
U.S. Government Releases Proposed Cybersecurity Framework
Posted On November 7, 2013

The Obama administration is taking public comments on a proposed framework for improving cybersecurity in communications and other critical industries. In late October, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its Preliminary Cybersecurity Framework as a significant element of an administration-wide directive to respond to cybersecurity threats. The framework is intended to provide government, businesses, and industries with a common set of cybersecurity standards, references, and best practices for identifying cybersecurity risk, protecting against and detecting attacks, and responding to and recovering from them.

Hacking and other cyberattacks have become so commonplace that it is no longer a matter of if a particular system will be attacked, but when and how often. While some attacks result primarily in inconvenience to customers and expense to system owners, and others result in data breaches and the risk of identity theft, the Obama administration and others have been particularly focused on the cyber-vulnerability of critical infrastructure systems. In February 2013, the administration issued Executive Order 13636 on Improving Critical Infrastructure Cybersecurity, which directed the executive branch to develop a comprehensive public-private action plan toward “network security and resilience” and enhancing the “efficiency and effectiveness of the U.S. government’s work to secure critical infrastructure. …”

Critical infrastructure is defined by the Department of Defense as “systems and assets, whether physical or virtual, [that are] so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” This includes power, water, and communications infrastructures and is no longer limited to traditional physical facilities such as power plants and dams. Given the digital interconnectedness of these physical systems, the concern is that they are at least as vulnerable to a cyberattack as to a physical attack, if not more so.

The proposed framework is just that—a framework of common language and mechanisms for government, business, and industry to use to “1) describe their current cybersecurity posture; 2) describe their target state for cybersecurity; 3) identify and prioritize opportunities … ; 4) assess progress … ; 5) foster communications among internal and external stakeholders.” The framework is meant to work with existing and yet-to-be-developed technologies and within an organization’s existing cybersecurity risk management practices, using the framework to seek improvement and standardization across industries. For organizations without existing cybersecurity risk management practices, the framework is intended to serve as a reference point or set of best practices.

The framework has three major components. The first is the Framework Core, described as a set of cybersecurity activities organized around particular outcomes. The Framework Core starts by outlining five major cybersecurity risk management functions: Identify, Protect, Detect, Respond, and Recover. In the context of cybersecurity, these are fairly self-explanatory. The core then breaks these five functions into categories and subcategories, with informative references to NIST publications, ISO/IEC 27001, and other standards that support each subcategory. This multilevel structure encourages organizations to address cybersecurity at an organizationwide level rather than system by system.

By way of example, an appendix to the framework lists four main categories under the Identify function: understanding and prioritizing the business environment in which the organization operates; managing personnel, devices, systems, data, and other assets; assessing the overall cybersecurity risk to the organization; and developing governance policies, procedures, and processes to inform, understand, and manage that risk. These activities would be addressed at the highest levels of the organization. Within each of these categories are subcategories that would be developed and implemented at multiple levels within the organization. The references help an organization identify standards that can aid its implementation and ensure cross-industry commonality.


George H. Pike is the director of the Pritzker Legal Research Center and a senior lecturer at the Northwestern University School of Law. He teaches legal research, intellectual property, and privacy courses at the School of Law in both the J.D. and Northwestern’s innovative Master of Science in Law program. Prof. Pike is a frequent lecturer on issues of First Amendment, copyright, and Internet law for library and information professionals. He is also a regular columnist and writer for Information Today, publishing a monthly column on legal issues confronting information producers and consumers. Previously, Prof. Pike was director of the Law Library at the University of Pittsburgh School of Law, and held professional positions at the Lewis and Clark Law School and at the University of Idaho School of Law, and was a practicing attorney in Idaho Falls, Idaho. Prof. Pike received his B.A. degree from the College of Idaho, his law degree from the University of Idaho, and his Masters in Library Science from the University of Washington. He is a member of the American and Idaho State Bar Associations, the American Association of Law Libraries, and the American Intellectual Property Lawyers Association.

