A National Institute of Standards and Technology official has clarified that the agency’s voluntary cybersecurity framework is meant to offer private enterprises the “know-how” needed to protect their infrastructure, GovInfoSecurity reported Wednesday.
“Organizations should use this as they think about how to manage risk, but they shouldn’t treat it like every item is a must-do,” Adam Sedgewick, NIST senior policy adviser, told Information Security Media Group in a recent interview.
Eric Chabrow writes that Sedgewick said the framework should be seen as a critical tool for an organization’s business functions rather than as a budget-line expense.
NIST also wants to ensure that critical infrastructure operators will leverage cyber products and service offerings that at least partly conform to the guidance, Sedgewick added, according to GovInfoSecurity.
He also addressed the agency’s potential role in making the framework easier for industry to adopt.
“There are a lot of organizations that are looking for additional detail,” he told Information Security Media Group.
“One of the things that is important to us is that we invite that criticism and we want folks to be very honest about how they’re using the framework, what they like about it and don’t like about it, so the framework itself can improve and [NIST can] develop those tools as well that can help organizations in their struggle.”