The National Institute of Standards and Technology (NIST) Cybersecurity Framework (the Framework) provides a common language for understanding, managing, and expressing cybersecurity risk both internally and externally to an organization. The Framework can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. The Framework uses a common language to address and manage cyber risk in a cost-effective way that does not place additional regulatory requirements on businesses.
The Framework enables organizations – regardless of size, cyber risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving cybersecurity and securing critical infrastructure. The Framework is a living document and will continue to be updated and improved as industry provides feedback on implementation. As the Framework is put into practice, lessons learned will be integrated into future versions. This will ensure it is meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks, and solutions.
During the initial rollout of the Framework and stand-up of the C³ Voluntary Program, the Department of Homeland Security (DHS) will collaborate with stakeholders to understand how their organizations may use the Framework.
Drivers for Critical Infrastructure Cyber Resilience
The public and private sectors have a shared interest in ensuring the viability of critical infrastructure and the provision of essential services under all conditions. Executive Order (EO) 13636, signed February 2013, directs the Departments of Homeland Security, Commerce, and Treasury to provide recommendations to the President on cybersecurity incentives to reinforce use of the NIST Cybersecurity Framework and participation in the C³ Voluntary Program.
Effective incentives can help the private sector justify the costs of improved cybersecurity by balancing the short-term costs of additional investment with similarly near-term benefits. DHS recognizes the importance of market-based incentives in promoting change in business practices.
To support participation in the C³ Voluntary Program and reinforce the NIST Cybersecurity Framework, DHS will provide technical assistance; programs and resources are accessible through the C³ Voluntary Program US-CERT Gateway.
DHS will continue to serve as the lead Federal Government interface for public discussion on incentives, and will lead the outreach and partnership with the critical infrastructure community for the Administration's effort to conduct further analysis on incentives. Engagement with industry and the critical infrastructure community is critical and will inform the process.
Although some of the potential incentive areas identified may be linked to the C³ Voluntary Program, such as technical assistance, others may not be directly linked or are beyond the scope of the C³ Voluntary Program.
Read the White House blog about incentives by Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator.
Read the DHS Incentives Report, which analyzes potential economic incentives that could be used to promote use of the Cybersecurity Framework.
Access program resources at the C³ Voluntary Program US-CERT Gateway.