Today the Obama Administration is announcing the launch of the Cybersecurity Framework, which is the result of a year-long private-sector led effort to develop a voluntary how-to guide for organizations in the critical infrastructure community to enhance their cybersecurity. The Framework is a key deliverable from the Executive Order on “Improving Critical Infrastructure Cybersecurity” that President Obama announced in the 2013 State of the Union.
Through the development of this Framework, industry and government are strengthening the security and resiliency of critical infrastructure in a model of public-private cooperation. Over the past year, individuals and organizations throughout the country and across the globe have provided their thoughts on the kinds of standards, best practices, and guidelines that would meaningfully improve critical infrastructure cybersecurity. The National Institute of Standards and Technology (NIST) consolidated that input into the voluntary Cybersecurity Framework that we are releasing today.
The Framework gathers existing global standards and practices to help organizations understand, communicate, and manage their cyber risks. For organizations that don’t know where to start, the Framework provides a road map. For organizations with more advanced cybersecurity, the Framework offers a way to better communicate with their CEOs and with suppliers about management of cyber risks. Organizations outside the United States may also wish use the Framework to support their own cybersecurity efforts.
Each of the Framework components (the Framework Core, Profiles, and Tiers) reinforces the connection between business drivers and cybersecurity activities. The Framework also offers guidance regarding privacy and civil liberties considerations that may result from cybersecurity activities.
· The Framework Core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions -- Identify, Protect, Detect, Respond, Recover -- that provide a high-level view of an organization’s management of cyber risks.
· The Profiles can help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources. Companies can use the Profiles to understand their current cybersecurity state, support prioritization, and to measure progress towards a target state.
· The Tiers provide a mechanism for organizations to view their approach and processes for managing cyber risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and its integration into an organization’s overall risk management practices.
Though the adoption of the Framework is voluntary, the Department of Homeland Security (DHS) has established the Critical Infrastructure Cyber Community (C3) Voluntary Program as a public-private partnership to increase awareness and use of the Cybersecurity Framework. The C3 Voluntary Program will connect companies, as well as federal, state, local, tribal, and territorial partners, to DHS and other federal government programs and resources that will assist their efforts in managing their cyber risks. Participants will be able to share lessons learned, get assistance, and learn about free tools and resources that can help them.
Federal executive branch civilian agencies are evaluating how they will use the Framework to enhance the protection of their systems, and State and local governments are also looking at how they can leverage capabilities found in the Framework to assist managing their cybersecurity risk. DHS is developing the Voluntary Program to respond to state and local government needs, and it is examining incentives tailored to these stakeholders.
Statement by the President on the Cybersecurity Framework
Cyber threats pose one the gravest national security dangers that the United States faces. To better defend our nation against this systemic challenge, one year ago I signed an Executive Order directing the Administration to take steps to improve information sharing with the private sector, raise the level of cybersecurity across our critical infrastructure, and enhance privacy and civil liberties.
Since then, the National Institute of Standards and Technology has worked with the private sector to develop a Cybersecurity Framework that highlights best practices and globally recognized standards so that companies across our economy can better manage cyber risk to our critical infrastructure. Today I was pleased to receive the Cybersecurity Framework, which reflects the good work of hundreds of companies, multiple federal agencies, and contributors from around the world. This voluntary Framework is a great example of how the private sector and government can, and should, work together to meet this shared challenge.
While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity. America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property. Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.
I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties. Meanwhile, my Administration will continue to take action, under existing authorities, to protect our nation from this threat.