NIST Releases Preliminary Cybersecurity Framework; Comment Period to Start Shortly
The Framework's foundational elements and approach remain unchanged from the discussion draft released in August (which we covered previously): the Framework still includes three parts (Framework Core, Framework Profile, and Framework Implementation Tiers), and the subdivisions within the Framework Core still list the various activities that comprise a cybersecurity program (including, at the broadest level, five Functions: Identify, Protect, Detect, Respond, and Recover).
The Preliminary Cybersecurity Framework nonetheless includes several changes from the August discussion draft. Substantial changes include the following:
- Section 1.2, Risk Management and the Cybersecurity Framework, has been substantially rewritten to explain how the Framework uses risk management processes (including an understanding of risk tolerance) to facilitate cybersecurity decision-making.
- Section 2.1, Framework Core, includes an expanded definition for Functions.
- Section 3.1, Basic Overview of Cybersecurity Practices, has been added and provides additional detail on how use of the Framework comports with risk management.
- Section 3.2, Establishing or Improving a Cybersecurity Program, has been revamped and now includes steps for conducting a risk assessment (Step 3) and determining, analyzing, and prioritizing gaps (Step 5).
- Appendix A, Framework Core, includes substantial revisions throughout and includes new subcategories within the following Categories:
  - Business Environment (BE)
  - Governance (GV)
  - Risk Assessment (RA)
  - Risk Management (RM)
  - Information Protection Processes and Procedures (IP)
  - Maintenance (MA) (new category)
  - Detection Processes (DP)
- Appendix B, Methodology to Protect Privacy and Civil Liberties for a Cybersecurity Program, now includes references to other privacy standards/guidelines and adds new substantive content to several Categories (e.g., Risk Management, Information Protection Processes and Procedures, Security Continuous Monitoring, Mitigation).
- Appendix C (formerly Section 4), Areas for Improvement for the Cybersecurity Framework, adds a new subsection on cybersecurity workforce (C.4) and expands on privacy (C.7).
- Appendix E, Glossary, changes several definitions (e.g., Risk, Risk Management) and adds a definition for Personally Identifiable Information.
NIST also announced that it will hold a fifth Cybersecurity Framework Workshop on November 14–15 in Raleigh, NC. Registration is open, but the workshop materials (including the draft agenda) are not yet available on the NIST website.
When finalized, the Cybersecurity Framework is likely to be highly influential within and beyond the United States, and beyond the critical infrastructure industries it is intended primarily to address. Organizations of all types would be advised to consider whether and how their cybersecurity programs align with relevant elements of the emerging Framework, and to provide input as appropriate to inform the final phase of its development.
Paul Otto, an associate in our Washington office, contributed to this entry.