Infrastructure protection

Cybersecurity framework for critical infrastructure: analysis of initial comments

Published 20 May 2013

On 12 February 2013 President Obama issued the “Improving Critical Infrastructure Cybersecurity” executive order, which called for the National Institute of Standards and Technology (NIST) to work with industry to develop a voluntary framework to reduce cybersecurity risks to the nation’s critical infrastructure, which includes power, water, communication, and other critical systems.

The National Institute of Standards and Technology (NIST) has posted an initial analysis of hundreds of comments submitted by industry and the public related to the president’s “Improving Critical Infrastructure Cybersecurity” executive order, issued 12 February 2013. A NIST release reports that NIST is making this initial analysis available as a status update and to help provide background for a workshop later this month to discuss the cybersecurity framework.

The executive order calls for NIST to work with industry to develop a voluntary framework to reduce cybersecurity risks to the nation’s critical infrastructure, which includes power, water, communication, and other critical systems. The first step toward drafting the framework was soliciting information on current risk management policies, existing standards and guidelines, and specific industry practices from stakeholders through a Request for Information (RFI). These comments were due 8 April 2013. NIST received more than 200 responses and posted them publicly (see the 5 March 2013 Tech Beat article, “NIST Solicits Views, Ideas from Stakeholders for Cybersecurity Framework for Critical Infrastructure”).

NIST’s approach to analyzing the input from the RFI, as well as identification of the common cybersecurity framework themes that emerged as a result of the analysis, is described in the paper, Initial Analysis of Cybersecurity Framework RFI Responses. In addition to identifying and describing the common themes, this paper provides questions for stakeholders to consider.

Additional information about the cybersecurity critical infrastructure framework project is available at www.nist.gov/itl/cyberframework.cfm. Information on the 2nd Cybersecurity Framework Workshop, 29-31 May 2013, at Carnegie Mellon University can be found here.