The National Association of State Chief Information Officers announced its support of the National Cybersecurity Framework, which was released Wednesday by the White House.
In a statement, NASCIO said the framework “provides states with a common platform on which to base strategic security decisions, allocate resources, and build defenses against both common and sophisticated attacks.”
President Barack Obama called for the creation of the framework in February 2013, first announcing it during that year’s State of the Union address.
The framework allows organizations—regardless of size, degree of cyber-risk or cybersecurity sophistication—to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.
Organizations can use the framework on a voluntary basis to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity.
NASCIO said it plans to encourage states to adopt the framework as a common language in which to build a strategic cybersecurity plan, something Virginia announced Wednesday it already plans to do.
“[Yesterday’s] release is a critical step in a process the president began a year ago when he signed an executive order that brought federal leadership to a major vulnerability in our national security infrastructure,” NASCIO said in its statement. “The inclusion of a methodology to protect privacy and personal information is also valuable for states, which are responsible for storing sensitive information on citizens and businesses. This addition is a welcome refinement to the final framework.”
NASCIO pointed out that state governments typically work closely with the National Institute of Standards and Technology, which was responsible for developing the framework.
In fact, three-quarters of states have adopted some cybersecurity framework based on national standards and guidelines, with the vast majority using NIST standards to some degree.
And while the framework is a key component of cybersecurity in the states, NASCIO said there is still “significant work” to be done in this area. For instance, advancing common security and information-sharing protocols, such as the National Information Exchange Model, will be important to securing public sector data while still allowing it to flow between various sectors of government.
In addition, Congress and the administration must work to reform the Federal Information Security Management Act of 2002, better known as FISMA.
“By streamlining requirements to meet end goals rather than checklists, we can provide greater services to citizens and more secure state data networks,” NASCIO said.