[Federal Register Volume 78, Number 38 (Tuesday, February 26, 2013)]
[Pages 13024-13028]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-04413]



National Institute of Standards and Technology

[Docket Number 130208119-3119-01]

Developing a Framework To Improve Critical Infrastructure 

AGENCY: National Institute of Standards and Technology, U.S. Department 
of Commerce.

ACTION: Notice; Request for Information (RFI).


SUMMARY: The National Institute of Standards and Technology (NIST) is 
conducting a comprehensive review to develop a framework to reduce 
cyber risks to critical infrastructure \1\ (the ``Cybersecurity 
Framework'' or ``Framework''). The Framework will consist of standards, 
methodologies, procedures, and processes that align policy, business, 
and technological approaches to address cyber risks.

    \1\ For the purposes of this RFI the term ``critical 
infrastructure'' has the meaning given the term in 42 U.S.C. 
5195c(e), ``systems and assets, whether physical or virtual, so 
vital to the United States that the incapacity or destruction of 
such systems and assets would have a debilitating impact on 
security, national economic security, national public health or 
safety, or any combination of those matters.''

    This RFI requests information to help identify, refine, and guide 
the many interrelated considerations, challenges, and efforts needed to 
develop the Framework. In developing the Cybersecurity Framework, NIST 
will consult with the Secretary of Homeland Security, the National 
Security Agency, Sector-Specific Agencies and other interested agencies 
including the Office of Management and Budget, owners and operators of 
critical infrastructure, and other stakeholders including other 
relevant agencies, independent regulatory agencies, State, local, 
territorial and tribal governments. The Framework will be developed 
through an open public review and comment process that will include 
workshops and other opportunities to provide input.

DATES: Comments must be received by 5:00 p.m. Eastern time on Monday, 
April 8, 2013.

ADDRESSES: Written comments may be submitted by mail to Diane 
Honeycutt, National Institute of Standards and Technology, 100 Bureau 
Drive, Stop 8930, Gaithersburg, MD 20899. Submissions may be in any of 
the following formats: HTML, ASCII, Word, RTF, or PDF. Online 
submissions in electronic form may be sent to [email protected]. 
Please submit comments only and include your name, company name (if 
any), and cite

[[Page 13025]]

``Developing a Framework to Improve Critical Infrastructure 
Cybersecurity'' in all correspondence. All comments received by the 
deadline will be posted at http://csrc.nist.gov without change or 
redaction, so commenters should not include information they do not 
wish to be posted (e.g., personal or confidential business 

FOR FURTHER INFORMATION CONTACT: For questions about this RFI contact: 
Adam Sedgewick, U.S. Department of Commerce, 1401 Constitution Avenue 
NW., Washington, DC 20230, telephone (202) 482-0788, email 
[email protected]. Please direct media inquiries to NIST's Office 
of Public Affairs at (301) 975-NIST.

SUPPLEMENTARY INFORMATION: The national and economic security of the 
United States depends on the reliable functioning of critical 
infrastructure, which has become increasingly dependent on information 
technology. Recent trends demonstrate the need for improved 
capabilities for defending against malicious cyber activity. Such 
activity is increasing and its consequences can range from theft 
through disruption to destruction. Steps must be taken to enhance 
existing efforts to increase the protection and resilience of this 
infrastructure, while maintaining a cyber environment that encourages 
efficiency, innovation, and economic prosperity, while protecting 
privacy and civil liberties.
    Under Executive Order 13636 \2\ (``Executive Order''), the 
Secretary of Commerce is tasked to direct the Director of NIST to 
develop a framework for reducing cyber risks to critical infrastructure 
(the ``Cybersecurity Framework'' or ``Framework''). The Framework will 
consist of standards, methodologies, procedures and processes that 
align policy, business, and technological approaches to address cyber 
risks. The Department of Homeland Security, in coordination with 
sector-specific agencies, will then establish a voluntary program to 
support the adoption of the Cybersecurity Framework by owners and 
operators of critical infrastructure and any other interested entities.

