Cybersecurity

NIST cyber framework depends on you


The National Institute of Standards and Technology’s draft cybersecurity framework is a stepping stone toward an October deadline for a preliminary plan -- and ultimately to a "final" document due in February 2014 under President Barack Obama's cyber executive order.

To get there, NIST continues to depend on industry and the public's involvement in creating comprehensive guidelines that are adoptable and effective. The new draft, released Aug. 28, comes just weeks ahead of NIST's fourth workshop, to be held in Dallas Sept. 11-13.

It is a pattern NIST has come to rely on in the creation of the cyber framework, said Adam Sedgewick, NIST senior IT policy advisor. The agency releases information asking for feedback, presents the feedback at a public workshop to launch discussion of key issues, then posts online the information from the workshop discussions, which helps inform the next iteration of the draft framework.

"We've structured the whole 240 days [given in the executive order to issue the October draft] to try to maximize the amount of public engagement and feedback we could get," Sedgewick said. "Given the time constraints, we've used a combination of public workshops and engagements. We have people engage through our cyber framework website, and at the tail end we'll have another public comment period."

Through the process, NIST officials have been able to present the most comprehensive draft framework yet -- one that fleshes out the core of the guidance and proposed metrics for assessing an organization's cybersecurity standings, for example. The Aug. 28 version builds on a more skeletal iteration from July, and the forthcoming versions will continue that pattern of building on each other using feedback from stakeholders.

"The process lets us see the gap areas and common themes," Sedgewick said. "Are we reflecting the comments right, and is this the right path?"  

Between now and October, architects of the framework hope to have discussions about a range of key issues, including:

  • whether the framework adequately addresses civil liberties and privacy;
  • how it can enable cost-effective implementation;
  • how it can provide the right tools to senior executives and boards of directors to understand risk management;
  • how to ensure that the framework is inclusive of, not disruptive to, cybersecurity practices an organization has in place.

"We hope to really begin validating this document so we can continue to improve it with time. The Dallas workshop will help to get that information and feedback that we feel is critical to making this a successful approach," Sedgewick said. He added that those who cannot make it to Dallas can submit comments via e-mail at cyberframework@nist.gov, and that once the October preliminary framework is out there will be a formal comment period posted in the Federal Register.

But don't expect any downtime between October and the due date in February. Dialogue will be ongoing, Sedgewick said, and even though the "final" version of the framework is due in February, it will still continue to evolve beyond then.

"After October we're going to continue to kick this higher. We're coming to the stage where we're looking at implementation and we get to see what it looks like when it's put into practice," he said. "We don’t see February as the end. We see February as another step in the process and we will continue to work with other agencies on other pieces of the executive order."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
