The Obama administration has launched the first version of its cybersecurity framework, a voluntary program designed to help protect critical infrastructure in the country from cyberattacks.
The launch of the cybersecurity framework is the culmination of a year-long effort between government and private sector organizations, which helped to inform a set of best practices and guidelines for organizations with a range of expertise.
After launching the draft cybersecurity guidelines in October 2013, the National Institute of Standards and Technology finalized the document to incorporate feedback from the public.
The framework builds on a presidential directive on cybersecurity announced in February 2013 during the State of the Union address. The plan had two main components: information sharing between the private and public sectors, and a framework developed by NIST, which was launched on Wednesday.
Many have criticized the framework for being too vague, but others argue it is better than nothing as there is no legislation addressing this challenge. Since the framework is voluntary, it will be difficult to measure its effectiveness and adoption among critical infrastructure providers.
The framework is broken down into three components: the Framework Core, a set of activities and references common across critical infrastructure sectors; Profiles, which can help businesses align cybersecurity activities with business requirements and resources; and Tiers, which “provide a mechanism for organizations to view their approach and processes for managing cyber risk.”
While adopting the framework is voluntary, the Department of Homeland Security has established the Critical Infrastructure Cyber Community Voluntary Program to increase adoption of the framework. It is designed to connect companies to DHS and other federal government programs to offer assistance. Last year, the White House discussed how it might incentivize the program to encourage adoption.
There is no doubt that cybersecurity continues to be a pressing issue at the federal level, and this framework had to be delivered in order to address some of the concerns around the escalation of these threats. While participation in the program is voluntary, encouraging awareness around cybersecurity can help organizations of all sizes invest in protecting their infrastructure.
Web hosts and service providers that offer security solutions have the opportunity to fill in the gaps left by the framework, and create their own best practices to share with customers in the private or public sector. Last week, Nominet launched a pilot program to understand if a support and advice service would help SMBs combat cyber threats.