The NIST Cybersecurity Framework: A Significant Milestone towards Critical Infrastructure Resiliency

Yesterday, the Administration released the much anticipated Cybersecurity Framework.  What does the Framework mean for the critical infrastructures, both in the United States and beyond?  The Framework, developed over the past year by the National Institute of Standards and Technology (NIST), is a significant milestone in an ongoing and successful collaboration among a broad range of industry and government organizations concerned with improving the cybersecurity of critical infrastructure.  Microsoft appreciates the opportunity to contribute to the development of the Cybersecurity Framework, and we were honored to participate in Wednesday’s launch event.

Last February, the President issued the Executive Order on Improving Critical Infrastructure Cybersecurity and called upon NIST to develop a “framework to reduce cyber risks to critical infrastructure.”  NIST has provided exemplary leadership in driving collaboration in the development of the Framework over the past year.  The Framework development process in many ways can serve as a template for government organizations seeking to harness industry expertise in efforts to advance cybersecurity and privacy.  NIST’s process was proactive, and carefully structured to engage a diverse group of stakeholders across the U.S. and internationally.  NIST solicited public comments to help develop the Framework, receiving input from hundreds of stakeholders, and conducted regional workshops to engage stakeholders across the nation.  For our part, Microsoft contributed to the process by providing comments in response to NIST’s initial request for information and the request for comments on the Preliminary Framework, and by participating in regional workshops hosted by NIST. Additionally, we hosted an event at our Policy and Innovation Center in DC that brought together security and privacy professionals, helping to raise awareness about the Framework within the privacy community and fostering their engagement.

I am pleased to share that Microsoft’s approach to managing cybersecurity risks is consistent with the Cybersecurity Framework’s security and privacy guidance.  The Framework seeks to foster a culture of risk management, similar to the culture driven by Microsoft’s policies and practices that involve regular assessment of the security and privacy challenges facing our customers and our operations, as well as ongoing application of learnings gained through our experiences defending over one billion users from cyber-threats.

For example, we take an adaptive approach to strengthening the security of our products and services. We regularly update core security practices like our Secure Development Lifecycle, Software Security Incident Response Process, and our Operational Security Assurance.  We are also committed to maintaining and enhancing privacy protections for our customers.  We have supported and evolved a comprehensive privacy program for over ten years.  The program employs several hundred full-time and part-time individuals who have formal privacy responsibilities. All are tasked with helping ensure that our privacy policies and practices are applied across our products, devices and services to enable, maintain and enhance privacy protections for our customers.

Moving forward, there are a number of initiatives related to the Framework that are important to the success of the approach put forward in the Executive Order, including development of the Voluntary Program and of incentives to advance use of the Framework.  We look forward to working with our government and industry partners to support these initiatives, and others seeking to advance cybersecurity and privacy.

About the Author
Matt Thomlinson

Vice President, Microsoft Security

Matt Thomlinson is Vice President of Security at Microsoft and leads the Microsoft Security Engineering Center (MSEC), the Microsoft Security Response Center (MSRC) and Global Security Strategy & Diplomacy (GSSD) and internal Network Security (NetSec). His teams are responsible for