

U.S. Government Releases Proposed Cybersecurity Framework
Posted On November 7, 2013

The next component is a Framework Profile, described as “a tool to enable organizations to establish a roadmap for reducing cybersecurity risk” within broader sector goals, legal and regulatory requirements, and industry best practices. A profile can describe an organization’s current level of cybersecurity, its target level, or both.

The final component consists of four Implementation Tiers that allow an individual organization to identify the “degree of rigor and sophistication in cybersecurity risk management practices” that is most consistent with its current or target profile, organizational goals, and degree of risk. The lowest tier, Partial, presumes less formalized, more ad hoc and reactive cybersecurity risk management. At the next level, Risk-Informed, the organization has approved risk management practices, but their implementation is not integrated into organizationwide processes. The next tier, Risk-Informed and Repeatable, builds on that: the organization has an organizationwide approach to risk that is consistently implemented and updated. At the highest tier, Adaptive, the organization is fully capable of rapidly adapting its cybersecurity practices, both proactively and reactively, to respond to emerging and evolving threats. Organizations would move up and down the tiers depending on their needs, activities, and resources.

The original executive order also required cybersecurity responses to “incorporate strong privacy and civil liberties protections.” The framework responds to that concern with an extensive chart of specific methodologies that will aid organizations in respecting privacy and civil liberties as they implement or upgrade their cybersecurity risk management programs. The chart is based on a voluntary set of fair information practice principles that have been in place for a number of years, and it maps to the Framework Core’s functions and categories. At each step of cybersecurity risk management implementation, it provides methodologies for identifying and addressing personally identifiable information and the organization’s constitutional, legal, and contractual requirements for protecting or securing that information.

The goal of the framework is to provide a basis for common approaches to managing cybersecurity risk across organizations and industries. If adopted, the framework may become mandatory for federal government agencies. Within the private sector, the government is expected to encourage and provide incentives for implementation. Organizations that extensively interact with government agencies that adopt the framework, as well as organizations identified by the Department of Homeland Security as “high risk,” will very likely be expected to implement it.

NIST is seeking public comments on the proposed framework. The comment period runs through mid-December 2013. Following the comment period, NIST expects to review the comments and, if appropriate, make changes in the framework. NIST hopes to release the final Cybersecurity Framework in February 2014.


George H. Pike is the director of the Pritzker Legal Research Center and a senior lecturer at the Northwestern University School of Law. He teaches legal research, intellectual property, and privacy courses at the School of Law in both the J.D. and Northwestern’s innovative Master of Science in Law program. Prof. Pike is a frequent lecturer on issues of First Amendment, copyright, and Internet law for library and information professionals. He is also a regular columnist and writer for Information Today, publishing a monthly column on legal issues confronting information producers and consumers. Previously, Prof. Pike was director of the Law Library at the University of Pittsburgh School of Law, and held professional positions at the Lewis and Clark Law School and at the University of Idaho School of Law, and was a practicing attorney in Idaho Falls, Idaho. Prof. Pike received his B.A. degree from the College of Idaho, his law degree from the University of Idaho, and his Masters in Library Science from the University of Washington. He is a member of the American and Idaho State Bar Associations, the American Association of Law Libraries, and the American Intellectual Property Lawyers Association.


