The Obama administration on Wednesday released a long-awaited framework for cybersecurity that is intended to nudge businesses toward strengthening their networks against attacks.
The voluntary guidance, established by President Obama via executive order and developed by the Commerce Department’s National Institute of Standards and Technology, gives critical infrastructure companies a guidebook for ways to prevent and respond to the growing threat of cyberattacks.
The framework includes a “core” that outlines standards that companies can implement to identify, detect, respond to and recover from cyber threats.
“The goal is not to expand regulation,” one administration official said. “Our goal is to streamline existing regulations wherever possible.”
President Obama took executive action on cybersecurity last year after legislation stalled in Congress.
The official on Wednesday urged lawmakers to move forward with a legislative fix but said the framework “stands on its own.”
“Regardless of what happens between the administration and the Hill ... the cybersecurity framework is an incredibly powerful tool,” the official said.
The framework includes a description of four “tiers” of implementation that a company can use to compare its own cybersecurity practices to the standards set in the framework, as well as a description of how a company can evaluate its cybersecurity profile and identify areas to improve.
A draft of the framework was released in October, and NIST received thousands of public comments in the lead-up to the release of the document Wednesday.
While the document largely reflects the draft from October, one change noted by senior administration officials is the section on privacy and civil liberties. While the October draft had a lengthy appendix on the topic, those issues were incorporated into the framework released Wednesday.
Based on the public comments the NIST received, “there was not sufficient support for a standalone appendix,” the official said. “In response, that has been integrated into the main body of the framework.”
The officials touted input from the private sector and said the framework gives companies flexibility.
The initiative does not provide any incentives for companies to participate. The officials noted that companies have a business interest to best protect their networks.
One official said establishing incentives "is a key endeavor," and vowed to work with the industry and policymakers to consider them.
“The federal government is going to do its best to make the cost of using the framework lower and the benefits of using the framework higher.”
Under Obama's executive order, federal agencies that oversee critical infrastructure industries are also encouraged to streamline their cybersecurity requirements and recommendations with the framework.