Cybersecurity

NIST cyber framework depends on you


The National Institute of Standards and Technology’s draft cybersecurity framework is a stepping stone toward an October deadline for a preliminary plan -- and ultimately to a "final" document due in February 2014 under President Barack Obama's cyber executive order.

To get there, NIST continues to depend on industry and the public's involvement in creating comprehensive guidelines that are adoptable and effective. The new draft, released Aug. 28, comes just weeks ahead of NIST's fourth workshop, to be held in Dallas Sept. 11-13.

It is a pattern NIST has come to rely on in the creation of the cyber framework, said Adam Sedgewick, NIST senior IT policy advisor. The agency releases information asking for feedback, presents the feedback at a public workshop to launch discussion of key issues, then posts online the information from the workshop discussions that help inform the next iteration of a draft framework.

"We've structured the whole 240 days [given in the executive order to issue the October draft] to try to maximize the amount of public engagement and feedback we could get," Sedgewick said. "Given the time constraints, we've used a combination of public workshops and engagements. We have people engage through our cyber framework website, and at the tail end we'll have another public comment period."

Through the process, NIST officials have been able to present the most comprehensive draft framework yet -- one that fleshes out the core of the guidance and proposed metrics for assessing an organization's cybersecurity standings, for example. The Aug. 28 version builds on a more skeletal iteration from July, and the forthcoming versions will continue that pattern of building on each other using feedback from stakeholders.

"The process lets us see the gap areas and common themes," Sedgewick said. "Are we reflecting the comments right, and is this the right path?"

Between now and October, architects of the framework hope to have discussions about a range of key issues, including:

  • whether the framework adequately addresses civil liberties and privacy;
  • how it can enable cost-effective implementation;
  • how it can provide the right tools to senior executives and boards of directors to understand risk management;
  • ensuring that the framework is inclusive of, not disruptive to, cybersecurity practices an organization has in place.

"We hope to really begin validating this document so we can continue to improve it with time. The Dallas workshop will help to get that information and feedback that we feel is critical to making this a successful approach," Sedgewick said. He added that those who cannot make it to Dallas can submit comments via e-mail at cyberframework@nist.gov, and that once the October preliminary framework is out there will be a formal comment period posted in the Federal Register.

But don't expect any downtime between October and the due date in February. Dialogue will be ongoing, Sedgewick said, and even though the "final" version of the framework is due in February, it will still continue to evolve beyond then.

"After October we're going to continue to kick this higher. We're coming to the stage where we're looking at implementation and we get to see what it looks like when it's put into practice," he said. "We don’t see February as the end. We see February as another step in the process and we will continue to work with other agencies on other pieces of the executive order."


Reader comments

Wed, Sep 18, 2013

First, I have not been to a NIST workshop in quite some time. I have been to many other government Cybersecurity workshops and have been an Information Assurance Manager for a while. It seems that for the most part the concepts are pretty good; not perfect but definitely comprehensive as a collective. The one thing I see constantly is that the interpretation and implementation of what is considered to be a "Standard" is different across agency and industry. To top it off the regulations and laws allow for such interpretations. Understandable that no one system is the same. However, operating in an environment where the only thing that is the same is that everyone is different does not really work when attempting to implement standards.

Tue, Sep 3, 2013

To the commenter who said: "You can participate and help develop a good product, or you can whine." You apparently weren't at the cyber workshops, so you're in no position to accuse anyone else of not participating, especially those of us who actually have participated and contributed. Applying resources and wasting time on "developing a good product" based on a fundamentally flawed concept will not lead to success. That was very clear from the industry comments at the two workshops. The other important point that the commenter and NIST are conveniently ignoring is that the federal government has been enacting standards, guidelines, and best practices since 1981, starting with NSA-developed DoD instructions. While you may think that the government's standards approach has been "pretty good", the results say otherwise. The outcome of the government's standards-based approach has been to spend billions of dollars over decades on compliance with this or that standard, all resulting in networks and systems that are inherently insecure and exploited on a daily basis. And that's in the Federal "enterprise" where the government has regulatory, budgetary, and governance authority from the top down, yet it's still not effective. The standards approach will be even more ineffective when applied to commercial industry, where you have no governance authority or budget control, and you've already decided that the government won't use its regulatory authority. The real agenda, which the commenter would know if they had actually attended the workshops or put any thought into this, is that the "voluntary" model is expected to fail. The government is giving that model a shot, knowing that it will fail, to clear the way for regulatory mandates. So what the government is really telling industry is to follow our proven-failed model that will cost you a lot of money while producing few if any security improvements, and then we'll apply more regulation and cost you more money.

Fri, Aug 30, 2013

Most people (companies) will do the "right thing", if they know what it is. I've been using NIST IT and cyber guidance and documentation for 2+ decades. It has been very helpful/useful. When 800-53 was started lots of folks thought there was no way it could work. It took time (and participation) but it's pretty good, now. You can participate and help develop a good product, or you can whine.

Fri, Aug 30, 2013

I attended the cyber framework workshops and believe that NIST was not effective at capturing and communicating key conclusions about the framework. Some of the more important and challenging comments from the working sessions were: 1) Many critical infrastructure companies are international. Any new standards applied to these companies by the Federal Government will not be accepted or trusted by partners and subsidiaries in foreign countries, leading to expensive fragmentation and non-interoperability across international CI providers. 2) The idea of liability protection for commercial critical infrastructure providers who "comply" with the new standards fundamentally undermines risk management and leads to a model where companies achieve compliance, but not actual security (two very different things). 3) The lifecycle for critical infrastructure systems can be 15 years or more, and these CI providers have an almost insurmountable challenge dealing with legacy systems where "security" cannot be retro-fitted to systems that tend to be highly specialized or purpose built. It's the same problem that Federal agencies faced when trying to secure or "accredit" systems that were implemented years ago. It leads to a process that produces paper compliance, but few significant or adequate improvements in actual security. 4) How are new "voluntary" standards that intend to impose minimal, if any, regulatory burden going to effect real change? 5) The CI industry is so diverse and each vertical's security challenges are sufficiently unique that virtually no standard, no matter how flexible and tailorable, will apply across CI verticals.
