White House Announces Voluntary Cybersecurity Framework
The Obama administration has released a voluntary framework developed by hundreds of companies, several federal agencies and many international contributors as a how-to cybersecurity guide for organizations in the business of running the nation’s critical infrastructure.
Such assets include facilities for generating and transmitting electricity, producing and distributing oil and gas, and for managing telecommunications, drinking and waste water, agriculture, food production, heating, public health, transportation and financial and security services.
“Cyber threats pose one the gravest national security dangers that the United States faces,” President Barack Obama said yesterday in a statement released by the White House.
The framework is a key deliverable from the president’s Executive Order on Improving Critical Infrastructure Cybersecurity, announced in his 2013 State of the Union address.
“To better defend our nation against this systemic challenge,” he said, “one year ago I signed an executive order directing the administration to take steps to improve information sharing with the private sector, raise the level of cybersecurity across our critical infrastructure, and enhance privacy and civil liberties.”
Scientists and engineers at the National Institute of Standards and Technology have since worked with the private sector to develop a framework that highlights best practices and globally recognized standards for managing cyber risk to critical infrastructure.
“This voluntary framework is a great example of how the private sector and government can and should work together to meet this shared challenge,” the president said.
For organizations that don’t know where to start in improving cybersecurity, the framework provides a roadmap. For those with more advanced cybersecurity capability, it offers a way to better communicate with their chief executives and their suppliers about managing cyber risks, according to a framework fact sheet. International organizations also can use the framework to support their cybersecurity efforts.
The framework has three components — the framework core, profiles and tiers.
The core is a set of cybersecurity activities and references that are common across critical-infrastructure sectors. They cover identifying, protecting, detecting, responding to and recovering from cyber intrusions, and they give an organization a high-level view of its cyber-risk management.
Profiles can help an organization align its cybersecurity activities with business requirements, risk tolerances and resources, and tiers allow an organization to view its approach to and processes for managing cyber risk.
The framework also offers guidance on privacy and civil liberties considerations arising from cybersecurity activities.
The Department of Homeland Security has established the Critical Infrastructure Cyber Community, or C3, Voluntary Program as a public-private partnership to boost framework use.
The program connects companies and federal, state, local, tribal and territorial partners to DHS and other federal government programs and resources for helping manage their cyber risks.
Participants will be able to share lessons learned, get help and learn about free tools and resources.
Obama said he believes the framework marks a turning point but more work must be done to enhance the nation’s cybersecurity.
“America’s economic prosperity, national security and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure and reliable Internet,” the president said.
“Our critical infrastructure continues to be at risk from threats in cyberspace and our economy is harmed by the theft of our intellectual property,” he said, adding that he believes addressing the challenges effectively will ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.
Obama also urged Congress to move forward on cybersecurity legislation that protects the nation and the privacy and civil liberties of U.S. citizens.
- Special Report: The Cyber Domain: Security and Operations
- Cyber Security Framework
- Executive Order on Improving Critical-Infrastructure Cybersecurity
- Critical Infrastructure Cyber Community (C3) Voluntary Program
By Cheryl Pellerin – American Forces Press Service