Government Shutdown

Shutdown would not threaten NIST framework schedule

digital key

Officials at the National Institute of Standards and Technology have spent the last seven months crafting a comprehensive cybersecurity framework, triggering concerns that a critical Oct. 10 deadline could be endangered by the potential government shutdown.

However, NIST Director Patrick Gallagher on Sept. 25 said otherwise, telling a Washington cybersecurity conference audience that the preliminary draft framework is effectively complete and ready for release. He also noted that the October release is just one step in an ongoing process.

Under a February executive order from President Barack Obama, NIST has been required to release draft frameworks at specific intervals. The most recent release came in August, when an informal preliminary draft was released ahead of the agency's fourth public collaboration meeting, held in Dallas.

The formal preliminary draft framework is due Oct. 10, 240 days after the executive order, and a final version is due at the one-year mark.

"We've structured the whole 240 days to try to maximize the amount of public engagement and feedback we could get," Adam Sedgewick, NIST senior IT policy adviser, said in July. "Given the time constraints, we've used a combination of public workshops and engagements. We have people engage through our cyber framework website, and at the tail end we'll have another public comment period."

The rigid timelines mean a government shutdown beginning Oct. 1 theoretically could put the intense efforts behind schedule if those working on the project are prohibited from doing so.

"The [executive order] had specific deadlines that didn't give an out for extenuating circumstances," said one source, speaking on background.

But Gallagher indicated that the extensive work, including the broad participation of industry, that has gone into the framework allows for a release even in the event of a shutdown, and others agreed.

"Much of the draft framework has been available for several weeks, and received substantial industry input both from the workshop NIST held in Dallas and a number of separate industry meetings," said Larry Clinton, president and CEO of the Internet Security Alliance, which has been involved in the framework development process. "The framework is a work in progress, and while I don't think it's complete [and] I doubt the NIST staff thinks it's complete yet either, it is certainly far enough along to be released on time as a draft."

NIST officials have made it clear that the framework's development will continue beyond the release of both the preliminary and the final versions.

"If this process we just did over the last eight months ends up being a once-through, then we've failed," Gallagher said, according to Federal News Radio. "The technology is too dynamic, and I don't believe the framework is perfect. We expect companies who adopt it and put it into use to identify places where it makes no sense and where there are gaps. We have to operationalize this collaboration we've built and turn it into a continuous process. So right away we have to start thinking about a 2.0 version. These early adopters that take up the challenge and put this into use are going to shape the framework, and I think they'll drive the governance of the process."

That ongoing development likely will include another workshop beyond the four that already took place across the country, according to Clinton. That and other continuing efforts will help shape the framework for a formal release in February.

"They've pretty much done what they need to do for October, and [if there is a shutdown], what they released last month before Dallas will just be tweaked," said Jim Lewis, senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies. "I think they have something releasable now and will be able to move forward as planned."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.

Featured

  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above