By John Miller, director of Cybersecurity Policy for Intel
Today is the anniversary date of the Executive Order President Obama signed last year to reduce cybersecurity risks to the nation’s critical infrastructure. Today also marks the release of a prominent component of the President’s plan – the Cybersecurity Framework (the “Framework”). The Framework is the culmination of a year-long process, convened by the National Institute of Standards and Technology (NIST), to develop in partnership with industry a framework of standards, guidance and best practices to provide both a risk-based tool and common language to help organizations large and small better address our collective cybersecurity challenges.
“Improving cybersecurity in ways that promote innovation and protect citizens’ privacy is the only way to preserve the promise of the Internet as a driver of global economic development and social interaction,” said Intel President Renee James. “Intel applauds the Administration and the National Institute of Standards and Technology for constructing the cybersecurity framework hand-in-hand with industry and other stakeholders, building a model of a voluntary, risk-based tool that can be utilized by a broad array of organizations. We look forward to further work together to help the framework gain traction and see cybersecurity practices elevated around the world.”
There is much to like about the Framework. The new Executive Summary provides clear guidance and crisp messaging to help make both the security and business case to executives, stressing that the Framework is intended as a broadly applicable tool and living document (indeed, it is marked “1.0”). Helpful language reinforces that the Framework is founded on global, consensus-based, technology-neutral standards, intended to preserve technology innovation and enable cybersecurity technology business development. There is stronger implementation guidance, making clear the Framework is not intended to replace an organization’s existing cybersecurity policies, standards and practices, but rather to serve as a tool an organization can tailor to its particular cybersecurity practices, risk profiles and business constraints. The Framework also includes a much-improved privacy and civil liberties methodology, which articulates well how organizations should consider privacy as a fundamental element of any cybersecurity program.
Intel has been there every step of the way throughout the Framework’s development – from our initial RFI comments, through participation in five workshops across the country, to our public comments on the Preliminary Framework, to the White House event to formally launch the Framework that ended just a short while ago. Malcolm Harkins, Intel Vice President and Chief Security and Privacy Officer, attended the launch event to help celebrate this milestone achievement, representing the new Intel Security business unit and signaling our commitment to furthering both the Framework and the continued partnership activities needed to put the complementary pieces of the cybersecurity puzzle in place.
Stay tuned to the Intel Policy Blog for a deeper analysis of the Framework and for future blogs on topics including how the Framework protects privacy, how customers and companies can maximize the value of the Framework, how the Framework might be leveraged internationally, and what’s next for Intel, the Framework, and its supporting programs. We would like to hear from you as the conversation continues.