their security posture, identify opportunities to improve their security state, and foster communications with internal and external stakeholders.
Gallagher emphasized that framework is meant to help organizations manage risk, rather than eliminate risk completely. "There is not a magic bullet here," he noted.
The NIST Cybersecurity Framework detailed four implementation "tiers" that serve as a measuring stick for the general state of an organization's cybersecurity risk management program. Tier 1 described businesses that have "limited awareness of cybersecurity risk at the organizational level," and that implement security policies on an "irregular, case-by-case basis due to varied experience or information gained from outside sources." At the opposite end of the spectrum, a Tier 4 organization "adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous cybersecurity activities" and includes security as "part of the organizational culture."
NIST plans to host a workshop on Nov. 14th and 15th at North Carolina State University to discuss the preliminary Cybersecurity Framework and topics such as implementation, research and development, framework ecosystem development, and considerations for small- and medium-sized businesses.