    \2\ ``Executive Order 13636--Improving Critical Infrastructure 
Cybersecurity'' 78 FR 11739 (February 19, 2013).

    Given the diversity of sectors in critical infrastructure, the 
Framework development process is designed to initially identify cross-
sector security standards and guidelines that are immediately 
applicable or likely to be applicable to critical infrastructure, to 
increase visibility and adoption of those standards and guidelines, and 
to find potential gaps (i.e., where standards/guidelines are 
nonexistent or where existing standards/guidelines are inadequate) that 
need to be addressed through collaboration with industry and industry-
led standards bodies. The Framework will incorporate voluntary 
consensus standards and industry best practices to the fullest extent 
possible and will be consistent with voluntary international consensus-
based standards when such international standards will advance the 
objectives of the Executive Order. The Framework would be designed to 
be compatible with existing regulatory authorities and regulations.
    The Cybersecurity Framework will provide a prioritized, flexible, 
repeatable, performance-based, and cost-effective approach, including 
information security measures and controls to help owners and operators 
of critical infrastructure and other interested entities to identify, 
assess, and manage cybersecurity-related risk while protecting business 
confidentiality, individual privacy and civil liberties. To enable 
technical innovation and account for organizational differences, the 
Cybersecurity Framework will not prescribe particular technological 
solutions or specifications. It will include guidance for measuring the 
performance of an entity in implementing the Cybersecurity Framework 
and will include methodologies to identify and mitigate impacts of the 
Framework and associated information security measures and controls on 
business confidentiality and to protect individual privacy and civil 
    As a non-regulatory Federal agency, NIST will develop the Framework 
in a manner that is consistent with its mission to promote U.S. 
innovation and industrial competitiveness through the development of 
standards and guidelines in consultation with stakeholders in both 
government and industry. While the focus will be on the Nation's 
critical infrastructure, the Framework will be developed in a manner to 
promote wide adoption of practices to increase cybersecurity across all 
sectors and industry types. In its first year, the emphasis will be on 
finding commonality within and across the affected sectors. It will 
seek to provide owners and operators the ability to implement security 
practices in the most effective manner while allowing organizations to 
express requirements to multiple authorities and regulators. Issues 
relating to harmonization of existing relevant standards and 
integration with existing frameworks will also be considered in this 
initial stage.
    In accordance with the Executive Order, the Secretary of Commerce 
has directed the Director of the National Institute of Standards and 
Technology (the Director) to coordinate the development of a Framework 
to reduce the cyber risks to critical infrastructure. The Cybersecurity 
Framework will incorporate existing consensus-based standards to the 
fullest extent possible, consistent with requirements of the National 
Technology Transfer and Advancement Act of 1995,\3\ and guidance 
provided by Office of Management and Budget Circular A-119, ``Federal 
Participation in the Development and Use of Voluntary Consensus 
Standards and in Conformity Assessment Activities.'' \4\ Principles 
articulated in the Executive Office of the President memorandum M-12-08 
``Principles for Federal Engagement in Standards Activities to Address 
National Priorities'' \5\ will be followed. The Framework should also 
be consistent with, and support the broad policy goals of, the 
Administration's 2010 ``National Security Strategy,'' 2011 ``Cyberspace 
Policy Review,'' ``International Strategy for Cyberspace'' of May 2010 
and HSPD-7 ``Critical Infrastructure Identification, Prioritization, 
and Protection.''

    \3\ Public Law 104-113 (1996), codified in relevant part at 15 
U.S.C. 272(b).
    \4\ http://standards.gov/a119.cfm.
    \5\ http://www.whitehouse.gov/sites/default/files/omb/memoranda/2012/m-12-08_1.pdf.

