Kristen LeClere

Why The Cybersecurity Framework was Created


It is widely known that the risks posed by cybersecurity threats are ever increasing. When it comes to critical infrastructure, the effects of cybersecurity threats can be far reaching, impacting the fundamental lifelines of our nation such as water, power, and energy. On February 12, 2013, the President of the United States issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” calling for the development of a voluntary, risk-based Cybersecurity Framework to improve the cybersecurity of the nation's critical infrastructure.



In response to the President’s Executive Order, on February 12, 2014, the National Institute of Standards and Technology (NIST) issued the Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”), based on extensive public input gathered through a series of NIST-hosted workshops. The Framework provides a comprehensive yet flexible approach that can be easily integrated with other recognized risk management frameworks. It is not intended as a “one-size-fits-all” framework; rather, it provides flexible components that an organization can adapt to its own existing cyber risk management program. Organizations with robust cybersecurity programs can easily fold the Framework into their existing practices, while organizations with inconsistent risk management practices or limited resources can use it to take a step in the right direction.



The issuance of the Cybersecurity Framework is truly groundbreaking; it is the first time guidance exists for leveraging industry- and government-recognized cybersecurity standards and best practices to improve cybersecurity posture.


For the first time, the Framework:

- Provides a common vocabulary for communicating cybersecurity risk management at all levels of an organization

- Provides cybersecurity guidance that can apply to organizations of every size (small, medium, and large) as well as international organizations

- Is adaptable to organizational resource constraints, since not all cybersecurity initiatives can be done at once

- Can fold into existing risk management practices and regulations, without creating the additional burden of complying with a new process


Next week’s post will discuss the Framework Core.


My understanding from the Administration's comments at the time of the release of the Cyber Executive Order (Cyber EO) was that the reason for the Cyber EO and the consequent development of the Framework was Congress' inability to pass any cybersecurity legislation for critical infrastructure:

  • Specifically, the Obama Administration backed the failed Senate legislation, the Cybersecurity Act of 2012 (S.3414), on Aug 2, 2012, in an attempt to improve cybersecurity across the 16 identified critical infrastructures.
  • The goal of the Senate S.3414 was to consolidate the oversight and regulation of the private-sector cyberspace of critical infrastructure within the Dept of Homeland Security (DHS), as recommended in the Cyber Policy Review in 2009, but the legislation was rejected because opponents said it would lead to undue government regulation of the private sector. Since then, there has been little expectation that new cybersecurity legislation would be passed (although there has been some recent progress).

  • Hence, the Cyber EO implements the parts of the S.3414 legislation that can be done within the Administration, but it is limited because only legislation can change or create regulatory authority.

  • And, because some cyber infrastructures are not currently regulated, the Cyber EO approach will be voluntary for non-regulated critical infrastructures.

  • Therefore, the Cyber EO differs from S.3414 primarily by seeking a multi-agency regulatory solution - coordinating all agencies with regulatory control over critical infrastructures, rather than a centralized regulatory solution.

The reason this origin of the Framework is important is that the EO required the affected regulatory agencies to report by 8 Jan 2014 on whether or not they have authority to use the Framework and how it can be used. The contents of these agency reports have not been released, but the Administration's comments are that there is consensus that the Framework can be aligned with existing regulatory authority and activities. Because of the broad deployment by the affected regulatory agencies, the Framework is likely to become a new cybersecurity standard for regulated critical infrastructures. Because of the features listed above, it promises to become a standard for non-regulated industries as well.

One comment on the voluntary nature of the Framework: since mid-2013, the Administration has stated that the use of the Framework will be voluntary, but many think the affected regulatory agencies will adopt the Framework as a way to reduce costs in the long run through simplification and standardization of the compliance process.

I look forward to future postings!
