March 06, 2014
Cybersecurity - framework and voluntary program

Two recent actions by the federal government address concerns about the vulnerability of the nation’s critical infrastructure to cyber attacks.

First, the National Institute of Standards and Technology (NIST) released its Framework for Improving Critical Infrastructure Cybersecurity. Shortly afterward, the Department of Homeland Security (DHS) launched its Critical Infrastructure Cyber Community (C3, pronounced “C cubed”) Voluntary Program. The C3 Program is intended to promote and expedite the use of the framework and, more generally, to urge organizations to manage cybersecurity as part of a hazards approach to enterprise risk management.

The DHS has identified 16 infrastructure sectors as critical—chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.

Executive Order

In 2003, President Obama issued Executive Order 13636:  Improving Critical Infrastructure Cybersecurity, which included a directive to the NIST to develop the framework.  According to the NIST, the framework—labeled Version 1.0 and described as a "living" document—“provides a consensus description of what's needed for a comprehensive cybersecurity program.” 

The framework

The three main elements described in the framework document are the framework core, tiers, and profiles.  The core presents five functions—identify, protect, detect, respond, and recover—that, taken together, allow any organization to understand and shape its cybersecurity program.  The tiers describe the degree to which an organization's cybersecurity risk management meets goals set out in the framework and "range from informal, reactive responses to agile and risk-informed."  The profiles help organizations progress from a current level of cybersecurity sophistication to a target improved state that meets business needs. 

The NIST also released a roadmap document to accompany the framework.  It lays out a path toward future framework versions and ways to identify and address key areas for cybersecurity development, alignment, and collaboration.  It describes NIST’s intention to continue to serve as a convener and coordinator to work with industry and other government agencies to help organizations understand, use, and improve the framework.  This will include leading discussions of models for future governance of the framework, such as potential transfer to a nongovernment organization.

C3 Program

DHS’s C3 voluntary program focuses on three major activities:

  • Supporting use—Assist stakeholders with understanding the use of the framework and other cyber risk management efforts, and support development of general and sector-specific guidance for framework implementation.  The voluntary program will also work with the 16 critical infrastructure sectors to develop sector-specific guidance, as needed, for using the framework.
  • Outreach and communications—The voluntary program will serve as a point of contact and customer relationship manager to assist organizations with framework use and guide interested organizations and sectors to the DHS and other public and private sector resources to support the use of the framework.
  • Feedback—The program encourages feedback from stakeholder organizations about their experiences using program resources to implement the framework.  Feedback about the framework will be shared with the NIST to help guide the development of the next version of the framework and similar efforts.

Framework for Improving Critical Infrastructure Cybersecurity

NIST roadmap

Information on DHS’s C3 voluntary program