This publication and the abstract below were published by NIST on December 5, 2017. ICIT strongly encourages you to visit the NIST Publication Library to search for additional information security resources, which are freely available.

Framework for Improving Critical Infrastructure Cybersecurity

The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and affect revenue. It can harm an organization’s ability to innovate and to gain and maintain customers.

To better address these risks, the Cybersecurity Enhancement Act of 2014 (CEA) statutorily updated the role of the National Institute of Standards and Technology (NIST) to include identifying and developing cybersecurity risk frameworks for voluntary use by critical infrastructure owners and operators. Through CEA, NIST must identify “a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks.” This formalized NIST’s previous work developing Framework version 1.0 under Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” (February 2013), and provided guidance for future Framework evolution. The Framework that was developed under EO 13636, and that continues to evolve according to CEA, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.