    The goals of the Framework development process will be: (i) To 
identify existing cybersecurity standards, guidelines, frameworks, and 
best practices that are applicable to increase the security of critical 
infrastructure sectors and other interested entities; (ii) to specify 
high-priority gaps for which new or revised standards are needed; and 
(iii) to collaboratively develop action plans by which these gaps can 
be addressed. It is contemplated that the development process will have 
requisite stages to allow for continuing engagement with the owners and 
operators of critical infrastructure, and other industry, academic, and 
government stakeholders.
    In December 2011, the United States Government Accountability 
Office (GAO) issued a report titled ``CRITICAL INFRASTRUCTURE 
PROTECTION: Cybersecurity Guidance Is Available, but More Can Be Done 
to Promote Its Use.'' \6\ In its report, GAO found similarities in 
cybersecurity guidance across sectors, and recommended

[[Page 13026]]

promoting existing guidance to assist individual entities within a 
sector in ``identifying the guidance that is most applicable and 
effective in improving their security posture.'' \7\

    \6\ http://www.gao.gov/assets/590/587529.pdf.
    \7\ Id., at page 46.

    NIST believes the diversity of business and mission needs 
notwithstanding, there are core cybersecurity practices that can be 
identified and that will be applicable to a diversity of sectors and a 
spectrum of quickly evolving threats. Identifying such core practices 
will be a focus of the Framework development process.
    In order to be effective in protecting the information and 
information systems that are a part of the U.S. critical 
infrastructure, NIST believes the Framework should have a number of 
general properties or characteristics. The Framework should include 
flexible, extensible, scalable, and technology-independent standards, 
guidelines, and best practices, that provide:
     A consultative process to assess the cybersecurity-related 
risks to organizational missions and business functions;
     A menu of management, operational, and technical security 
controls, including policies and processes, available to address a 
range of threats and protect privacy and civil liberties;
     A consultative process to identify the security controls 
that would adequately address risks \8\ that have been assessed and to 
protect data and information being processed, stored, and transmitted 
by organizational information systems;

    \8\ Organizational risk responses can include, for example, risk 
acceptance, risk rejection, risk mitigation, risk sharing, or risk 

     Metrics, methods, and procedures that can be used to 
assess and monitor, on an ongoing or continuous basis, the 
effectiveness of security controls that are selected and deployed in 
organizational information systems and environments in which those 
systems operate and available processes that can be used to facilitate 
continuous improvement in such controls; \9\

    \9\ Assessments determine whether the security controls selected 
by an organization are implemented correctly, operating as intended, 
and producing the desired results in order to enforce organizational 
security policies.

