NIST revealing next steps to bolster cyber security
The National Institute of Standards and Technology, which proposed a voluntary cyber security framework for critical U.S. infrastructure last year, plans to issue a report next month on its intended next steps.
Adam Sedgewick, senior information technology policy adviser at the Gaithersburg, Maryland-based agency, said the report will be based on the more than 50 comments it received following a “request for information” it issued in August, as well as on the sixth Cybersecurity Framework workshop it sponsored late last month in Tampa.
The NIST proposal, issued in October 2013, was in response to President Barack Obama's May 2013 executive order, a component of a broader effort to strengthen the cyber security of the nation's infrastructure.
The standards, widely regarded as a good first step, identified five core functions: to identify, protect, detect, respond and recover from cyber risks and breaches.
Among the themes that have emerged from the comments and workshop, Mr. Sedgewick said, is, “we're doing pretty well with awareness” of cyber security risks, but “there's a need for some targeted work around small and medium businesses, and also a need to get outside critical infrastructure expertise and try to get to other business leaders who may not be aware of cyber security.”
Mr. Sedgewick said sectors “that have existing processes already in place have been quicker to adopt the framework.” These include the electric utility, telecommunications and financial sectors. “Those sectors are very well organized and have done the most initial work,” he said.
Meanwhile, the agency earlier this month issued a draft “Guide to Cyber Threat Information Sharing” intended to give organizations the key practices they need to consider when planning, implementing and maintaining information-sharing relationships, the agency said. NIST is asking for comments on the draft by Nov. 28.