NIST, the National Institute of Standards and Technology, held its fifth public workshop last week in Raleigh, North Carolina on the comprehensive cybersecurity framework mandated by a February 2013 executive order.
The framework is designed to improve cybersecurity across the sixteen critical infrastructure sectors and builds up from a core of five functions: Identify, Protect, Detect, Respond and Recover. From there, the framework gets more specific, breaking each function into categories, then subcategories and finally informative references, which are the standards, guidelines and practices common across critical infrastructure sectors that illustrate how to achieve the outcome described in each subcategory.
The preliminary framework defines “critical infrastructure” as:
“systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
A common concern expressed by industry experts about the framework is how much of a challenge it will be for small and medium-sized businesses to implement.
“There are twenty-two categories and ninety-seven subcategories. That’s a lot for small and medium-sized businesses,” said Cox Communications CISO Phil Agcaoili during a panel discussion at the workshop.