The Framework for Improving Critical Infrastructure Cybersecurity is a useful tool for managing cybersecurity risk, but it will not replace existing risk management programs. Gartner views the Framework positively as a logical foundation for aligning IT/OT risk.
On 12 February 2014, the U.S. Department of Commerce released the NIST Framework for Improving Critical Infrastructure Cybersecurity version 1.0 — commonly known as the Cybersecurity Framework (CSF) — along with a road map that identifies gaps in the Framework. These documents were developed in response to President Barack Obama's Executive Order 13636, which called for a voluntary framework to guide cybersecurity risk management for critical infrastructure services. Federal, industry and academic stakeholders all provided input on the CSF and the road map.
The CSF serves as a taxonomy for managing the cybersecurity risk of critical infrastructure. Cybersecurity, as defined by Gartner, includes a broad range of practices, tools and concepts addressing both information technology and operational technology (IT/OT) security. The CSF is not designed to replace large-scale cybersecurity risk programs or existing operational frameworks such as COBIT or the ISO/IEC 27000 series. It is an absolute minimum of guidance for new or existing cybersecurity risk programs, and a logical framework for aligning IT and OT security.
Gartner views the introduction of a privacy and civil liberties methodology in the CSF positively — especially in IT/OT environments, where privacy and civil-liberty concerns are new risk management territory. The CSF does not define privacy, but it does indicate that privacy should be defined in the operating context of each enterprise. Gartner contends that the mapping of resources to functions offered in the CSF will allow IT/OT security teams to identify gaps in existing programs. The core, tiers and profile elements address the combined cybersecurity risks of IT/OT with a single approach — one Gartner believes is urgently needed. Because it is built from the functions, activities and practices common across multiple critical infrastructure sectors, the CSF is necessarily basic and generic.
The CSF is neither regulatory guidance nor a checklist for regulatory compliance; adherence to and use of the CSF is voluntary. It is not related to the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) regulatory standards — though Gartner expects such efforts to eventually converge. The CSF does not require any technology procurement or risk assessment; however, organizations may benefit from its guidance.
Gartner cautions that adoption issues could arise through misuse of the CSF. Using the CSF to sell specific consulting or integrator services could create compliance problems if industry-specific regulation later builds on the CSF. Gartner believes the voluntary nature of the guidance leaves government and industry with little power to mandate changes in cybersecurity risk management, and pending U.S. legislation may supersede or substantially modify the CSF.
Use the CSF as a logical framework to map your IT/OT risks.
Avoid making long-term procurement or compliance decisions based on the CSF's guidance in its current state, as it is missing key components. Use the CSF road map to pinpoint gaps in the CSF and to monitor the evolution of future CSF versions.
Continue to apply the standards that are well accepted in your respective industries.
Critical infrastructure companies with existing cybersecurity risk programs:
Use the CSF to validate program completeness.
Enterprises with nascent cybersecurity risk management programs:
Use the CSF as a starting point for cybersecurity risk planning, as a self-assessment tool and as a reference to weigh consulting offerings.
Companies with considerable IT/OT assets:
Use the CSF as an aid to align and integrate cybersecurity risk management across corporate and industrial control/automation requirements.