This publication and the abstract below were published by US-CERT in 2015. ICIT strongly encourages you to visit the US-CERT Publication Library to search for additional information security resources, which are freely available.
Commercial Facilities Sector Cybersecurity Framework Implementation Guidance
The National Institute of Standards and Technology (NIST) released the voluntary Framework for Improving Critical Infrastructure Cybersecurity (Framework) in February 2014 to provide a common language that critical infrastructure organizations can use to assess and manage their cybersecurity risk. The Framework enables an organization—regardless of its sector, size, degree of risk, or cybersecurity sophistication—to apply the principles and effective practices of cyber risk management to improve the security and resilience of its critical infrastructure. It recommends an approach that enables organizations to prioritize their cybersecurity decisions based on individual business needs without additional regulatory requirements.
Given the broad nature of the Framework, organizations cannot simply be “compliant” with the Framework or “adopt” it. Organizations have unique cybersecurity risks, including different threats, vulnerabilities, and risk tolerances, all of which affect the benefits they gain from investing in cybersecurity risk management. Rather than adopting the Framework wholesale, organizations must apply its principles, best practices, standards, and guidelines to their specific context and implement practices based on their own needs.