     A comprehensive risk management approach that provides the 
ability to assess, respond to, and monitor information security-related 
risks and provide senior leaders/executives with the kinds of necessary 
information sets that help them to make ongoing risk-based decisions;
     A menu of privacy controls necessary to protect privacy 
and civil liberties.
    Within eight months, the Executive Order requires NIST to publish 
for additional comment a draft Framework that clearly outlines areas of 
focus and provides preliminary lists of standards, guidelines and best 
practices that fall within that outline. The draft will also include 
initial conclusions for additional public comment. The draft Framework 
will build on NIST's ongoing work with cybersecurity standards and 
guidelines for the Smart Grid, Identity Management, Federal Information 
Security Management Act (FISMA) implementation, the Electricity 
Subsector Cybersecurity Capability Maturity Model, and related 
    NIST intends to engage with critical infrastructure stakeholders, 
through a voluntary consensus-based process, to develop the standards, 
guidelines and best practices that will comprise the Framework. This 
will include interactive workshops with industry and academia, along 
with other forms of outreach. NIST believes that the Framework cannot 
be static, but must be a living document that allows for ongoing 
consultation in order to address constantly evolving risks to critical 
infrastructure cybersecurity. A voluntary consensus standards-based 
approach will facilitate the ability of critical infrastructure owners 
and operators to manage such risks, and to implement alternate 
solutions from the bottom up with interoperability, scalability, and 
reliability as key attributes.
    A standards-based Framework will also help provide some of the 
measures necessary to understand the effectiveness of critical 
infrastructure protection, and track changes over time. DHS and Sector 
Specific Agencies will provide input in this area based on their 
engagement with sector stakeholders. This standards-based approach is 
necessary in order to be able to provide and analyze data from 
different sources that can directly support risk-based decision-making. 
A Framework without sufficient standards and associated conformity 
assessment programs could impede future innovation in security efforts 
for critical infrastructure by potentially creating a false sense of 
    The use of widely-accepted standards is also necessary to enable 
economies of scale and scope to help create competitive markets in 
which competition is driven by market need and products that meet that 
market need through combinations of price, quality, performance, and 
value to consumers. Market competition then promotes faster diffusion 
of these technologies and realization of many benefits throughout these 
    It is anticipated that the Framework will: (i) Include 
consideration of sustainable approaches for assessing conformity to 
identified standards and guidelines; (ii) assist in the selection and 
development of an optimal conformity assessment approach; and (iii) 
facilitate the implementation of selected approach(es) that could cover 
technology varying in scope from individual devices or components to 
large-scale organizational operations. The decisions on the type, 
independence and technical rigor of these conformity assessment 
approaches should be risk-based. The need for confidence in conformity 
must be balanced with cost to the public and private sectors, including 
their international operations and legal obligations. Successful 
conformity assessment programs provide the needed level of confidence, 
are efficient and have a sustainable and scalable business case.
    This RFI is looking for current adoption rates and related 
information for particular standards, guidelines, best practices, and 
frameworks to determine applicability throughout the critical 
infrastructure sectors. The RFI asks for stakeholders to submit ideas, 
based on their experience and mission/business needs, to assist in 
prioritizing the work of the Framework, as well as highlighting 
relevant performance needs of their respective sectors.
    For the purposes of this notice and the Framework, the term 
``standards'' and the phrase ``standards setting'' are used in a 
generic manner to include both standards development and conformity 
assessment development. In addition to critical infrastructure owners 
and operators, NIST invites Federal agencies, state, local, territorial 
and tribal governments, standard-setting organizations,\10\ other 
members of industry, consumers, solution providers, and other 
stakeholders to respond.

    \10\ As used herein, ``standard-setting organizations'' refers 
to the wide cross section of organizations that are involved in the 
development of standards and specifications, both domestically and 

Request for Comment

    The following questions cover the major areas about which NIST 
seeks comment. The questions are not intended to limit the topics that 
may be addressed. Responses may include any topic believed to have 
implications for the development of the Framework

[[Page 13027]]

regardless of whether the topic is included in this document.
    While the Framework will be focused on critical infrastructure, 
given the broad diversity of sectors that may include parts of critical 
infrastructure, the evolving nature of the classification of critical 
infrastructure based on risk, and the intention to involve a broad set 
of stakeholders in development of the Framework, the RFI will generally 
use the broader term ``organizations'' when seeking information.
    Comments containing references, studies, research, and other 
empirical data that are not widely published should include copies of 
the referenced materials. Do not include in comments or otherwise 
submit proprietary or confidential information, as all comments 
received by the deadline will be made available publically at http://csrc.nist.gov/.

