On May 11, President Trump signed a long-delayed and much-discussed Executive Order—Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.
A day later, NIST (the National Institute of Standards and Technology) issued draft guidance, "The Cybersecurity Framework: Implementation Guidance for Federal Agencies," outlining cybersecurity best practices for federal agencies. The purpose of the NIST Guidance is to help Federal agencies comply with the new Executive Order by incorporating the Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework), issued by NIST in 2014, into their existing risk management practices and by improving their cybersecurity risk management programs. The Cybersecurity Framework is a set of voluntary guidelines that encourage organizations to use a risk-management model of cybersecurity.
While the NIST Guidance has a much lower profile than the Executive Order, the Guidance gains significance because the Executive Order for the first time requires executive agencies to use the previously voluntary Cybersecurity Framework to manage their agencies' cyber risk. And although the NIST Guidance by its terms applies only to Federal agencies, given the broad acceptance and adoption of the Cybersecurity Framework by a wide range of other public-sector organizations, critical infrastructure operators and private entities and businesses, it seems likely that adoption of the Guidance, once finalized, will reach far beyond the Federal government.
In a world where cyber systems are constantly challenged by more frequent and often more creative and sophisticated attacks, it is vital that agency personnel – from the most senior executives to line staff – manage their assets and cybersecurity risks wisely. To do that well, they need the most capable, up-to-date, and easy-to-use approaches and tools, including a holistic approach to risk management.
EXECUTIVE SUMMARY, DRAFT GUIDANCE
The NIST Guidance provides eight examples, based on experience with the Cybersecurity Framework, demonstrating how Federal agencies can use the Framework to develop, implement and improve their cybersecurity risk management. Among other things, it illustrates how agencies can use the Cybersecurity Framework to vet the cybersecurity of their technology vendors, allocate cybersecurity responsibilities within their organizations and help assess compliance with data privacy laws.
Comments on the Draft Guidance are due by June 30. Thereafter, NIST will add content based on agency implementation, refine the current guidance and identify additional guidance to provide the information that is most helpful to agencies before finalizing the Guidance. NIST also expects to update some of its other guidance documents based on input received on the Guidance.
To achieve the state-of-the-art cybersecurity that the NIST Guidance and the Executive Order recommend, Assured offers engineering-based solutions that are reliable, measurable and dynamic, including TripleHelix℠, the most comprehensive cyber risk assessment system available. TripleHelix℠ offers a roadmap, a CyberScore® and all your required compliance and regulatory reports in a customized Regulatory Compliance Dossier.