The National Institute of Standards and Technology is circulating a draft of the voluntary standards it is developing for IT security in critical infrastructure. The framework, when fully developed, will outline security functions and standards based on a risk-management approach in five areas, summed up by the adage “Know, Prevent, Detect, Respond, Recover.”
In large part the framework is geared toward helping organizational IT leaders understand how they can prevent cyber attacks or, failing that, find, stop and recover from one.
In February, President Barack Obama signed an executive order directing NIST, under the Department of Commerce, to develop a framework that would let critical infrastructure organizations use common IT security standards — “critical infrastructure” being defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety.”
In the wake of the Department of Veterans Affairs’ apparent hacking by Chinese and other foreign organizations, and after several hospitals lost power during Hurricane Sandy, helping organizations from electricity utilities to health systems improve cybersecurity is a small but significant federal priority.
NIST’s draft standards are still a work in progress, the agency wrote in a document opened to review ahead of workshops being hosted in San Diego later this month.