Background on the NIST Cybersecurity Framework
On February 13, 2013, the Obama Administration released Executive Order 13636, calling for the development of a voluntary cybersecurity framework by the National Institute of Standards and Technology (NIST) for “critical infrastructure” providers. (Critical infrastructure is defined in the Framework as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on cybersecurity, national economic security, national public health and safety, or any combination of those matters.”)
What is NIST?
NIST is part of the U.S. Department of Commerce and is the federal technology agency that works with industry to develop and apply technology, measurements, and standards.
What is the Core Framework?
The NIST Cybersecurity Framework seeks to protect the systems and assets most crucial to the safety of our country and ensure that all critical sectors uphold a certain level of cybersecurity.
- It provides stakeholders with a risk-based approach for determining their current cybersecurity readiness, in accordance with the specific needs and characteristics of each business sector.
- It is a summary of processes and best practices that provides critical infrastructure providers with standard criteria for assessing the risks and liabilities posed by cyber threats.
- Risks are organized around five core activities that a company’s management and IT security teams must routinely perform when dealing with security risks: identify, protect, detect, respond, and recover.
Who Does the Framework Apply To?
As defined by the Department of Homeland Security, “critical infrastructure” sectors include financial services, communications, critical manufacturing, the defense industrial base, energy, emergency services, food and agriculture, healthcare, information technology, utilities, and transportation systems. Compliance with the Framework is voluntary.
How Is The Financial Services Sector Affected by the Framework?
Financial institutions are subject to rigorous and comprehensive cybersecurity regulations and supervisory guidance, and they are regularly examined by federal and state authorities. These include the Gramm-Leach-Bliley Act of 1999 (including the “Interagency Guidelines Establishing Information Security Standards” regulation), the Fair Credit Reporting Act, and the Right to Financial Privacy Act, as well as extensive regulations and supervisory guidance from the Federal Financial Institutions Examination Council addressing information security, vendor management, and business continuity risks. The Framework leverages the existing standards of the financial services sector and uses the current requirements as a model for other sectors. The Framework is consistent with these existing requirements, but the Administration has asked the independent federal financial regulatory agencies to “align” and “harmonize” with the NIST Framework, so we may see some adjustments to these requirements from the federal financial regulators at some point.
Author John Carlson is an Executive Vice President of BITS, FSR’s Technology Policy Division.
John’s blog was originally posted by the Financial Services Roundtable and was reposted with permission. To read the original article in its entirety, click here.