The cyber framework: What's next


A week after the White House's release of a comprehensive cybersecurity framework aimed at critical infrastructure, government leaders and industry experts are looking ahead to what comes next, with a focus on creating incentives and measuring success.

The National Institute of Standards and Technology embarked on a year-long process engaging stakeholders and developing the cyber framework, released on Feb. 12. Now federal agency leaders, owners and operators of critical infrastructure and executives at other organizations are figuring out what the framework means to them and how to implement its practices and methodology.

NIST officials continue to stress that the framework is just the first version of several to come, and that the collaborative process employed in the development of version 1.0 will continue, beginning in April with discussions on privacy. But for now, the focus is on implementation -- a process that NIST Director Patrick Gallagher hopes will reveal gaps in the framework.

"We deliberately created a pause in engagement ... for the very reason that I didn't want to get in the way of the adoption piece," Gallagher said Feb. 19 at the Brookings Institution in Washington. "I'm not expecting major revisions to the framework itself; the major impetus is going after gap areas and maturing the governance discussion. We should now start seriously ... setting up a governance scheme where many companies can work together to turn this into a routine process. We've had success with that in cloud sector and smart grid, and we'd like to continue it here as well."

Outside of government, the general response has been one of cautious optimism. But Larry Clinton, president of the Internet Security Alliance, pointed out that commercial cybersecurity looks different from national security, and that this is just the beginning of the efforts needed to bridge the gap between the two.

"The framework is not the answer to the cybersecurity problem, but it's a step in the right direction," Clinton said Feb. 19 in a webcast hosted by law firm Venable. "To put it in an Olympic context, this is the preliminaries and we still have to make it to the final rounds. And like in the Olympics, the competition gets tougher as you go along."

Many of the biggest questions about the framework center on familiar areas: the role of potential legislation and regulatory measures, incentivization and metrics for success.

"Now the focus shifts to adoption. There are no strong mechanisms for measuring adoption; that's yet to emerge," said Jamie Barnett, co-chair of Venable's telecommunications group and a partner in the firm's cybersecurity practice. "There's motivation to stave off regulatory action [and] questions over whether incentives are enough; legislation is still needed to provide the incentives necessary for widespread adoption."

Gallagher defended his agency's work, particularly against the notion that the framework is "toothless" because it relies on voluntary compliance, and that there's too much focus on NIST controls -- the agency's guidelines and security publications, which account for much of its influence in the field.

"If you think regulation is a result of market failure, this is your opportunity to make sure the market doesn't fail. The most powerful force driving adoption is companies themselves. This is not just what you do internally," Gallagher said, but the relationship with suppliers, customers and other parts of a sector. "The framework is not about controls. ... our CIOs are drowning in piles of controls to look at. What's unique about the framework from a government perspective is the management approach of how to run a department. It makes cost allocation, skill sets [and] hiring decisions just as much a part of cybersecurity as controls."

Gallagher said that the framework's success or failure will take time to determine, but there are ways to see its impact taking shape.

"I think of the success story as having two elements," he said. "One is near term; that's the adoption. Is this inevitable? We're struggling with the nuts-and-bolts issues ... and it's coming from those organizations actually trying to implement this, so that's a success story. And while the final outcome is something we only learn retrospectively, I hope we see meaningful improvements in what we call security behavior. That can be skill level, capacity of staff, self-awareness -- I think there's a set of security behaviors that are quite measurable."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
