New cyber framework draft sharpens focus on implementation

After a nearly two-week delay caused by the government shutdown, the National Institute of Standards and Technology released the latest version of its cybersecurity framework on Oct. 22, and it aims to better secure U.S. companies and government agencies.

The new draft, originally slated for an Oct. 10 release, goes into significantly greater detail than the version released Aug. 28, which laid out the framework's core, implementation tiers and profile. Those three central pillars are designed to provide industry and government with a common cybersecurity taxonomy, establish goals and targets, identify and prioritize opportunities for improvement, assess progress and improve communication among stakeholders.

In the latest draft, there is sharpened and expanded focus on specific areas, including implementation logistics, privacy and civil liberties. Furthermore, the cybersecurity workforce has been added as an area in particular need of improvement.

During a call with reporters on Oct. 22, NIST Director Patrick Gallagher said areas that saw the most change between the two drafts were identified in discussions with industry, government and academia, especially those stemming from the most recent public meeting held in Dallas in September.

"The real focus following the last workshop in Dallas until now had to do with clarifications, expanded sections, and privacy and civil liberties considerations," Gallagher said. "There was always that requirement in the executive order, and I think there was a real focus in Dallas to bring that section out. There's additional guidance in the framework on how to use it -- some structural issues in how to think about the tiers and how to crosswalk between certain functional areas and practices. So a lot [of changes are] around usability and the methodology and practices surrounding civil liberties."

Another change in the new draft is the inclusion of the cybersecurity workforce as a key area for improvement, an issue that was not mentioned in the previous draft.

"While it is widely known that there is a shortage of general cybersecurity experts, there is also a shortage of qualified cybersecurity experts with an understanding of the specific challenges posed to critical infrastructure," the latest draft states. "As the critical infrastructure threat and technology landscape evolves, the cybersecurity workforce must continue to adapt to design, develop, implement, maintain and continuously improve the necessary practices within critical infrastructure environments."

The idea of continued evolution in the document and the conversations surrounding it is a theme in the cybersecurity framework -- something that officials have stressed over the course of the year and that will continue to be a priority, Gallagher said.

For example, conformity and how it will be measured is still very much an evolving subject, as is the governance structure. He said the public workshop in Raleigh, N.C., in November will include discussion of options for an industry-led governance structure in the framework.

"This is not a once-through -- we are not done," Gallagher said. "Cyber threats are going to continue to evolve, [and] cyber risk management has to therefore evolve with them. The framework must be a living document, allowing for continuous improvement as technology and threats change and as businesses mature. It must evolve to meet business needs in real time."

The final draft is due in February 2014, a year after President Barack Obama directed NIST to establish the guidelines.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

