New cyber framework draft sharpens focus on implementation

After a nearly two-week delay caused by the government shutdown, the National Institute of Standards and Technology released the latest version of its cybersecurity framework on Oct. 22, and it aims to better secure U.S. companies and government agencies.

The new draft, originally slated for an Oct. 10 release, goes into significantly greater detail than the version released Aug. 28, which laid out the framework's core, implementation tiers and profile. Those three central pillars are designed to provide industry and government with a common cybersecurity taxonomy, establish goals and targets, identify and prioritize opportunities for improvement, assess progress and improve communication among stakeholders.

The latest draft has a sharpened and expanded focus on specific areas, including implementation logistics, privacy and civil liberties. Furthermore, the cybersecurity workforce has been added as an area in particular need of improvement.

During a call with reporters on Oct. 22, NIST Director Patrick Gallagher said areas that saw the most change between the two drafts were identified in discussions with industry, government and academia, especially those stemming from the most recent public meeting held in Dallas in September.

"The real focus following the last workshop in Dallas until now had to do with clarifications, expanded sections, and privacy and civil liberties considerations," Gallagher said. "There was always that requirement in the executive order, and I think there was a real focus in Dallas to bring that section out. There's additional guidance in the framework on how to use it -- some structural issues in how to think about the tiers and how to crosswalk between certain functional areas and practices. So a lot [of changes are] around usability and the methodology and practices surrounding civil liberties."

Another change in the new draft is the inclusion of the cybersecurity workforce as a key area for improvement, an issue that was not mentioned in the previous draft.

"While it is widely known that there is a shortage of general cybersecurity experts, there is also a shortage of qualified cybersecurity experts with an understanding of the specific challenges posed to critical infrastructure," the latest draft states. "As the critical infrastructure threat and technology landscape evolves, the cybersecurity workforce must continue to adapt to design, develop, implement, maintain and continuously improve the necessary practices within critical infrastructure environments."

The idea of continued evolution in the document and the conversations surrounding it is a theme in the cybersecurity framework -- something that officials have stressed over the course of the year and that will continue to be a priority, Gallagher said.

For example, conformity and how it will be measured is still very much an evolving subject, as is the governance structure. He said the public workshop in Raleigh, N.C., in November will include discussion of options for an industry-led governance structure in the framework.

"This is not a once-through -- we are not done," Gallagher said. "Cyber threats are going to continue to evolve, [and] cyber risk management has to therefore evolve with them. The framework must be a living document, allowing for continuous improvement as technology and threats change and as businesses mature. It must evolve to meet business needs in real time."

The final draft is due in February 2014, a year after President Barack Obama directed NIST to establish the guidelines.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
