NIST Issues Draft Cybersecurity Framework

October 18, 2013

The National Institute of Standards and Technology (NIST) has developed their voluntary framework for organizations to improve their cybersecurity for the nation’s infrastructure.  The framework is the next step from the White House’s 2013 executive order on agency cybersecurity, which was discussed in a previous blog entry.  While the framework is not universal for all agencies, it provides common language for agencies to:

  • Describe current cybersecurity measures
  • Describe the target state for their cybersecurity
  • Identify and prioritize opportunities for improvement in risk management
  • Assess progress toward the target state
  • Foster communications between internal and external stakeholders

NIST has also stated that the framework does not replace current cybersecurity risk management processes, but can complement or enhance a current framework, or provide a basis for a new one if needed.  Once the framework is finalized for agencies, government contractors can expect the requirements of the framework to be in place for their businesses in order to meet or exceed the requirements of the agencies they do business with.

The proposed draft framework is open for public review and comments here through October 2013 (but is likely to be extended pending resolution of the government shutdown).  The expected finalized framework is early 2014.

Aronson is hosting a webinar on a similar topic regarding government contractors and IT FISMA compliance on November 13, 2013.  If you have any questions regarding these security issues or other compliance related questions, please contact Jeff Cook of Aronson’s IT Audit and Advisory Services Group at 301.231.6220.