The National Institute of Standards and Technology (NIST) is continuing its efforts along with the Department of Homeland Security (DHS) under the President’s Executive Order 13636 to develop a Cybersecurity Framework for the private sector, including municipal and private water and wastewater service providers. The Framework will be a set of voluntary cybersecurity standards and practices for business and infrastructure owners and operators and is intended to reduce cyber risks to critical infrastructure.

Since February, when the Executive Order was signed, NIST and DHS have solicited feedback online and through a working group and regional workshops.

NIST says a draft preliminary version will be released for comment by late August. The final framework is due next February.

In testimony before the Senate Commerce Committee in July, NIST Director Patrick Gallagher provided a summary of how NIST is approaching the Framework. According to Gallagher, NIST plans for the preliminary Framework to:

  • Be an adaptable, flexible, and scalable tool for voluntary use,
  • Assist in assessing, measuring, evaluating, and improving an organization’s readiness to deal with cybersecurity risks,
  • Be actionable across an organization,
  • Be prioritized, flexible, repeatable, performance-based, and cost-effective,
  • Rely on standards, guidelines and practices that align with policy, business, and technological approaches to cybersecurity,
  • Complement, rather than conflict with, current regulatory authorities,
  • Promote, rather than constrain, technological innovation in this dynamic arena,
  • Focus on outcomes,
  • Raise awareness and appreciation for the challenges of cybersecurity but also the means for understanding and managing the related risks, and
  • Be built upon international standards and other standards, best practices and guidelines that are used globally.

At the next workshop – on September 11-13 in Richardson, Texas – NIST will present the draft preliminary Framework. (See separate article below.)

Performance Goals

On August 8, DHS released a deliberative draft of the Framework’s performance goals, which can be used by the private sector and the government as a guide for measuring progress toward improved cybersecurity. However, DHS has been careful to note that the Department “has no intention … of directly measuring the extent to which organizations have adopted these goals.” DHS urges users to view the goals as guideposts to encourage movement in a common direction. The draft goals are:

  1. Critical systems and functions are identified and prioritized and cyber risk is understood as part of a risk management plan.
  2. Risk-informed actions are taken to protect critical systems and functions.
  3. Adverse cyber activities are detected and situational awareness of threats is maintained.
  4. Resources are coordinated and applied to triage and respond to cyber events and incidents in order to minimize impacts to critical systems and functions.
  5. Following a cyber incident, impacted critical systems and functions are reconstituted based on prior planning.
  6. Security and resilience are continually improved based on lessons learned consistent with risk management planning.

For more information, visit the Framework website or contact AMWA’s Michael Arceneaux.