NIST cyber framework depends on you


The National Institute of Standards and Technology’s draft cybersecurity framework is a stepping stone toward an October deadline for a preliminary plan -- and ultimately to a "final" document due in February 2014 under President Barack Obama's cyber executive order.

To get there, NIST continues to depend on industry and the public's involvement in creating comprehensive guidelines that are adoptable and effective. The new draft, released Aug. 28, comes just weeks ahead of NIST's fourth workshop, to be held in Dallas Sept. 11-13.

It is a pattern NIST has come to rely on in the creation of the cyber framework, said Adam Sedgewick, NIST senior IT policy advisor. The agency releases information asking for feedback, presents the feedback at a public workshop to launch discussion of key issues, then posts online the information from the workshop discussions that helps inform the next iteration of a draft framework.

"We've structured the whole 240 days [given in the executive order to issue the October draft] to try to maximize the amount of public engagement and feedback we could get," Sedgewick said. "Given the time constraints, we've used a combination of public workshops and engagements. We have people engage through our cyber framework website, and at the tail end we'll have another public comment period."

Through this process, NIST officials have been able to present the most comprehensive draft framework yet, one that fleshes out the core of the guidance and, for example, proposes metrics for assessing an organization's cybersecurity posture. The Aug. 28 version builds on a more skeletal iteration from July, and the forthcoming versions will continue that pattern of building on each other using feedback from stakeholders.

"The process lets us see the gap areas and common themes," Sedgewick said. "Are we reflecting the comments right, and is this the right path?"

Between now and October, architects of the framework hope to have discussions about a range of key issues, including:

  • whether the framework adequately addresses civil liberties and privacy;
  • how it can enable cost-effective implementation;
  • how it can provide the right tools to senior executives and boards of directors to understand risk management;
  • how to ensure that the framework is inclusive of, not disruptive to, cybersecurity practices an organization already has in place.

"We hope to really begin validating this document so we can continue to improve it with time. The Dallas workshop will help to get that information and feedback that we feel is critical to making this a successful approach," Sedgewick said. He added that those who cannot make it to Dallas can submit comments via e-mail at, and that once the October preliminary framework is out there will be a formal comment period posted in the Federal Register.

But don't expect any downtime between October and the due date in February. Dialogue will be ongoing, Sedgewick said, and even though the "final" version of the framework is due in February, it will still continue to evolve beyond then.

"After October we're going to continue to kick this higher. We're coming to the stage where we're looking at implementation and we get to see what it looks like when it's put into practice," he said. "We don’t see February as the end. We see February as another step in the process and we will continue to work with other agencies on other pieces of the executive order."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.


Reader comments

Wed, Sep 18, 2013

First, I have not been to a NIST workshop in quite some time. I have been to many other government cybersecurity workshops and have been an Information Assurance Manager for a while. It seems that for the most part the concepts are pretty good; not perfect, but definitely comprehensive as a collective. The one thing I see constantly is that the interpretation and implementation of what is considered to be a "standard" is different across agency and industry. To top it off, the regulations and laws allow for such interpretations. Understandable, since no one system is the same. However, operating in an environment where the only thing that is the same is that everyone is different does not really work when attempting to implement standards.

Tue, Sep 3, 2013

To the commenter who said: "You can participate and help develop a good product, or you can whine." You apparently weren't at the cyber workshops, so you're in no position to accuse anyone else of not participating, especially those of us who actually have participated and contributed. Applying resources and wasting time "developing a good product" based on a fundamentally flawed concept will not lead to success. That was very clear from the industry comments at the two workshops. The other important point that the commenter and NIST are conveniently ignoring is that the federal government has been enacting standards, guidelines, and best practices since 1981, starting with NSA-developed DoD instructions. While you may think that the government's standards approach has been "pretty good," the results say otherwise. The outcome of the government's standards-based approach has been to spend billions of dollars over decades on compliance with this or that standard, all resulting in networks and systems that are inherently insecure and exploited on a daily basis. And that's in the federal "enterprise," where the government has regulatory, budgetary, and governance authority from the top down, yet it's still not effective. The standards approach will be even more ineffective when applied to commercial industry, where you have no governance authority or budget control, and you've already decided that the government won't use its regulatory authority. The real agenda, which the commenter would know if they had actually attended the workshops or put any thought into this, is that the "voluntary" model is expected to fail. The government is giving that model a shot, knowing that it will fail, to clear the way for regulatory mandates. So what the government is really telling industry is to follow our proven-failed model that will cost you a lot of money while producing few if any security improvements, and then we'll apply more regulation and cost you more money.

Fri, Aug 30, 2013

Most people (companies) will do the "right thing" if they know what it is. I've been using NIST IT and cyber guidance and documentation for 2+ decades. It has been very helpful/useful. When 800-53 was started, lots of folks thought there was no way it could work. It took time (and participation), but it's pretty good now. You can participate and help develop a good product, or you can whine.

Fri, Aug 30, 2013

I attended the cyber framework workshops and believe that NIST was not effective at capturing and communicating key conclusions about the framework. Some of the more important and challenging comments from the working sessions were: 1) Many critical infrastructure companies are international. Any new standards applied to these companies by the federal government will not be accepted or trusted by partners and subsidiaries in foreign countries, leading to expensive fragmentation and non-interoperability across international CI providers. 2) The idea of liability protection for commercial critical infrastructure providers who "comply" with the new standards fundamentally undermines risk management and leads to a model where companies achieve compliance, but not actual security (two very different things). 3) The lifecycle for critical infrastructure systems can be 15 years or more, and these CI providers have an almost insurmountable challenge dealing with legacy systems where "security" cannot be retro-fitted to systems that tend to be highly specialized or purpose-built. It's the same problem that federal agencies faced when trying to secure or "accredit" systems that were implemented years ago. It leads to a process that produces paper compliance, but few significant or adequate improvements in actual security. 4) How are new "voluntary" standards that intend to impose minimal, if any, regulatory burden going to effect real change? 5) The CI industry is so diverse, and each vertical's security challenges are sufficiently unique, that virtually no standard, no matter how flexible and tailorable, will apply across CI verticals.
