New cyber framework draft sharpens focus on implementation

After a nearly two-week delay caused by the government shutdown, the National Institute of Standards and Technology released the latest version of its cybersecurity framework on Oct. 22, and it aims to better secure U.S. companies and government agencies.

The new draft, originally slated for an Oct. 10 release, goes into significantly greater detail than the version released Aug. 28, which laid out the framework's core, implementation tiers and profile. Those three central pillars are designed to provide industry and government with a common cybersecurity taxonomy, establish goals and targets, identify and prioritize opportunities for improvement, assess progress and improve communication among stakeholders.

In the latest draft, there is sharpened and expanded focus on specific areas, including implementation logistics, privacy and civil liberties. Furthermore, the cybersecurity workforce has been added as an area in particular need of improvement.

During a call with reporters on Oct. 22, NIST Director Patrick Gallagher said areas that saw the most change between the two drafts were identified in discussions with industry, government and academia, especially those stemming from the most recent public meeting held in Dallas in September.

"The real focus following the last workshop in Dallas until now had to do with clarifications, expanded sections, and privacy and civil liberties considerations," Gallagher said. "There was always that requirement in the executive order, and I think there was a real focus in Dallas to bring that section out. There's additional guidance in the framework on how to use it -- some structural issues in how to think about the tiers and how to crosswalk between certain functional areas and practices. So a lot [of changes are] around usability and the methodology and practices surrounding civil liberties."

Another change in the new draft is the inclusion of the cybersecurity workforce as a key area for improvement, an issue that was not mentioned in the previous draft.

"While it is widely known that there is a shortage of general cybersecurity experts, there is also a shortage of qualified cybersecurity experts with an understanding of the specific challenges posed to critical infrastructure," the latest draft states. "As the critical infrastructure threat and technology landscape evolves, the cybersecurity workforce must continue to adapt to design, develop, implement, maintain and continuously improve the necessary practices within critical infrastructure environments."

The idea of continued evolution in the document and the conversations surrounding it is a theme in the cybersecurity framework -- something that officials have stressed over the course of the year and that will continue to be a priority, Gallagher said.

For example, conformity and how it will be measured is still very much an evolving subject, as is the governance structure. He said the public workshop in Raleigh, N.C., in November will include discussion of options for an industry-led governance structure in the framework.

"This is not a once-through -- we are not done," Gallagher said. "Cyber threats are going to continue to evolve, [and] cyber risk management has to therefore evolve with them. The framework must be a living document, allowing for continuous improvement as technology and threats change and as businesses mature. It must evolve to meet business needs in real time."

The final draft is due in February 2014, a year after President Barack Obama directed NIST to establish the guidelines.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

