The Obama administration is taking public comments on a proposed framework for improving cybersecurity in communications and other critical industries. In late October, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its Preliminary Cybersecurity Framework as a significant element of an administration-wide directive to respond to cybersecurity threats. The framework is intended to provide government, businesses, and industries with a common set of cybersecurity standards, references, and best practices to identify, protect against, detect, respond to, and recover from cybersecurity attacks.

Hacking and other cyberattacks have become so commonplace that it is no longer a matter of whether a particular system will be attacked, but when and how often. While some attacks result primarily in inconvenience to customers and expense to system owners, and others result in data breaches and the risk of identity theft, the Obama administration and others have been particularly focused on the cyber-vulnerability of critical infrastructure systems. In February 2013, the administration issued Executive Order 13636 on Improving Critical Infrastructure Cybersecurity, which directed the executive branch to develop a comprehensive public-private action plan toward “network security and resilience” and enhancing the “efficiency and effectiveness of the U.S. government’s work to secure critical infrastructure. …”
Critical infrastructure is defined in the executive order, which adopts the statutory definition from the USA PATRIOT Act, as “systems and assets, whether physical or virtual, [that are] so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” This includes the power, water, and communications sectors and is no longer limited to traditional physical facilities such as power plants and dams. Given the digital interconnectedness of these physical systems, the concern is that they are at least as vulnerable to a cyberattack as to a physical attack, if not more so.
The proposed framework is just that: a framework of common language and mechanisms for government, business, and industry to use to “1) describe their current cybersecurity posture; 2) describe their target state for cybersecurity; 3) identify and prioritize opportunities … ; 4) assess progress … ; 5) foster communications among internal and external stakeholders.” The framework is designed to work with existing and yet-to-be-developed technologies and within an organization’s existing cybersecurity risk management practices, using the framework to drive improvement and standardization across industries. For organizations without existing cybersecurity risk management practices, the framework is intended to serve as a reference point or set of best practices.
The framework has three major components: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is described as a set of cybersecurity activities organized around particular outcomes. It starts by outlining five major cybersecurity risk management functions: Identify, Protect, Detect, Respond, and Recover. In the context of cybersecurity these are fairly self-explanatory: know what systems, data, and risks the organization has; put safeguards in place; discover events when they occur; act on a detected event; and restore capabilities and services afterward. The core then breaks these five functions into categories and subcategories, with informative references to NIST publications, ISO/IEC 27001, and other standards. This multilevel structure encourages organizations to address cybersecurity at an organizationwide level.
By way of example, an appendix to the framework lists four main categories under the Identify function: understanding and prioritizing the business environment in which the organization operates; managing personnel, devices, systems, data, and other assets; assessing the overall cybersecurity risk to the organization; and developing governance policies, procedures, and processes to inform, understand, and manage that risk. These activities would be addressed at the highest levels of the organization. Within each category are subcategories that would be developed and implemented at multiple levels within the organization. The informative references point the organization to standards that support implementation and promote cross-industry consistency.