Читать книгу Cybersecurity Risk Management - Cynthia Brumfield - Страница 12

In the face of growing concerns over the prospect of a devastating cyberattack on US critical infrastructure, President Barack Obama issued on February 12, 2013, Executive Order (EO) 13636 “Improving Critical Infrastructure Cybersecurity.”¹ The EO aimed to create a “partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.” To achieve that objective, the EO mandated that NIST develop within one year “a voluntary risk-based Cybersecurity Framework, a set of industry standards and best practices to help organizations manage cybersecurity risks.”

To hammer out the Framework, NIST hosted five workshops at multiple universities involving thousands of domestic and international private- and government-sector participants. Finally, on February 12, 2014, NIST issued the Framework for Improving Critical Infrastructure Cybersecurity.² The Department of Homeland Security (DHS) currently considers 16 sectors to be critical infrastructure sectors, encompassing information technology, financial services, energy, communications, manufacturing, and many other central services.³ However, NIST hopes that the Framework will be helpful to all organizations and anticipates that its application will extend beyond critical infrastructure.

Underscoring the “living” nature of the Framework, on April 16, 2018, NIST issued an update, Version 1.1.⁴ The updated Framework features several additional subcategories, including an expansive new set of subcategories dealing with Supply Chain Risk, a timely addition as the protection of digital supply chains has taken center stage due to some recent damaging and high-profile supply chain attacks.

In developing the Framework, NIST wanted to ensure maximum flexibility of application. The final document is industry- and technology-neutral. It encompasses hundreds of standards. It is also international in scope.

NIST stresses that the Framework is not intended to replace any organization’s existing cybersecurity program but is a tool to strengthen existing practices. Suppose an organization does not have a cybersecurity risk management program or set of cybersecurity practices in place? In that case, the Framework should serve as a good starting point for developing that program or those practices.