Measuring the effectiveness of the NIST Framework in the real world

The release of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014 proved to be a pivotal event in the history of U.S. cybersecurity. Here at Intel and Intel Security, we were actively involved in the public-private partnership that helped produce the first version of the Framework. As we noted when it first came out, the Framework’s focus on collaboration and assessment rather than compliance and regulation creates a better environment for the private and public sectors to identify and protect their assets, detect incidents, and respond to and recover from threats.

Intel’s work with the Framework didn’t end in 2014, however. We understood conceptually why it would work, but we wanted to ensure that the Framework also would be effective in a real-world environment. To test it, a team from Intel Security and Intel implemented the Framework across Intel’s Office and Enterprise IT infrastructure.

The findings of this use case were catalogued in a white paper released to coincide with the one-year anniversary of the Framework. The results have been summarized in another blog, so I’ll simply say that even in a security-conscious organization such as Intel, we learned a lot from the Framework: It brought further clarity to our cybersecurity posture and what was needed to harmonize risk management across the enterprise.

Based on the results of this use case, we’re more certain than ever about the Framework’s value, and we plan to promote its implementation in organizations of all sizes. The Framework will continue to evolve beyond its current form as stakeholders in government and industry gain more insight into its effectiveness and identify potential gaps. But while improvements are being made, it’s important for industry to support this effort and for critical infrastructure stakeholders to take notice. The NIST Framework’s emphasis on collaboration and risk management offers the best opportunity at this moment for industry to improve its cybersecurity posture. And we’re not just speculating about this; we’ve demonstrated it.
