NIST Issues Standards for Critical Infrastructure Cyber Security

On February 12, 2013, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cyber Security,” which called for a set of industry standards and best practices to help organizations manage cyber security risk.  Pursuant to this Order, on February 12, 2014, the National Institute of Standards and Technology (“NIST”) issued the “Framework for Improving Critical Infrastructure Cyber Security.”

Critical infrastructure is defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”  Although compliance is voluntary, good risk management dictates compliance with the Framework.  The Framework focuses on considering cyber security risks as part of an organization’s risk management process.  The Framework also includes a methodology to protect individual privacy and civil liberties when organizations conduct cyber security activities.

The Framework is not intended to be a one-size-fits-all set of standards.  Organizations will implement the standards based upon their industry and their individual risks and vulnerabilities.  The complete Framework is available at:  http://www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm
