"Today the Obama administration is announcing the launch of the Cybersecurity Framework, which is the result of a yearlong private-sector-led effort to develop a voluntary how-to guide for organizations in the critical infrastructure community to enhance their cybersecurity," a White House statement said.
In a separate statement, Obama said, "Cyberthreats pose one of the gravest national security dangers that the United States faces. To better defend our nation against this systemic challenge, one year ago I signed an executive order directing the administration to take steps to improve information sharing with the private sector, raise the level of cybersecurity across our critical infrastructure, and enhance privacy and civil liberties.
"Since then, the National Institute of Standards and Technology has worked with the private sector to develop a Cybersecurity Framework that highlights best practices and globally recognized standards so that companies across our economy can better manage cyber risk to our critical infrastructure."
The president urged "Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties. Meanwhile, my administration will continue to take action, under existing authorities, to protect our nation from this threat."
The White House statement identified three framework components -- the framework core, profiles and tiers:
-- "The framework core is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions -- identify, protect, detect, respond, recover -- that provide a high-level view of an organization's management of cyberrisks.
-- "The profiles can help organizations align their cybersecurity activities with business requirements, risk tolerances and resources. Companies can use the profiles to understand their current cybersecurity state, support prioritization and to measure progress towards a target state.
-- "The tiers provide a mechanism for organizations to view their approach and processes for managing cyberrisk. The tiers range from partial [Tier 1] to adaptive [Tier 4] and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs and its integration into an organization's overall risk management practices."