US government sets out cyber security framework for business and industry

Voluntary framework to protect against cyber threats laid out by NIST and Barack Obama

The US government has released the final version of its cyber security framework, a set of standards designed to help protect businesses and industry from threats including cyber criminals and hackers.

Financial, energy and healthcare firms are among those targeted by the 'Framework for improving critical infrastructure cyber security', a document released by the National Institute of Standards and Technology (NIST).

It sets out voluntary standards and guidelines that organisations can use to assess and improve cyber security policies.

The framework's release comes exactly one year after Barack Obama signed an executive order directing NIST to compile minimum cyber security standards for critical infrastructure. The President argued that while the release of the document marks a step forward, more needs to be done to protect the US from cyber threats.

"While I believe today's framework marks a turning point, it's clear that much more work needs to be done to enhance our cybersecurity," said Obama.

"I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties," he continued. "Meanwhile, my Administration will continue to take action, under existing authorities, to protect our nation from this threat.

"This voluntary framework is a great example of how the private sector and government can, and should, work together to meet this shared challenge," Obama added.

Under secretary of commerce for standards and technology and NIST director Patrick D Gallagher added that he hoped the framework would jumpstart a much-needed discussion about the importance of proper cyber security policy in business and industry.

"The framework provides a consensus description of what's needed for a comprehensive cybersecurity program," he said.

"It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business.

"The development of this framework has jumpstarted a vital conversation between critical infrastructure sectors and their stakeholders," Gallagher continued. "They can now work to understand the cybersecurity issues they have in common and how those issues can be addressed in a cost-effective way without reinventing the wheel."

Paul Martini, CEO at iboss Network Security, labelled the cyber security framework "a great starting point" which will "inspire debate", but added that, in order to remain protected, firms must ensure cyber security policy is able to keep up with the latest developments in technology.

"Organisations need to recognise that technology enhancements driven by the likes of DropBox, Apple, and Google have fundamentally changed how our networks operate and how we interact with data," he said.

"It has meant that we need to revisit many of the legacy security architectures in our networks to assess if they are capable of adapting to these new technologies.

"We have to accept that the old way of approaching security is hopelessly behind in being able to address some of the most acute cyber problems," Martini concluded.