As part of its development, future planning and engagement on Information Security and Cyber Risk, NIST has produced a Roadmap to the Framework for Improving Critical Infrastructure Cybersecurity. The Roadmap sets out the next steps for the Framework and identifies key areas of development, alignment and collaboration.
Central to these plans is the input and feedback from stakeholders gathered through the Framework development process, particularly on the "Areas for Improvement" section of the Preliminary Framework, which has been moved out of the Framework itself and into the Roadmap.
Since Executive Order 13636 was issued, NIST has had a convening role in developing the Framework, drawing heavily on standards, guidelines and best practices already available to address key cybersecurity needs. As part of this work NIST also relied on organizations and individuals with experience in reducing cybersecurity risk and managing critical infrastructure.
Moving forward, NIST is committed to helping organizations understand and use the Framework. Organizations that are part of the critical infrastructure can use the Framework to better manage and reduce their cybersecurity risks.
NIST intends to conduct a variety of activities to help organizations use the Framework. Industry groups, associations and non-profits can be key vehicles for strengthening awareness of the issues around cybersecurity, and NIST will encourage these organizations to become even more actively engaged in cybersecurity and to promote, and assist in the use of, the Framework as a basic, flexible and adaptable tool for managing and reducing cybersecurity risks.
Developing & Strengthening Private Sector Involvement in Future Governance of the Framework
As NIST continues to support and improve the Framework, it will solicit input on options for long-term governance of the Framework including transitioning responsibility for the Framework to a non-government organization. Any transition must minimize or prevent potential disruption for organizations that are using the Framework.
The ideal transition partner (or partners) would have the capacity to work closely and effectively with international organizations, in light of the importance of aligning cybersecurity standards, guidelines, and practices globally.
This is significant because cyber and information risk is an international issue. While the work of NIST is important, the Framework references globally accepted standards, guidelines and practices, and the organizations that need to act on the risks posed are operating around the world. The NIST Framework can contribute many positives, but it also needs to recognise and adapt to international perspectives, to avoid introducing unnecessary and avoidable complexity and, vitally, to deliver consistency and effectiveness across a range of regulatory and legislative landscapes.
A purely parochial US view in the planning and activity associated with the Framework could impact the efficiency of operations globally. Broad international use of the Framework, by contrast, will serve as a model approach to strengthening critical infrastructure, while discouraging the fragmentation of policies and procedures that ends up hampering interoperability and innovation and limiting the efficient and effective use of resources.
Businesses across the US, the UK and the rest of the world can play a big part in the development of cybersecurity, and the Roadmap makes clear that government and standards bodies cannot do it alone.
CRIF will continue to work with government and standards bodies to highlight the importance of the wider risk management dimensions, including the role insurance can play, and the direct connections to wider business risk, productivity and profits.