The National Institute of Standards and Technology released its draft cybersecurity framework for private companies and infrastructure networks on Tuesday. These standards are part of an executive order that President Obama proposed in February.
The aim of NIST's framework (PDF) is to create guidelines that companies can use to beef up their networks and guard against hackers and cybersecurity threats. Adopting this framework would be voluntary for companies. NIST is a non-regulatory agency within the Department of Commerce.
The framework was written with the involvement of roughly 3,000 industry and academic experts, according to Reuters. It outlines ways that companies could protect their networks and act fast if and when they experience security breaches.
"The framework provides a common language for expressing, understanding, and managing cybersecurity risk, both internally and externally," reads the draft standards. "The framework can be used to help identify and prioritize actions for reducing cybersecurity risk and is a tool for aligning policy, business, and technological approaches to managing that risk."
Obama's executive order in February was part of a government effort to get cybersecurity legislation in place, but the bill was put on hold after the National Security Agency's surveillance program was revealed.
Some of the components in Obama's order included: expanding "real time sharing of cyber threat information" to companies that operate critical infrastructure, asking NIST to devise cybersecurity standards, and proposing a "review of existing cybersecurity regulation."
Critical infrastructure networks, banks, and private companies have increasingly been hit by cyberattacks over the past couple of years. For example, weeks after the former head of Homeland Security, Janet Napolitano, announced that she believed a "cyber 9/11" could happen "imminently" -- crippling the country's power grid, water infrastructure, and transportation networks -- hackers hit the US Department of Energy. While no data was compromised, it did show that hackers were able to breach the computer system.
While companies are well aware that they need to secure their networks, many are wary of signing onto this voluntary framework. According to Reuters, some companies are worried that the standards could turn into requirements.
In an effort to get companies to adopt the framework, the government has been offering a slew of incentives, including cybersecurity insurance, priority consideration for grants, and streamlined regulations. These proposed incentives are a preliminary step for the government's cybersecurity policy and have not yet been finalized.
NIST will now take public comments for 45 days and plans to issue the final cybersecurity framework in February 2014.