The National Institute of Standards and Technology (NIST) today released version 1.0 of the "Framework for Improving Critical Infrastructure Cybersecurity" in compliance with President Barack Obama's February 2013 order directing its development.
The 41-page framework is meant to help operators of critical infrastructure develop comprehensive cybersecurity policies. The Obama Administration described the document as a "how-to" guide for the critical infrastructure community.
"The framework gathers existing global standards and practices to help organizations understand, communicate, and manage their cyber risks," the White House said in a prepared announcement. "For organizations that don’t know where to start, the framework provides a road map. For organizations with more advanced cybersecurity, the framework offers a way to better communicate with their CEOs and with suppliers about management of cyber risks."
The framework got an immediate thumbs up from NASCIO, the organization of state government CIOs. And Virginia Gov. Terry McAuliffe announced that his state will incorporate the NIST framework into the existing Commonwealth risk framework. "Virginia has an award-winning cybersecurity program in place," said McAuliffe in a prepared statement, "but must continue to advance our ability to keep our families and businesses safe and make the commonwealth the national hub for the cybersecurity industry and the jobs that come with it."
NASCIO applauded the framework for being both consensus-based and voluntary, saying it provides states with a common platform and a common language for all levels of government and private-sector partners. A statement released by the organization said that three-quarters of states already base their own cybersecurity efforts on NIST standards and that state CIOs want to continue working with NIST to help create a "state and local government overlay" for the cybersecurity framework that will provide specifics on the federal requirements with which state and local governments must comply.
NASCIO also called for Congress and the Administration to work on reforming the Federal Information Security Management Act of 2002 (FISMA) to focus on goals rather than checklists.