National Institute of Standards and Technology Cybersecurity Framework

To help companies and organizations combat escalating cybersecurity threats, the National Institute of Standards and Technology has developed and released a Framework for Improving Critical Infrastructure Cybersecurity. This Framework was developed at the behest of DHS under an Executive Order (13636). The Framework is intended to enhance the security and resilience of critical infrastructure through implementation of “a voluntary risk-based set of industry standards and best practices”. The Framework is supposed to apply to organizations within our critical infrastructure sectors but is also expected to “offer important guidance for other organizations confronting cybersecurity risks”.

It is important that no organization, business or group ignore the Framework, since it is expected that regulators, the courts (lawyers) and Government acquisition groups will use it as a new benchmark against which to measure an organization’s cybersecurity program – notwithstanding its current “Voluntary” label. The Framework offers a risk-based approach to help organizations of any size assess their existing cybersecurity policies and procedures and develop an incident response plan that mitigates the significant legal, financial and reputational risks that follow data breaches.

The Framework brings together a useful set of Federally endorsed cybersecurity practices for private sector security. It establishes an important precedent by defining common security standards – created to help companies and organizations identify security risks, protect themselves against, respond to and recover from common cyber attacks and breaches. It also includes standards and approaches for industrial control systems. The Framework does NOT tell companies and organizations what to do or what tools to buy – it standardizes the questions all CEOs should ask about their companies’ security practices as well as those of their suppliers, partners and customers. It then shows what the answers should look like.