Current Risk Management Practices

    NIST solicits information about how organizations assess risk; how 
cybersecurity factors into that risk assessment; the current usage of 
existing cybersecurity frameworks, standards, and guidelines; and other 
management practices related to cybersecurity. In addition, NIST is 
interested in understanding whether particular frameworks, standards, 
guidelines, and/or best practices are mandated by legal or regulatory 
requirements and the challenges organizations perceive in meeting such 
requirements. This will assist in NIST's goal of developing a Framework 
that includes and identifies common practices across sectors.
    1. What do organizations see as the greatest challenges in 
improving cybersecurity practices across critical infrastructure?
    2. What do organizations see as the greatest challenges in 
developing a cross-sector standards-based Framework for critical 
    3. Describe your organization's policies and procedures governing 
risk generally and cybersecurity risk specifically. How does senior 
management communicate and oversee these policies and procedures?
    4. Where do organizations locate their cybersecurity risk 
management program/office?
    5. How do organizations define and assess risk generally and 
cybersecurity risk specifically?
    6. To what extent is cybersecurity risk incorporated into 
organizations' overarching enterprise risk management?
    7. What standards, guidelines, best practices, and tools are 
organizations using to understand, measure, and manage risk at the 
management, operational, and technical levels?
    8. What are the current regulatory and regulatory reporting 
requirements in the United States (e.g. local, state, national, and 
other) for organizations relating to cybersecurity?
    9. What organizational critical assets are interdependent upon 
other critical physical and information infrastructures, including 
telecommunications, energy, financial services, water, and 
transportation sectors?
    10. What performance goals do organizations adopt to ensure their 
ability to provide essential services while managing cybersecurity 
    11. If your organization is required to report to more than one 
regulatory body, what information does your organization report and 
what has been your organization's reporting experience?
    12. What role(s) do or should national/international standards and 
organizations that develop national/international standards play in 
critical infrastructure cybersecurity conformity assessment?

Use of Frameworks, Standards, Guidelines, and Best Practices

    As set forth in the Executive Order, the Framework will consist of 
standards, guidelines, and/or best practices that promote the 
protection of information and information systems supporting 
organizational missions and business functions.
    NIST seeks comments on the applicability of existing publications 
to address cybersecurity needs, including, but not limited to the 
documents developed by: international standards organizations; U.S. 
Government Agencies and organizations; State regulators or Public 
Utility Commissions; Industry and industry associations; other 
Governments, and non-profits and other non-government organizations.
    NIST is seeking information on the current usage of these existing 
approaches throughout industry, the robustness and applicability of 
these frameworks and standards, and what would encourage their 
increased usage. Please provide information related to the following:
    1. What additional approaches already exist?
    2. Which of these approaches apply across sectors?
    3. Which organizations use these approaches?
    4. What, if any, are the limitations of using such approaches?
    5. What, if any, modifications could make these approaches more 
    6. How do these approaches take into account sector-specific needs?
    7. When using an existing framework, should there be a related 
sector-specific standards development process or voluntary program?
    8. What can the role of sector-specific agencies and related sector 
coordinating councils be in developing and promoting the use of these 
    9. What other outreach efforts would be helpful?

Specific Industry Practices

    In addition to the approaches above, NIST is interested in 
identifying core practices that are broadly applicable across sectors 
and throughout industry.
    NIST is interested in information on the adoption of the following 
practices as they pertain to critical infrastructure components:
     Separation of business from operational systems;
     Use of encryption and key management;
     Identification and authorization of users accessing 
     Asset identification and management;
     Monitoring and incident detection tools and capabilities;
     Incident handling policies and procedures;
     Mission/system resiliency practices;
     Security engineering practices;
     Privacy and civil liberties protection.
    1. Are these practices widely used throughout critical 
infrastructure and industry?
    2. How do these practices relate to existing international 
standards and practices?
    3. Which of these practices do commenters see as being the most 
critical for the secure operation of critical infrastructure?
    4. Are some of these practices not applicable for business or 
mission needs within particular sectors?
    5. Which of these practices pose the most significant 
implementation challenge?
    6. How are standards or guidelines utilized by organizations in the 
implementation of these practices?
    7. Do organizations have a methodology in place for the proper 
allocation of business resources to invest in, create, and maintain IT 
    8. Do organizations have a formal escalation process to address 
cybersecurity risks that suddenly increase in severity?

[[Page 13028]]

    9. What risks to privacy and civil liberties do commenters perceive 
in the application of these practices?
    10. What are the international implications of this Framework on 
your global business or in policymaking in other countries?
    11. How should any risks to privacy and civil liberties be managed?
    12. In addition to the practices noted above, are there other core 
practices that should be considered for inclusion in the Framework?

    Dated: February 21, 2013.
Patrick Gallagher,
Under Secretary of Commerce for Standards and Technology.
[FR Doc. 2013-04413 Filed 2-25-13; 8:45 am]