National Institute of Standards and Technology: Difference between revisions
Line 24: | Line 24: | ||
==Cybersecurity Framework== | ==Cybersecurity Framework== | ||
===Version 1.0=== | ===Version 1.0=== | ||
====History==== | |||
In February 2013, recognizing the national and economic security of the United States depends on the reliable function of critical infrastructure, President [[Barak Obama]] issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," ordering NIST to work with stakeholders to develop a voluntary framework based on existing standards, guidelines, and practices for reducing cyber-risks to [[Critical Infrastructure]]. On December 18, 2014, the Cybersecurity Enhancement Act of 2014 (CEA) authorized the Department of Commerce, through NIST, to develop voluntary standards to reduce cyber-risks to critical infrastructure.<ref>[https://itlaw.wikia.org/wiki/Cybersecurity_Enhancement_Act_of_2014 CEA, IT Law Wiki]</ref> The law also ordered the Office of Science and Technology Policy to develop a federal cybersecurity research and development plan. Section 502 required the Director of NIST to ensure interagency coordination toward the development of international technical standards for IT security and transmit to Congress a plan. | In February 2013, recognizing the national and economic security of the United States depends on the reliable function of critical infrastructure, President [[Barak Obama]] issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," ordering NIST to work with stakeholders to develop a voluntary framework based on existing standards, guidelines, and practices for reducing cyber-risks to [[Critical Infrastructure]]. On December 18, 2014, the Cybersecurity Enhancement Act of 2014 (CEA) authorized the Department of Commerce, through NIST, to develop voluntary standards to reduce cyber-risks to critical infrastructure.<ref>[https://itlaw.wikia.org/wiki/Cybersecurity_Enhancement_Act_of_2014 CEA, IT Law Wiki]</ref> The law also ordered the Office of Science and Technology Policy to develop a federal cybersecurity research and development plan. Section 502 required the Director of NIST to ensure interagency coordination toward the development of international technical standards for IT security and transmit to Congress a plan. | ||
=====Framework Development===== | |||
February 26, 2013: RFI to Develop a Framework to Improve Critical Infrastructure Cybersecurity - February 12, 2014: Framework 1.0 Publication. | |||
:One year after the release of Executive Order 13636 and following one RFI, five workshops, and one RFC, NIST released version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity.<ref>[https://www.nist.gov/cyberframework/online-learning/history-and-creation-framework History of Framework Creation]</ref> | |||
====Components==== | ====Components==== | ||
[[File:Coreofframework.png|right|Framework Core (Image from NIST)]]The resulting Cybersecurity Framework consists of voluntary standards, guidelines, and practices for promoting critical infrastructure protection. The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles.<ref>[https://www.nist.gov/cyberframework/online-learning/components-framework Framework Components, NIST]</ref> | [[File:Coreofframework.png|right|Framework Core (Image from NIST)]]The resulting Cybersecurity Framework consists of voluntary standards, guidelines, and practices for promoting critical infrastructure protection. The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles.<ref>[https://www.nist.gov/cyberframework/online-learning/components-framework Framework Components, NIST]</ref> | ||
Line 38: | Line 41: | ||
====C3==== | ====C3==== | ||
The Department of Homeland Security's Critical Infrastructure Cyber Community (C3) Voluntary Program helps owners and operators align their organizations with the framework and manage their cyber risks. | The Department of Homeland Security's Critical Infrastructure Cyber Community (C3) Voluntary Program helps owners and operators align their organizations with the framework and manage their cyber risks. | ||
===Version 2.0=== | ===Version 2.0=== | ||