Chris Hoover

EO 13636 and NIST Cybersecurity Framework CSF Update

Blog Post created by Chris Hoover Employee on Oct 30, 2013

One topic getting a lot of buzz lately is the Executive Order (EO) 13636 and the new NIST Cybersecurity Framework (CSF) that stems from it.


I blogged on this subject a few months ago and that post can be found here.


If you don’t want to read the previous post, the short version is the EO is trying to improve the Cybersecurity posture of critical infrastructure organizations. The government hopes to achieve this by sharing threat data with the private sector, developing a Cybersecurity framework for organizations that don’t have one of their own to use, and to “promote and incentivize the adoption of Cybersecurity practices”.


A few updates since that post:

Another NIST CSF workshop was held in Dallas. The inputs from that workshop were incorporated into a preliminary draft that was released earlier this month. That draft can be viewed here. The CSF is the piece of the EO that is getting the most attention. What will the framework look like? What will it do? Will it become a mandatory compliance burden? What will I have to do?


At its simplest, the framework provides a common language and mechanism for organizations to:

1) describe their current Cybersecurity posture;

2) describe their target state for Cybersecurity;

3) identify and prioritize opportunities for improvement within the context of risk management;

4) assess progress toward the target state;

5) foster communications among internal and external stakeholders


It is considered voluntary, though the language about “promoting and incentivizing” the framework does make people nervous.


One last thing – If you are interested in this subject …interested enough to participate directly…there is another NIST CSF workshop coming up in NC in the middle of November.

Thanks for reading! Stay tuned for more on this subject. As always, email me with any questions or comments