Cybersecurity framework will include controls and metrics


The cybersecurity framework for private sector critical infrastructure called for by President Obama's executive order on Feb. 12 will specify "information security measures and controls" but not "particular technological solutions or specifications," says the National Institute of Standards and Technology.

The executive order calls on NIST to develop within a year a framework of standards and best practices for adoption among operators of critical infrastructure; adoption is meant to be voluntary, but could be mandatory in some cases.

In a request for information posted online Feb. 26, NIST says the framework will include metrics and methods for use in assessing and monitoring the effectiveness of deployed cybersecurity controls.

NIST is already responsible under the Federal Information Security Management Act for developing and maintaining a cybersecurity risk framework and set of controls (the latter known as SP 800-53) for federal agencies.

NIST also plans to hold a workshop on the private sector framework on April 3.

For more:
- go to the RFI on the Federal Register
- go to the NIST cybersecurity framework webpage

Related Articles:
Cybersecurity framework could be mandatory for some companies
Obama signs cybersecurity executive order - UPDATED